Analysis
-
max time kernel
112s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2024 18:19
Static task
static1
Behavioral task
behavioral1
Sample
9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
-
Size
1.8MB
-
MD5
bcfee732e35f4f1fe6efe205abf3d2ba
-
SHA1
4621092b6053a8f709b095d067a2ad26da17a127
-
SHA256
9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2
-
SHA512
5a252217cf75e21c74f81e8ec772ebfa3cd7dcca6c058c1fac2a538f810fba52213e039e847f93be9ea6f748297790ecf9f67ede360746cd9f57ffbb1c6989ae
-
SSDEEP
49152:s2ZDC654mZ/BWgyhaKqsVOarqHi5HpdTL+PLMm0Oj3VZE53ZZqP:Q65JBBWpIsn5TTSTrjFZE53Z0
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey family
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
resource yara_rule behavioral1/memory/2904-513-0x0000000069CC0000-0x000000006A71B000-memory.dmp family_cryptbot_v3 -
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 90bf81c9f1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 90bf81c9f1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 90bf81c9f1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 90bf81c9f1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 90bf81c9f1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 90bf81c9f1.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 39b6052c3a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 89da15b12b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c6f5adb2b8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 90bf81c9f1.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 1148 chrome.exe 2176 chrome.exe 5832 chrome.exe 1784 chrome.exe -
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 39b6052c3a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 89da15b12b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 90bf81c9f1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 39b6052c3a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c6f5adb2b8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c6f5adb2b8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 90bf81c9f1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 89da15b12b.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 39b6052c3a.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe -
Executes dropped EXE 10 IoCs
pid Process 2804 skotes.exe 2524 IObit.exe 2904 39b6052c3a.exe 676 89da15b12b.exe 4008 skotes.exe 2096 c6f5adb2b8.exe 1576 d0b4448de7.exe 5768 90bf81c9f1.exe 3048 skotes.exe 572 service123.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine c6f5adb2b8.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 90bf81c9f1.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 39b6052c3a.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 89da15b12b.exe -
Loads dropped DLL 1 IoCs
pid Process 572 service123.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 90bf81c9f1.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 90bf81c9f1.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\89da15b12b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007470001\\89da15b12b.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c6f5adb2b8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007471001\\c6f5adb2b8.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0b4448de7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007472001\\d0b4448de7.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90bf81c9f1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007473001\\90bf81c9f1.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0007000000023cba-115.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 1428 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe 2804 skotes.exe 2904 39b6052c3a.exe 676 89da15b12b.exe 4008 skotes.exe 2096 c6f5adb2b8.exe 5768 90bf81c9f1.exe 3048 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4556 2904 WerFault.exe 99 -
