Analysis
max time kernel: 85s
max time network: 117s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 19-11-2024 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
  Resource: win10ltsc2021-20241023-en
General
Target: 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Size: 1.8MB
MD5: bcfee732e35f4f1fe6efe205abf3d2ba
SHA1: 4621092b6053a8f709b095d067a2ad26da17a127
SHA256: 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2
SHA512: 5a252217cf75e21c74f81e8ec772ebfa3cd7dcca6c058c1fac2a538f810fba52213e039e847f93be9ea6f748297790ecf9f67ede360746cd9f57ffbb1c6989ae
SSDEEP: 49152:s2ZDC654mZ/BWgyhaKqsVOarqHi5HpdTL+PLMm0Oj3VZE53ZZqP:Q65JBBWpIsn5TTSTrjFZE53Z0
Malware Config

Extracted: amadey
  Version: 4.42
  Botnet: 9c9aa5
  C2: http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php

Extracted: amadey
  Version: 4.41
  Botnet: fed3aa
  C2: http://185.215.113.16
  install_dir: 44111dbc49
  install_file: axplong.exe
  strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
  url_paths: /Jo89Ku7d/index.php

Extracted: stealc
  Botnet: default_valenciga
  C2: http://185.215.113.17
  url_path: /2fb6c2cc8dce150a.php

Extracted: stealc
  Botnet: mars
  C2: http://185.215.113.206
  url_path: /c4becf79229cb002.php

Extracted: lumma
  C2: https://c0al1t1onmatch.cyou/api
  C2: https://peepburry828.sbs/api
  C2: https://processhol.sbs/api
  C2: https://p10tgrace.sbs/api
  C2: https://3xp3cts1aim.sbs/api
  C2: https://p3ar11fter.sbs/api
Signatures

Amadey family

Cryptbot family

Detects CryptBot payload [1 IoC]
CryptBot is a C++ stealer that is widely distributed in bundles with other software.
resource | yara_rule
behavioral2/memory/3460-354-0x0000000069CC0000-0x000000006A71B000-memory.dmp | family_cryptbot_v3

Lumma family

Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 12 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | abb32faf0a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 08e29a88bd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | lum250.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rodda.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4537c0d937.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b2ab7bb398.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cbe586bd9c.exe

Downloads MZ/PE file

Uses browser remote debugging [2 TTPs, 4 IoCs]
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
5184 | chrome.exe
6028 | chrome.exe
2420 | chrome.exe
1936 | chrome.exe

Checks BIOS information in registry [2 TTPs, 24 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cbe586bd9c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | lum250.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rodda.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b2ab7bb398.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 08e29a88bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | lum250.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4537c0d937.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | abb32faf0a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cbe586bd9c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | abb32faf0a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b2ab7bb398.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4537c0d937.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 08e29a88bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rodda.exe

Checks computer location settings [2 TTPs, 4 IoCs]
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | cbe586bd9c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation | axplong.exe

Executes dropped EXE [20 IoCs]
pid | Process
4448 | skotes.exe
4932 | cbe586bd9c.exe
392 | axplong.exe
3916 | crypted2.exe
3680 | crypted2.exe
4820 | stealc_default2.exe
564 | 5hvzv2sl.exe
4888 | 5hvzv2sl.exe
1920 | 5d58635b7f.exe
2840 | lum250.exe
2440 | klops.exe
4576 | rodda.exe
1020 | axplong.exe
2200 | skotes.exe
1788 | IObit.exe
3460 | 4537c0d937.exe
3932 | abb32faf0a.exe
2640 | b2ab7bb398.exe
5084 | 0cef0c3e7f.exe
4552 | 08e29a88bd.exe

Identifies Wine through registry keys [2 TTPs, 12 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | lum250.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | rodda.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | 4537c0d937.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | abb32faf0a.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | cbe586bd9c.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | b2ab7bb398.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | 08e29a88bd.exe
Key opened | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Software\Wine | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe

Loads dropped DLL [2 IoCs]
pid | Process
4820 | stealc_default2.exe
4820 | stealc_default2.exe
Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers [3 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files [1 TTP]
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Adds Run key to start application [2 TTPs, 6 IoCs]
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\klops = "C:\\Users\\Admin\\AppData\\Local\\klops.exe" | 5d58635b7f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abb32faf0a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007470001\\abb32faf0a.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b2ab7bb398.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007471001\\b2ab7bb398.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0cef0c3e7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007472001\\0cef0c3e7f.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08e29a88bd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007473001\\08e29a88bd.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d58635b7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005824001\\5d58635b7f.exe" | skotes.exe

Checks installed software on the system [1 TTP]
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 [1 TTP, 3 IoCs]
flow | ioc
89 | raw.githubusercontent.com
59 | raw.githubusercontent.com
60 | raw.githubusercontent.com

Looks up external IP address via web service [1 IoC]
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
57 | ip-api.com

AutoIT Executable [1 IoC]
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x00280000000450b6-326.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [12 IoCs]
pid | Process
3384 | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
4448 | skotes.exe
4932 | cbe586bd9c.exe
392 | axplong.exe
2840 | lum250.exe
4576 | rodda.exe
1020 | axplong.exe
2200 | skotes.exe
3460 | 4537c0d937.exe
3932 | abb32faf0a.exe
2640 | b2ab7bb398.exe
4552 | 08e29a88bd.exe

Suspicious use of SetThreadContext [2 IoCs]
description | pid | Process | procid_target
PID 3916 set thread context of 3680 | 3916 | crypted2.exe | 95
PID 564 set thread context of 4888 | 564 | 5hvzv2sl.exe | 102

Drops file in Windows directory [2 IoCs]
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
File created | C:\Windows\Tasks\axplong.job | cbe586bd9c.exe

Embeds OpenSSL [1 IoC]
Embeds OpenSSL, which may be used to circumvent TLS interception.
resource | yara_rule
behavioral2/files/0x0029000000045194-983.dat | embeds_openssl

Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).

Program crash [2 IoCs]
pid | pid_target | Process | procid_target
804 | 3916 | WerFault.exe | 93
5096 | 564 | WerFault.exe | 100

System Location Discovery: System Language Discovery [1 TTP, 21 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0cef0c3e7f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 08e29a88bd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stealc_default2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4537c0d937.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crypted2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cbe586bd9c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5hvzv2sl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lum250.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | abb32faf0a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crypted2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5hvzv2sl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rodda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2ab7bb398.exe

System Network Configuration Discovery: Internet Connection Discovery [1 TTP, 3 IoCs]
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
992 | cmd.exe
924 | cmd.exe
4488 | PING.EXE

Checks processor information in registry [2 TTPs, 10 IoCs]
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | stealc_default2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | stealc_default2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe

Kills process with taskkill [5 IoCs]
pid | Process
1260 | taskkill.exe
4688 | taskkill.exe
4820 | taskkill.exe
4708 | taskkill.exe
4480 | taskkill.exe

Runs ping.exe [1 TTP, 1 IoC]
pid | Process
4488 | PING.EXE

Suspicious behavior: AddClipboardFormatListener [1 IoC]
pid | Process
3724 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses [32 IoCs]
pid | Process
3384 | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
3384 | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
4448 | skotes.exe
4448 | skotes.exe
4932 | cbe586bd9c.exe
4932 | cbe586bd9c.exe
392 | axplong.exe
392 | axplong.exe
4820 | stealc_default2.exe
4820 | stealc_default2.exe
2840 | lum250.exe
2840 | lum250.exe
4576 | rodda.exe
4576 | rodda.exe
2200 | skotes.exe
2200 | skotes.exe
1020 | axplong.exe
1020 | axplong.exe
4820 | stealc_default2.exe
4820 | stealc_default2.exe
3460 | 4537c0d937.exe
3460 | 4537c0d937.exe
3932 | abb32faf0a.exe
3932 | abb32faf0a.exe
2640 | b2ab7bb398.exe
2640 | b2ab7bb398.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
4552 | 08e29a88bd.exe
4552 | 08e29a88bd.exe