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 89da15b12b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 90bf81c9f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 39b6052c3a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c6f5adb2b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d0b4448de7.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 39b6052c3a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 39b6052c3a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 3972 taskkill.exe 64 taskkill.exe 2188 taskkill.exe 4448 taskkill.exe 212 taskkill.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3177479843" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e5100000000020000000000106600000001000020000000b6854b588a8cabffd6145d73c0ae2253c6e455cddccfe4abb92e298c5709839f000000000e80000000020000200000006799f065aff2b78306a2dca0ee2d0a8f5f8474a46cc74c023c56db75f4388ff320000000f179a3ac501256f2271c05de1166b5cf985985c9118adb404db2bda0e2a0fe98400000001259a3d4d9a561f7b7e5961024a8de7663fed38dd175a2cd4c8fdd0fd3b95c2f035b7d02fe7d9c8325f7462344dd1547c039758ba8fd6046f068cded51e8b151 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3177479843" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144623" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E8B438AC-A6A2-11EF-A7EA-E6FB6C85BB83} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a80cbeaf3adb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600920beaf3adb01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e51000000000200000000001066000000010000200000004fa1cb627432d9f97fc8fd72ad786b8b13b9a7db5675b05d67b8b9fdebee958b000000000e80000000020000200000001c8f8aa4e98dd5f2ebe7fd6fb9171f1e387ae35e6653dfc0c462dc7bde47bcd32000000011a4e45a2eef4b9ecfe705a0593f5618c18bdccde7a3e8ea3dc3077a01c918ec4000000050429e548493b8c70aeef02ea78adcfb5d166f03cbbbd17be13c6bae409dc5f8ac603a95990b9d48f86990cf482805559b242f2297bfb59ec4377336fc3af16f iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144623" iexplore.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings firefox.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5740 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 1428 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe 1428 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe 2804 skotes.exe 2804 skotes.exe 2904 39b6052c3a.exe 2904 39b6052c3a.exe 676 89da15b12b.exe 676 89da15b12b.exe 4008 skotes.exe 4008 skotes.exe 2096 c6f5adb2b8.exe 2096 c6f5adb2b8.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 5768 90bf81c9f1.exe 5768 90bf81c9f1.exe 5768 90bf81c9f1.exe 5768 90bf81c9f1.exe 5768 90bf81c9f1.exe 1148 chrome.exe 1148 chrome.exe 3048 skotes.exe 3048 skotes.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 3972 taskkill.exe Token: SeDebugPrivilege 64 taskkill.exe Token: SeDebugPrivilege 2188 taskkill.exe Token: SeDebugPrivilege 4448 taskkill.exe Token: SeDebugPrivilege 212 taskkill.exe Token: SeDebugPrivilege 3828 firefox.exe Token: SeDebugPrivilege 3828 firefox.exe Token: SeDebugPrivilege 5768 90bf81c9f1.exe Token: SeShutdownPrivilege 1148 chrome.exe Token: SeCreatePagefilePrivilege 1148 chrome.exe Token: SeShutdownPrivilege 1148 chrome.exe Token: SeCreatePagefilePrivilege 1148 chrome.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 1428 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe 3196 iexplore.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe 1148 chrome.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 3828 firefox.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe 1576 d0b4448de7.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3196 iexplore.exe 3196 iexplore.exe 1868 IEXPLORE.EXE 1868 IEXPLORE.EXE 1868 IEXPLORE.EXE 1868 IEXPLORE.EXE 3828 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1428 wrote to memory of 2804 1428 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe 86 PID 1428 wrote to memory of 2804 1428 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe 86 PID 1428 wrote to memory of 2804 1428 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe 86 PID 2804 wrote to memory of 2524 2804 skotes.exe 98 PID 2804 wrote to memory of 2524 2804 skotes.exe 98 PID 2804 wrote to memory of 2904 2804 skotes.exe 99 PID 2804 wrote to memory of 2904 2804 skotes.exe 99 PID 2804 wrote to memory of 2904 2804 skotes.exe 99 PID 2804 wrote to memory of 676 2804 skotes.exe 103 PID 2804 wrote to memory of 676 2804 skotes.exe 103 PID 2804 wrote to memory of 676 2804 skotes.exe 103 PID 3196 wrote to memory of 1868 3196 iexplore.exe 112 PID 3196 wrote to memory of 1868 3196 iexplore.exe 112 PID 3196 wrote to memory of 1868 3196 iexplore.exe 112 PID 2804 wrote to memory of 2096 2804 skotes.exe 113 PID 2804 wrote to memory of 2096 2804 skotes.exe 113 PID 2804 wrote to memory of 2096 2804 skotes.exe 113 PID 2804 wrote to memory of 1576 2804 skotes.exe 114 PID 2804 wrote to memory of 1576 2804 skotes.exe 114 PID 2804 wrote to memory of 1576 2804 skotes.exe 114 PID 1576 wrote to memory of 3972 1576 d0b4448de7.exe 115 PID 1576 wrote to memory of 3972 1576 d0b4448de7.exe 115 PID 1576 wrote to memory of 3972 1576 d0b4448de7.exe 115 PID 1576 wrote to memory of 64 1576 d0b4448de7.exe 117 PID 1576 wrote to memory of 64 1576 d0b4448de7.exe 117 PID 1576 wrote to memory of 64 1576 d0b4448de7.exe 117 PID 1576 wrote to memory of 2188 1576 d0b4448de7.exe 119 PID 1576 wrote to memory of 2188 1576 d0b4448de7.exe 119 PID 1576 wrote to memory of 2188 1576 d0b4448de7.exe 119 PID 1576 wrote to memory of 4448 1576 d0b4448de7.exe 121 PID 1576 wrote to memory of 4448 1576 d0b4448de7.exe 121 PID 1576 wrote to memory of 4448 1576 d0b4448de7.exe 121 PID 1576 wrote to memory of 212 1576 d0b4448de7.exe 123 PID 1576 wrote to memory of 212 1576 d0b4448de7.exe 123 PID 1576 wrote to memory of 212 1576 d0b4448de7.exe 123 PID 1576 wrote to memory of 3512 1576 d0b4448de7.exe 125 PID 1576 wrote to memory of 3512 1576 d0b4448de7.exe 125 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3512 wrote to memory of 3828 3512 firefox.exe 126 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 PID 3828 wrote to memory of 1924 3828 firefox.exe 127 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe"C:\Users\Admin\AppData\Local\Temp\9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\1007468001\IObit.exe"C:\Users\Admin\AppData\Local\Temp\1007468001\IObit.exe"3⤵
- Executes dropped EXE
PID:2524
-
-
C:\Users\Admin\AppData\Local\Temp\1007469001\39b6052c3a.exe"C:\Users\Admin\AppData\Local\Temp\1007469001\39b6052c3a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2904 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1148 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff8b5bcc40,0x7fff8b5bcc4c,0x7fff8b5bcc585⤵PID:1964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,15488417404935822772,12798626558730484168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2028 /prefetch:25⤵PID:5360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,15488417404935822772,12798626558730484168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:35⤵PID:5404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,15488417404935822772,12798626558730484168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2304 /prefetch:85⤵PID:5416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,15488417404935822772,12798626558730484168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:15⤵
- Uses browser remote debugging
PID:5832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,15488417404935822772,12798626558730484168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:15⤵
- Uses browser remote debugging
PID:2176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,15488417404935822772,12798626558730484168,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:15⤵
- Uses browser remote debugging
PID:1784
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:572
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 17644⤵
- Program crash
PID:4556
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007470001\89da15b12b.exe"C:\Users\Admin\AppData\Local\Temp\1007470001\89da15b12b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:676
-
-
C:\Users\Admin\AppData\Local\Temp\1007471001\c6f5adb2b8.exe"C:\Users\Admin\AppData\Local\Temp\1007471001\c6f5adb2b8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\1007472001\d0b4448de7.exe"C:\Users\Admin\AppData\Local\Temp\1007472001\d0b4448de7.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:64
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:212
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce2baadb-5cbb-475d-b059-b1a05ed13725} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" gpu6⤵PID:1924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {702ec756-2217-4751-b0d8-70ca512cc4b8} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" socket6⤵PID:3492
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2652 -childID 1 -isForBrowser -prefsHandle 2552 -prefMapHandle 3200 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24cde43a-1267-48c0-9060-89996292ec76} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab6⤵PID:2924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdeb5f1c-cfe9-4da5-aa40-91a6f5fdc36e} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab6⤵PID:2376
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4868 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4860 -prefMapHandle 4856 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e168459d-fcea-4105-a21e-cc0e2400a72d} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" utility6⤵
- Checks processor information in registry
PID:5812
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5376 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb37f313-c8aa-40c2-8ea8-73ddc47a6046} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab6⤵PID:2184
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be65b80f-e491-4010-8488-91bdb2538aef} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab6⤵PID:5128
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5c0b83d-40ab-41c8-8883-386fb867b6a8} 3828 "\\.\pipe\gecko-crash-server-pipe.3828" tab6⤵PID:5140
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007473001\90bf81c9f1.exe"C:\Users\Admin\AppData\Local\Temp\1007473001\90bf81c9f1.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5768
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4008
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1576
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\PopTest.gif1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3196 CREDAT:17410 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1868
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2904 -ip 29041⤵PID:5452
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
Filesize21KB
MD5522c5ee80b98186283c0d2fc515cf330
SHA1fea75d3898d987331508bbea0b567e7374825a07
SHA256958d0ab1e532cfa3e15f3b3e66a80a51de842553400dac70bf0bb6005a02323d
SHA5121bb6e71123e0d97b384d6f6630e3a6c4fc405adf23ede2698fc163b391628e030eaccb3213855b97d96b2a69818c2137c435486236087c05842dddf216a3728b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize13KB
MD54ad0b08e4f9f48ad9dd494408ba40b57
SHA1b65f3cc090760e77d49a7e3cbb5ad790dc95d110
SHA2565c0c68b193b2127e8d016580d32bf90e94fe2af772fb0a416e4b0c71d77ab853
SHA5124f266fb96ff7fe3b0c7e24c0b0dab96f2f30a2873c1847cd00099c4f8cffdf277c5c4a789bbfaefdb4fbe8cfbd4bfb6a7bea2f1c89d4a611de4378471bac0958
-
Filesize
4.1MB
MD5ca00d6c5903f68cf43e74774d7b08a52
SHA165e2318a24492c149eb66865f5f3bd4ee09e88bb
SHA256de16ea07d8934b7746f20ee895293e48e49a7264a589518f04a4c8b8e2bafe8e
SHA5120ce810baa5f5284c030cb38c9f3057cb5a5973e38ab677177b9f5cde452a6f894bcf42ef16229c497d2fd2f720872803fb121f2ee4264123aa2fe087a9295c8b
-
Filesize
1.7MB
MD5888242c19537f0f114634d771ce4a9cd
SHA1e0e86e160c2c465c3c49b31cdfbbb67ecd5a9366
SHA2560ddd13cd233f81153d8d558297ba09317867797db7d87e7758a51e4131e587d6
SHA51208d552edae0404a8d25af25ac86cdce98d6e59a32d99fae4e0be5b8085e838aced0c1bd464fc5f6f4c41dc0c5160452d35760ebf0bf702eefcb0c6b7b5560199
-
Filesize
1.7MB
MD5e218c3b8301592ed017608e81df8c33f
SHA11c953abe9acf0e759116d61c32d14c2b70cd65fd
SHA256d5bf9e1a3af167866dd104e9aaa4db76b172101abd31a893adf503032ebd80b9
SHA512173646bf3063c6185527e3acf2ad78d0fde734101226cb50004b943d6417a5d842fd381bacf78021ae7dbf8fe1537a1ed8edfc07cd82d5a2da778807b56d3891
-
Filesize
900KB
MD5c202b9fb5ed13afd406eb71e5cdc8570
SHA124620f327145a676c230e8b7a7096f9736f353c4
SHA25664fe0184720def98b06de5cdb4289dbe9357670a973028de21645ada7934e52e
SHA512c6d9e48c16d6b505c06cae84e83bbd9ca185a67dbddacda19de38ff4e0db5d00b8f18e7876050a45255ec4feb1d9558c221204d26cd4d04e837584f0687be4f0
-
Filesize
2.7MB
MD5b1428cca95bff0b76ab62397d02df9e3
SHA1a5b0ead9e190ce4f64c8ab23ecc412ef8dd7a52b
SHA256329ec550d7912b296ae2936bb392f56d16ac2dcde22a9101a1332e119a164c99
SHA51234b3391f0a24e42c908f2497031096ad7174f2d9e54d155b128bc1fff2922d2fb1f0688393a4a59f3087186eea19f8dc5576e9bc1e8c001ecc3eb888b805b0e5
-
Filesize
1.8MB
MD5bcfee732e35f4f1fe6efe205abf3d2ba
SHA14621092b6053a8f709b095d067a2ad26da17a127
SHA2569ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2
SHA5125a252217cf75e21c74f81e8ec772ebfa3cd7dcca6c058c1fac2a538f810fba52213e039e847f93be9ea6f748297790ecf9f67ede360746cd9f57ffbb1c6989ae
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
16KB
MD5ce1bdb0b60536391b93f29c60322e90f
SHA1298ef3b4fa6ba1229159a4e8b895d97049fa9c5d
SHA2565dac375156ff4bdefdd07740d9658920b076340ac5ab6e3b94bd3dc5d7d75d5b
SHA512c7209ca2cfc5f94a882b6722718b3961599297d3cef6cf6d0cbc6d7cdef0995835823b967956e699360ab3784c9b3fe59bb140d823bbbf5b7f61cc5e3a24e0f8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize6KB
MD5dbd8cec856e1ec4e4b6411e2d8a6bab8
SHA16d5465af290d52b36f57acfb519c6b0d5ea1073d
SHA256fb560fb22dcae7ac9e30957dcb93c5c8d312543309790aca2b3ec795397be3d3
SHA5123729818b7d5d75adeb489f5f03b0263315bf131213084ae0c5f10dc709f28635e877868776b84642f451d34c1d6a97a9b822aa66aec5a684d3affe66d9401be8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize10KB
MD57a9fe1440b13810492169f42816ed4ab
SHA145ee37b2116175316bea61f45658f0209e5b3866
SHA25667e39e403604819a2bb25b362d3a5b942b27ef0c343bbf4fbf1c99ff1ebb86c8
SHA51291cfa07f1bea4bd2a0446f1674fdb517c115f372eadd523085505fdc4e43852b3398e7346eac48be487523ba0cbbee3c64d12a749eaf080cf7069480505023bb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize17KB
MD50ec08a1aa860a33717c95bd5ed920ddc
SHA1ef7e0ec0e6126a2e4d5f748b3146b34ac1634f30
SHA256dd37b6b1acafe1ecc4873875946c12c52aaca1661d77c18134b403501c992edb
SHA512da58fb951a76daecc550b24e755bc3b67ed5bf29bbd8d4ed34a3d0d024cdc675984cb050d5b3e89a9724a0989310fcf9ebd6d34a44ce54ce1f19b62c6aebd207
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD558b5ab2b03e8359f84d7e5b4c82245c9
SHA18a66f8c008920067d17b7eedc62dc324ff08aeb5
SHA2566403de4faecdfc8bbe2a2de0b56dd3b06c0781d026aeaee48fa8afe5660c33d6
SHA5120a91d32f859380665a7187f5086c349039268fb952059263428845c0fe619c715afc26ec7ef96f1ffab60f9a9b84f8da82119cb403615f144eb18f8388bf402d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize28KB
MD511ed86db449f7978fab8bdb76cb33949
SHA13a24d6b52230faedeb9fd292eb6c7f112004cb13
SHA2568df2fdd8187bc5d9936faebc9a1129537f34c34721b8f457cef0045cf37a5c52
SHA512139efd0d51a50fdd2f0c9472d98095b4a9bd72d484c2e21b74b06bc3e3a8231ad1c526a47d363231feca0ddc1084c7ad57d499e94c6d9bc30da8a21954288789
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5188daa6021328c20dc1fd397b88c675a
SHA1ea2073c5bc282d7381d374b71223fadf20f94fde
SHA256e2511562080c5ca015a044d60432aa9afe39bc2dd7c5bc862f2038e356da0917
SHA512b1f7162d6e67f02db3cbc1e3591194da7fda1cbd48ae08c5b48490409f401de4138b520db12ab60c535560581508cd9201792d5b7c88990e4b7b085df3b385b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize28KB
MD5ec7e94e3fdebb0772e7b092b3e1e8279
SHA17ea7fe787691ebbe2590e8b504519474d89239a5
SHA25666a3bf4e3435e219ba912620c40b84a2fcce231e47e6919ded75ae5382989195
SHA5124b744012fb7e1a7af30c1ecb4b9fc3f78262b0832e40e5d7cee72f5f5c8a5a4d76b19149d028df58377a47b1c4a0cff377de853ae526da30825234f2aa8df5e6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\1f5b7348-7ef8-4ea1-8b13-be9925192de3
Filesize26KB
MD5bdcf5bed481c9b89f691dbffb2e704f1
SHA1da3d4bf088302e7af8a3da1b2ba32b6bb044a0c8
SHA25627cf8dc71d07382de7b60b74ca496ed3af39ae3a962a01b2d6cb65681d15f53c
SHA512e591a733020da383685d165b7d80e29addb84cbec090da4662346ec9ddea0dea34d09ff391f2db5728e5655c9071c4c0cbf59bd5da8cbd3b9a4e7ead2274351f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\512da625-1785-42b6-b7dd-d4edb65d1e49
Filesize671B
MD5b342f1042ba2c6c0018d8f04298b4853
SHA1820382d94f0c31b746b28e878ddfcf008d3a6df4
SHA256b7fd93803fa2c153284b69086966d9e8345a8e53375d3a1081e37502fb61d553
SHA51209ee4d54b975cadf51d16aecdfab160d069e1ae73c9927d773e71f92330c8f4bcaec87249a4a3ad9bc9f5fb282f336109e3451db2d2412ef3080b4bb55910d76
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\7d092353-be1d-4fee-801f-0a1046851454
Filesize982B
MD5cb7cae7ed4ab5518989181e43ddb0bc5
SHA1c7789158f6c06e8cc165edf4599e3db4aa8aa471
SHA256f4d92797c96da745c386b729fe861ded0df82adf067d8be5ed804bfa24b28715
SHA51222e4558fe386d5657d222e134428efe20d37276d78593a54e3e61c0d0463db5cd4bc0606736e7546c02a040bfcdf39df30dc5b53caed7af910c6ae2bb7f34a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5ecd17815d8d7782c110fde576650b8e5
SHA16570ff8c1a800a6024c41903c91cb0daa3608da3
SHA2562bbbd4c3b87e64a10f4250f50d85e625fd1edfdcc2bf2ba1a67d43e199eeed83
SHA5129c3fde5c3f786857d4cbaecb9a3b831de2b184a29e10df65b8252251834e18c3a9ae0a3708979548fca427583827d68f3798df6d15c4a97aab6f9b01420db407
-
Filesize
12KB
MD58fa77dc48d66025f24d3c047eb23b5da
SHA1f0fbdd2df875e01ce2cb1f7f1b961596cd3cfebb
SHA256b769cb67abc55062bbf4c1b244289ed1564fb70d7d7dbe0296a44f650069439c
SHA5126389a3be82a0f5bad1dd97fd429cbc1e457283121a69c0db40cb1c607676c1bf907a3b776eafdf195262df07877bcabee2513aec38f920a437977d05e4025ca6
-
Filesize
10KB
MD5bc6237f86326cf97b9b61c6d1dc58fe5
SHA16f77a0380d423d10bb03d9fcbaa9a56a9be12317
SHA25651fdd7c2098a8485d8496a3f1bea02024c0bfed5eef198b63e705ff3a6649cc3
SHA512a724c2556ff4f4b80b3e34e096b58f163949aceefee4defa18d0c846ddb1da2aa83b47df142050dde06baf67d9d208eb06a42d5e0ddb98806c2d85ab3a71fdcb
-
Filesize
11KB
MD5734fef9236edacc7cf3c8ca1f1372b40
SHA12e3e965cdf8924c4ce0246e5075e3804c0ca0ce8
SHA25679133426573b7acc86ae2ae8a4c46ba9d4a6fdb652b2c302db2715a9f54e4e3c
SHA5128f60706547bb8eb4f9bada3d45e819dd273b46b16201e65d6fe0663077d8adf898d9c18cab59b439031321fd134a814bf2b47df7c7ddfe84d8080a3cecaa6c56
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize936KB
MD55f1d58d68e401ab4160265c07f7c8545
SHA1e16b8dfef0920c12e9d40a7ddfbdea30fbc0b54e
SHA2563b4245ed209a34ca48be942239b08b3bae0a3c15392904cf03ddd17f0234d0c2
SHA51215e3be37af54e1787daa94404cd4a393a007f2fd5725b0417356492e6af4f34f94125bff69d088e0878d4526b7b734d89be2ec8507ac59a14b0a6960a97029a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize9.5MB
MD5ec265fa1e298cb524214f46d9a77e74c
SHA147198fb590485606b1d9d7e82827ee382ed4ca17
SHA256e98a4b33875573355509ff7873a945a4280dddf4bf12cdc7fbcad2af0fdd0c99
SHA5120d5dd72f40da5dc8f1e2415d2e1b9221e0a96213c7769f9a9e777447743ead94a794acd20a712c582be7460748436495b29a9302da9ef6f8be6b71326ec54075