Suspicious use of AdjustPrivilegeToken [7 IoCs]
description | pid | Process
Token: SeDebugPrivilege | 1260 | taskkill.exe
Token: SeDebugPrivilege | 4688 | taskkill.exe
Token: SeDebugPrivilege | 4820 | taskkill.exe
Token: SeDebugPrivilege | 4708 | taskkill.exe
Token: SeDebugPrivilege | 4480 | taskkill.exe
Token: SeDebugPrivilege | 3808 | firefox.exe
Token: SeDebugPrivilege | 3808 | firefox.exe

Suspicious use of FindShellTrayWindow [36 IoCs]
pid | Process
3384 | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe
4932 | cbe586bd9c.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
5084 | 0cef0c3e7f.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
3724 | EXCEL.EXE
3724 | EXCEL.EXE

Suspicious use of SendNotifyMessage [31 IoCs]
pid | Process
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
5084 | 0cef0c3e7f.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
3808 | firefox.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe
5084 | 0cef0c3e7f.exe

Suspicious use of SetWindowsHookEx [13 IoCs]
pid | Process
3808 | firefox.exe
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE
3724 | EXCEL.EXE

Suspicious use of WriteProcessMemory [64 IoCs]
description | pid | Process | procid_target
PID 3384 wrote to memory of 4448 | 3384 | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe | 83
PID 3384 wrote to memory of 4448 | 3384 | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe | 83
PID 3384 wrote to memory of 4448 | 3384 | 9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe | 83
PID 4448 wrote to memory of 4932 | 4448 | skotes.exe | 89
PID 4448 wrote to memory of 4932 | 4448 | skotes.exe | 89
PID 4448 wrote to memory of 4932 | 4448 | skotes.exe | 89
PID 4932 wrote to memory of 392 | 4932 | cbe586bd9c.exe | 90
PID 4932 wrote to memory of 392 | 4932 | cbe586bd9c.exe | 90
PID 4932 wrote to memory of 392 | 4932 | cbe586bd9c.exe | 90
PID 4448 wrote to memory of 3916 | 4448 | skotes.exe | 93
PID 4448 wrote to memory of 3916 | 4448 | skotes.exe | 93
PID 4448 wrote to memory of 3916 | 4448 | skotes.exe | 93
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 3916 wrote to memory of 3680 | 3916 | crypted2.exe | 95
PID 392 wrote to memory of 4820 | 392 | axplong.exe | 99
PID 392 wrote to memory of 4820 | 392 | axplong.exe | 99
PID 392 wrote to memory of 4820 | 392 | axplong.exe | 99
PID 392 wrote to memory of 564 | 392 | axplong.exe | 100
PID 392 wrote to memory of 564 | 392 | axplong.exe | 100
PID 392 wrote to memory of 564 | 392 | axplong.exe | 100
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 564 wrote to memory of 4888 | 564 | 5hvzv2sl.exe | 102
PID 4448 wrote to memory of 1920 | 4448 | skotes.exe | 105
PID 4448 wrote to memory of 1920 | 4448 | skotes.exe | 105
PID 4448 wrote to memory of 2840 | 4448 | skotes.exe | 106
PID 4448 wrote to memory of 2840 | 4448 | skotes.exe | 106
PID 4448 wrote to memory of 2840 | 4448 | skotes.exe | 106
PID 1920 wrote to memory of 992 | 1920 | 5d58635b7f.exe | 108
PID 1920 wrote to memory of 992 | 1920 | 5d58635b7f.exe | 108
PID 992 wrote to memory of 924 | 992 | cmd.exe | 110
PID 992 wrote to memory of 924 | 992 | cmd.exe | 110
PID 924 wrote to memory of 4488 | 924 | cmd.exe | 112
PID 924 wrote to memory of 4488 | 924 | cmd.exe | 112
PID 924 wrote to memory of 2440 | 924 | cmd.exe | 113
PID 924 wrote to memory of 2440 | 924 | cmd.exe | 113
PID 4448 wrote to memory of 4576 | 4448 | skotes.exe | 114
PID 4448 wrote to memory of 4576 | 4448 | skotes.exe | 114
PID 4448 wrote to memory of 4576 | 4448 | skotes.exe | 114
PID 4448 wrote to memory of 1788 | 4448 | skotes.exe | 117
PID 4448 wrote to memory of 1788 | 4448 | skotes.exe | 117
PID 4448 wrote to memory of 3460 | 4448 | skotes.exe | 118
PID 4448 wrote to memory of 3460 | 4448 | skotes.exe | 118
PID 4448 wrote to memory of 3460 | 4448 | skotes.exe | 118
PID 4448 wrote to memory of 3932 | 4448 | skotes.exe | 119
PID 4448 wrote to memory of 3932 | 4448 | skotes.exe | 119
PID 4448 wrote to memory of 3932 | 4448 | skotes.exe | 119
PID 4448 wrote to memory of 2640 | 4448 | skotes.exe | 120
PID 4448 wrote to memory of 2640 | 4448 | skotes.exe | 120

Uses Task Scheduler COM API [1 TTP]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe"C:\Users\Admin\AppData\Local\Temp\9ed1097f6a529e7a07213f5678e57cf894da48c2e2465a523d839fa445ff7bb2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\1001698001\cbe586bd9c.exe"C:\Users\Admin\AppData\Local\Temp\1001698001\cbe586bd9c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4820
-
-
C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4888
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1606⤵
- Program crash
PID:5096
-
-
-
C:\Users\Admin\AppData\Local\Temp\1002552001\ha7dur10.exe"C:\Users\Admin\AppData\Local\Temp\1002552001\ha7dur10.exe"5⤵PID:5284
-
C:\Windows\Temp\{113C0D1F-C522-4BDD-A4C1-80FE9027E618}\.cr\ha7dur10.exe"C:\Windows\Temp\{113C0D1F-C522-4BDD-A4C1-80FE9027E618}\.cr\ha7dur10.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\1002552001\ha7dur10.exe" -burn.filehandle.attached=540 -burn.filehandle.self=5486⤵PID:5136
-
-
-
C:\Users\Admin\AppData\Local\Temp\1002824001\2a58993494.exe"C:\Users\Admin\AppData\Local\Temp\1002824001\2a58993494.exe"5⤵PID:5664
-
-
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"5⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"6⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe"C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe"7⤵PID:6408
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe"C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe"5⤵PID:6036
-
-
C:\Users\Admin\AppData\Local\Temp\1003429001\quzfesaq.exe"C:\Users\Admin\AppData\Local\Temp\1003429001\quzfesaq.exe"5⤵PID:6548
-
-
C:\Users\Admin\AppData\Local\Temp\1003616001\b801ca76b7.exe"C:\Users\Admin\AppData\Local\Temp\1003616001\b801ca76b7.exe"5⤵PID:6656
-
-
C:\Users\Admin\AppData\Local\Temp\1003617001\fce8e5f37b.exe"C:\Users\Admin\AppData\Local\Temp\1003617001\fce8e5f37b.exe"5⤵PID:6872
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe"C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe"C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 3044⤵
- Program crash
PID:804
-
-
-
C:\Users\Admin\AppData\Local\Temp\1005824001\5d58635b7f.exe"C:\Users\Admin\AppData\Local\Temp\1005824001\5d58635b7f.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\klops.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\system32\cmd.execmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\klops.exe"5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\system32\PING.EXEping localhost -n 16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4488
-
-
C:\Users\Admin\AppData\Local\klops.exeC:\Users\Admin\AppData\Local\klops.exe6⤵
- Executes dropped EXE
PID:2440
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2840
-
-
C:\Users\Admin\AppData\Local\Temp\1007319001\rodda.exe"C:\Users\Admin\AppData\Local\Temp\1007319001\rodda.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4576
-
-
C:\Users\Admin\AppData\Local\Temp\1007468001\IObit.exe"C:\Users\Admin\AppData\Local\Temp\1007468001\IObit.exe"3⤵
- Executes dropped EXE
PID:1788
-
-
C:\Users\Admin\AppData\Local\Temp\1007469001\4537c0d937.exe"C:\Users\Admin\AppData\Local\Temp\1007469001\4537c0d937.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3460
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Tree level: 4
- Uses browser remote debugging
PID:5184
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1fc,0x228,0x7ff8481acc40,0x7ff8481acc4c,0x7ff8481acc58
Tree level: 5
PID:5248
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,16033837689302535011,5111412193428171697,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1936 /prefetch:2
Tree level: 5
PID:5532
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1600,i,16033837689302535011,5111412193428171697,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2220 /prefetch:3
Tree level: 5
PID:4188
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,16033837689302535011,5111412193428171697,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2432 /prefetch:8
Tree level: 5
PID:1672
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,16033837689302535011,5111412193428171697,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3224 /prefetch:1
Tree level: 5
- Uses browser remote debugging
PID:2420
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,16033837689302535011,5111412193428171697,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3268 /prefetch:1
Tree level: 5
- Uses browser remote debugging
PID:6028
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,16033837689302535011,5111412193428171697,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4516 /prefetch:1
Tree level: 5
- Uses browser remote debugging
PID:1936
C:\Users\Admin\AppData\Local\Temp\1007470001\abb32faf0a.exe
"C:\Users\Admin\AppData\Local\Temp\1007470001\abb32faf0a.exe"
Tree level: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3932
C:\Users\Admin\AppData\Local\Temp\1007471001\b2ab7bb398.exe
"C:\Users\Admin\AppData\Local\Temp\1007471001\b2ab7bb398.exe"
Tree level: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2640
C:\Users\Admin\AppData\Local\Temp\1007472001\0cef0c3e7f.exe
"C:\Users\Admin\AppData\Local\Temp\1007472001\0cef0c3e7f.exe"
Tree level: 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5084
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
Tree level: 4
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1260
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
Tree level: 4
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4688
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
Tree level: 4
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4820
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
Tree level: 4
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4708
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
Tree level: 4
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4480
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Tree level: 4
PID:1720
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Tree level: 5
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3808
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1932 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96a782db-fa93-49ab-ad93-665e55b5f13a} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" gpu
Tree level: 6
PID:2568
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e063ae3-cb13-4da5-8c88-34d28abc2dcc} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" socket
Tree level: 6
PID:3340
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2744 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca061e29-4675-4ef1-9a75-a904614d9880} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
Tree level: 6
PID:4116
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -childID 2 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a57f8d-ae62-457e-8c61-9855600fe4a8} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
Tree level: 6
PID:3652
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4700 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbb5633d-073c-4f94-a4cb-0382820632de} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" utility
Tree level: 6
- Checks processor information in registry
PID:5856
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 3 -isForBrowser -prefsHandle 5572 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c99cce3-c5ae-4aae-96e9-501943e03951} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
Tree level: 6
PID:5316
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 4 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aedddd8-bcd8-466a-aa87-b7e0da3e16fd} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
Tree level: 6
PID:5312
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 5 -isForBrowser -prefsHandle 5884 -prefMapHandle 5896 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e4d20d9-3300-442a-9737-b3477b798b1c} 3808 "\\.\pipe\gecko-crash-server-pipe.3808" tab
Tree level: 6
PID:5256
C:\Users\Admin\AppData\Local\Temp\1007473001\08e29a88bd.exe
"C:\Users\Admin\AppData\Local\Temp\1007473001\08e29a88bd.exe"
Tree level: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3916 -ip 3916
Tree level: 1
PID:2684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 564 -ip 564
Tree level: 1
PID:3780
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Tree level: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1020
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
Tree level: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2200
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\PushResize.xlsx"
Tree level: 1
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3724
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Tree level: 1
PID:5496
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
Tree level: 1
PID:1456
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Tree level: 1
PID:1484
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
Tree level: 1
PID:6320
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Modify Authentication Process (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Authentication Process (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads