Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
26-11-2024 09:08
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241023-en
General
-
Target
file.exe
-
Size
1.7MB
-
MD5
e7423cd132a8b0550213c0fb9175ae31
-
SHA1
378d1048fecb53673ea33b910ae2d8ae08e578a5
-
SHA256
a80a31d0c26650521c50df60611832e214a9fde86a8eae0ca3d05356ae9e0e63
-
SHA512
7f35984008878a5bbbdca9ba891304720669f631ec6f4560dbf148bcbabc61434502a0313bed93eeeaf01691335732a06b70c7b8a228d4f6946419910ee0bb73
-
SSDEEP
49152:woefc2gUyHcqm0QD22qg/5LKI75mJKqkwKIT:w5fcFUyHm0C221mIqz
Malware Config
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey family
-
Cryptbot family
-
Detect Poverty Stealer Payload 1 IoCs
resource yara_rule behavioral1/files/0x000500000001962d-179.dat family_povertystealer -
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
resource yara_rule behavioral1/memory/2860-283-0x0000000069CC0000-0x000000006A71B000-memory.dmp family_cryptbot_v3 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection e6e9a52678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" e6e9a52678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" e6e9a52678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" e6e9a52678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" e6e9a52678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" e6e9a52678.exe -
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Povertystealer family
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1a521adeb0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fde018d92a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e6e9a52678.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DocumentsEGIJEBGDAF.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 35ec7c68af.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2668 chrome.exe 2808 chrome.exe 2092 chrome.exe 2416 chrome.exe 1660 chrome.exe 2964 chrome.exe 3024 chrome.exe 1764 chrome.exe -
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DocumentsEGIJEBGDAF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DocumentsEGIJEBGDAF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1a521adeb0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fde018d92a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 35ec7c68af.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 35ec7c68af.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1a521adeb0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fde018d92a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e6e9a52678.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e6e9a52678.exe -
Executes dropped EXE 13 IoCs
pid Process 2996 DocumentsEGIJEBGDAF.exe 680 skotes.exe 2148 Zefoysm.exe 1820 1Shasou.exe 1392 vg9qcBa.exe 2984 vg9qcBa.exe 1744 vg9qcBa.exe 2860 35ec7c68af.exe 2308 1a521adeb0.exe 2628 service123.exe 2732 fde018d92a.exe 2676 c01ab66a6a.exe 2676 e6e9a52678.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine DocumentsEGIJEBGDAF.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine 35ec7c68af.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine 1a521adeb0.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine fde018d92a.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine e6e9a52678.exe -
Loads dropped DLL 25 IoCs
pid Process 2360 file.exe 2360 file.exe 1856 cmd.exe 1856 cmd.exe 2996 DocumentsEGIJEBGDAF.exe 2996 DocumentsEGIJEBGDAF.exe 680 skotes.exe 680 skotes.exe 680 skotes.exe 680 skotes.exe 680 skotes.exe 1392 vg9qcBa.exe 1392 vg9qcBa.exe 680 skotes.exe 680 skotes.exe 680 skotes.exe 2860 35ec7c68af.exe 2860 35ec7c68af.exe 1332 WerFault.exe 1332 WerFault.exe 1332 WerFault.exe 2628 service123.exe 680 skotes.exe 680 skotes.exe 680 skotes.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features e6e9a52678.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" e6e9a52678.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\1a521adeb0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009252001\\1a521adeb0.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\fde018d92a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009253001\\fde018d92a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\c01ab66a6a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009254001\\c01ab66a6a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6e9a52678.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009255001\\e6e9a52678.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000500000001a0a2-428.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 2360 file.exe 2996 DocumentsEGIJEBGDAF.exe 680 skotes.exe 2860 35ec7c68af.exe 2308 1a521adeb0.exe 2732 fde018d92a.exe 2676 e6e9a52678.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1392 set thread context of 1744 1392 vg9qcBa.exe 55 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job DocumentsEGIJEBGDAF.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1332 2860 WerFault.exe 56 -
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6e9a52678.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1Shasou.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 35ec7c68af.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DocumentsEGIJEBGDAF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vg9qcBa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vg9qcBa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c01ab66a6a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Zefoysm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a521adeb0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fde018d92a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 35ec7c68af.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 35ec7c68af.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 2848 taskkill.exe 1600 taskkill.exe 2176 taskkill.exe 816 taskkill.exe 1048 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings firefox.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a vg9qcBa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 skotes.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 skotes.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 vg9qcBa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a vg9qcBa.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1280 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 2360 file.exe 2360 file.exe 2360 file.exe 2964 chrome.exe 2964 chrome.exe 2360 file.exe 2360 file.exe 2996 DocumentsEGIJEBGDAF.exe 680 skotes.exe 2860 35ec7c68af.exe 2308 1a521adeb0.exe 2808 chrome.exe 2808 chrome.exe 2732 fde018d92a.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2676 e6e9a52678.exe 2676 e6e9a52678.exe 2676 e6e9a52678.exe 2676 e6e9a52678.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeShutdownPrivilege 2964 chrome.exe Token: SeDebugPrivilege 2148 Zefoysm.exe Token: SeShutdownPrivilege 2808 chrome.exe Token: SeShutdownPrivilege 2808 chrome.exe Token: SeShutdownPrivilege 2808 chrome.exe Token: SeShutdownPrivilege 2808 chrome.exe Token: SeDebugPrivilege 1600 taskkill.exe Token: SeDebugPrivilege 2176 taskkill.exe Token: SeDebugPrivilege 816 taskkill.exe Token: SeDebugPrivilege 1048 taskkill.exe Token: SeDebugPrivilege 2848 taskkill.exe Token: SeDebugPrivilege 2952 firefox.exe Token: SeDebugPrivilege 2952 firefox.exe Token: SeDebugPrivilege 2676 e6e9a52678.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2964 chrome.exe 2996 DocumentsEGIJEBGDAF.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe 2808 chrome.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2952 firefox.exe 2952 firefox.exe 2952 firefox.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe 2676 c01ab66a6a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2964 2360 file.exe 32 PID 2360 wrote to memory of 2964 2360 file.exe 32 PID 2360 wrote to memory of 2964 2360 file.exe 32 PID 2360 wrote to memory of 2964 2360 file.exe 32 PID 2964 wrote to memory of 2988 2964 chrome.exe 33 PID 2964 wrote to memory of 2988 2964 chrome.exe 33 PID 2964 wrote to memory of 2988 2964 chrome.exe 33 PID 2964 wrote to memory of 1932 2964 chrome.exe 34 PID 2964 wrote to memory of 1932 2964 chrome.exe 34 PID 2964 wrote to memory of 1932 2964 chrome.exe 34 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 1528 2964 chrome.exe 36 PID 2964 wrote to memory of 3068 2964 chrome.exe 37 PID 2964 wrote to memory of 3068 2964 chrome.exe 37 PID 2964 wrote to memory of 3068 2964 chrome.exe 37 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 PID 2964 wrote to memory of 1740 2964 chrome.exe 38 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70c9758,0x7fef70c9768,0x7fef70c97783⤵PID:2988
-
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵PID:1932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:23⤵PID:1528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:83⤵PID:3068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:83⤵PID:1740
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2344 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:3024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:1764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2156 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:23⤵PID:2676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2540 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:2668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 --field-trial-handle=1928,i,11153571805517080895,10273170166040358431,131072 /prefetch:83⤵PID:1656
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsEGIJEBGDAF.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Users\Admin\DocumentsEGIJEBGDAF.exe"C:\Users\Admin\DocumentsEGIJEBGDAF.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:680 -
C:\Users\Admin\AppData\Local\Temp\1009146001\Zefoysm.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\Zefoysm.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1820
-
-
C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"6⤵
- Executes dropped EXE
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:1744
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009251001\35ec7c68af.exe"C:\Users\Admin\AppData\Local\Temp\1009251001\35ec7c68af.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2860 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"6⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2808 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e99758,0x7fef6e99768,0x7fef6e997787⤵PID:892
-
-
C:\Windows\system32\ctfmon.exectfmon.exe7⤵PID:2020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1364,i,17078376085993132260,1896703161514980576,131072 /prefetch:27⤵PID:1604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1376 --field-trial-handle=1364,i,17078376085993132260,1896703161514980576,131072 /prefetch:87⤵PID:1828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1364,i,17078376085993132260,1896703161514980576,131072 /prefetch:87⤵PID:2652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1364,i,17078376085993132260,1896703161514980576,131072 /prefetch:17⤵
- Uses browser remote debugging
PID:2092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1364,i,17078376085993132260,1896703161514980576,131072 /prefetch:17⤵
- Uses browser remote debugging
PID:2416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1572 --field-trial-handle=1364,i,17078376085993132260,1896703161514980576,131072 /prefetch:27⤵PID:2620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1076 --field-trial-handle=1364,i,17078376085993132260,1896703161514980576,131072 /prefetch:17⤵
- Uses browser remote debugging
PID:1660
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 9686⤵
- Loads dropped DLL
- Program crash
PID:1332
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009252001\1a521adeb0.exe"C:\Users\Admin\AppData\Local\Temp\1009252001\1a521adeb0.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2308
-
-
C:\Users\Admin\AppData\Local\Temp\1009253001\fde018d92a.exe"C:\Users\Admin\AppData\Local\Temp\1009253001\fde018d92a.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2732
-
-
C:\Users\Admin\AppData\Local\Temp\1009254001\c01ab66a6a.exe"C:\Users\Admin\AppData\Local\Temp\1009254001\c01ab66a6a.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2676 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:2936
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2952 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.0.2045453552\704502739" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1048 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b7005ad-7742-4542-b016-48309fe3799e} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1352 106e4d58 gpu8⤵PID:1828
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.1.429051654\644939847" -parentBuildID 20221007134813 -prefsHandle 1528 -prefMapHandle 1524 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd0297c1-4c30-46bd-99cb-3d5ebc0c1ad4} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1552 e74e58 socket8⤵PID:1432
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.2.45764000\1539743372" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3325303a-abfb-41d2-8c1d-659d7c51faa4} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2104 1065cb58 tab8⤵PID:2892
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.3.1263338966\1026634791" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d3bac23-25f4-4980-9d36-2f8e9b3e4372} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2908 e64558 tab8⤵PID:868
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.4.2062247715\690032959" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3452 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7985d82-7d77-45d2-aa66-f25ac74c778d} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3764 1fded058 tab8⤵PID:1276
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.5.1082195016\1912244300" -childID 4 -isForBrowser -prefsHandle 3872 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {416422df-5b71-456b-8484-8fc44c929d94} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3860 1fdeca58 tab8⤵PID:2704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.6.1562283527\293767545" -childID 5 -isForBrowser -prefsHandle 4036 -prefMapHandle 4040 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20ea1dae-b800-42c8-9cd1-4109d81275d1} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 4024 1fdecd58 tab8⤵PID:1752
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009255001\e6e9a52678.exe"C:\Users\Admin\AppData\Local\Temp\1009255001\e6e9a52678.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1680
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2360
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD54a665889f3436960b716c066cc9f7818
SHA13ba9ad9a24de57891e3a837bbfd74e16327f290b
SHA256682fec0092076f4b284dca80067793252e2217bdf47b47a690bdb46d1a2f0483
SHA512ad3a3a6df89587c6d4bf504bbb60602e20639875fa97b257b808306ba9de3903453ce62eddf94619e781f2aff0c0ce8cadf399a4de0863fe74794a2788d13f72
-
Filesize
16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
136B
MD51f2fc8cf5a8ebb07a35fe9cf729da4d2
SHA1fbec4cab248e45e65318941b2a300d173378f104
SHA2566d11fc33a5c248cf0c72c152fa4c1855cbbb8d893fe91e35a2a18185637c5e13
SHA512ee49330b6c9056b25d45a375527ac80c815a59cad72a7fbb0db4b46e47ff02bc381d9ac5e029c5b91993f70b1360a079040d04e2f310f65e7bb5f0a073e7d111
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
Filesize107B
MD522b937965712bdbc90f3c4e5cd2a8950
SHA125a5df32156e12134996410c5f7d9e59b1d6c155
SHA256cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b
-
Filesize
1KB
MD52e42c8b4136f9f2b392ef5feea05f6d7
SHA18b9aa824e4505ff78732fd7e2eb9f906a1705d72
SHA256eedc63545b0a1fbea84c2a3543892d72ca20f8c2f2602d4d6bd6c94342ad3f55
SHA512c9ee47d5ba17077ab2b6ed1c1a9f932249612070536d6849401c6c4bed008cb99d0752dddd57ae0b3db3a95960b62f5a2c4ad320eefc9f2e07659b927f6ce503
-
Filesize
2KB
MD54a7d630f64ea4ba6675450630ce6d8f5
SHA1d1eba486454e2e66461d7a453fd6fe8f52988a26
SHA256e1c3bdac2019dcb4e83239072ab7ecb66b3f53851532b9f703a01b853b478a69
SHA512ce62e4341542f18051f405ba74171a852ea189e18b08b248282169ca3b902a098890347cd3af67e84e35e63e1b13c2714883986c4a1948197c106db7178eaf76
-
Filesize
250B
MD5082356f2eb58cdf330ca17fe4389e9e7
SHA1f97a5bbf6ce4da0026cec505b6d803b9111daec1
SHA256b63cfc12d327b2c71dcc35f7f52e757e576d9e004447047574b66e6ef4c3face
SHA5125f9d19b719a0cec315a83730875d2b96133f548227066a1cfe520fe0096c68597f26170d64f08377ed35306dcf17da1018a5a2d22eaaf98ea1220d8166389c86
-
Filesize
250B
MD517955c6a1bfe62d0dc5fef82ef990a13
SHA1c4bc3f9ccf3fa9626c9279ecb1a4cbfbf4a0fcf5
SHA2561cba135964cd409db09911c7cd4699112622596ff633cea868a83c54088c03a7
SHA5125fb73bb4f7eb1c9e26f34e5d0f310783c7e629e717760ee38731a52a8e3fba6831d77abf0f37631fed820839a00c9242a582e59266de08d3c92c5c4f83c8e7a3
-
Filesize
57B
MD550e0a00e9e3eca5dd3e80d3e6e8b8eb6
SHA1f0afa409c7ab927938c8dedf7e57c0f355103cba
SHA2567c820f099ace6ab1f6694f5b610412ce0cd81c64a500bc8558ae5ff9042a9c8c
SHA5127834f7052e6d21e6aba4b5445b555103bfb9f1e04457a5aa7363918e97e0d7dfd0e08a9136c377600fd3a1c8818296b76e9eb09c7217b4e8b9229bb81689a79e
-
Filesize
249B
MD50073a06f1b7db0639e596959dfe7728c
SHA16fdfe45514e208ddb970d55bb5ff063370179aa2
SHA256d1d82cc149cd4d4e01a30d39c46e2b9ea11bfa93e0f27ca85760360f34f64b90
SHA512ddd22b6f540037c80735810273ed369bf9cccc69f01f0a6b40cace6d7e6ce6286477d7cf16c37cee7605998d9a31a1056a41d3008f765ac4ab60cb5595624710
-
Filesize
98B
MD5cce6d9e0a2fca760e3a7904fca2fa80b
SHA1b637051510893c6688ef301bd59532f3255b3a01
SHA2567833d6eb2a94306bd3d04cf593243cda062e5deb67528a767a43f42d8a12e159
SHA51217740ac23a35c466429bd338214cff75d51321a95eac7785e3ff2b5597a1d6cc01a52bdfbd4143b0510affd86b4a892a6f0d337d057ee464d788abd8a4b7b2f7
-
Filesize
34B
MD512275f46db968e27e4edb23a4517904d
SHA11bd41f5f55dc8532c45c5ed91bd0823deabe3d3a
SHA2560b9769e63620205002586d7dbefa19d6c3573ffa65bc86eb49113ec271feea4a
SHA512084364c331be5c6b8c537a6c56b732ccdbb45f0d74a1e0ed89ac195e9ae43e15f15c953e3ed188990f0abb7e0e6456fa4b6b34562a02c180f7c061a7728c8b66
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
249B
MD5453596dafd6940896adb1afbde4bfcc0
SHA1ef3849e5df111632e59e04fb7b94ed2f22f37ba3
SHA25656204634834bb551ff0cfdd3e0c4e07b25d0a89df04f86b245ddcbd4b081a55b
SHA512590a9639d98bea6ccc46c48e431c21da895218c3061e7c77cf3e315fba629c6db507f5d37b05481117a7184c6afa8a490171615c793167587151a1ebe251f778
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
Filesize118B
MD5799ec7fe3eea5adb74029f4b64b291e0
SHA1aa50caa4f5631ee0d6f6ccbb3a6ed3e36482f11b
SHA256a8f16494d87c4a3b9292d978a0a75d60c6672e96dba1d92d659b6b8267b89f13
SHA5120e28235a8986a3722ab5b118f9c15773819cf71441abef7c36902da65a6662e31d061bedce9d8409eb63de33647a637aa9efb5660f97cb20574a584fb23ec797
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp
Filesize29KB
MD5a86d1675cd07052a5f4615252df582ba
SHA1562b498654c6c9c30dc49e284de10895e3ad7c18
SHA25603d5265dfec0bf4283c68020c70ce9e0d226fdbcb64db29ea1d9c9a0abf2bb5d
SHA5124a2daa2f361a6931fb01ce6f5969a0cdfdeafc01195b6b5696b2e1f11c77da0f8c5dcfa7e252732582c33548f5a1d58d0b7f58a302a1501d0dd7a178149f2fa6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
211KB
MD5ebbaf388ef32ae0785459ea0e57f0b68
SHA12604c1636a3479667df404117fa3b57d1ac8849f
SHA256dca6babd2e9709e4f2f56946626b7919a84b09a8d4679f34a985eabb255aba20
SHA512d787214d90bb99be76fe4ede63ca50487b80c0da7c190faa4120b845cea42e631e1b59989d7b4fb07f2eb83ca7187890d40a36a07cc40236e76d1d1806aba4e7
-
Filesize
29KB
MD5d0038532ae6cec64be83bc19d0b8f695
SHA117a23380f80068d15ebc014cb2b1748bb45fb5c1
SHA256b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
SHA512af269471f7093445fb05bc6d6d185f9e48d0666674a3de50c4217757d3fdf39b067668bf2ca37eac91d5cb203c3ce3d4d634661e470d84d12c80c332344503ea
-
Filesize
460KB
MD520160349422aeb131ed9da71a82eb7ab
SHA1bb01e4225a1e1797c9b5858d0edf063d5f8bc44f
SHA256d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea
SHA512907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8
-
Filesize
4.2MB
MD5b4de34dcc96d16ec82f6fa3a7d037d4f
SHA1a61abdbcf17bd347b2f0733d921100bf5503e844
SHA256176260afa9071597e2a1a9947ae1394acf082932fbbb78b3c830c6d7c63bfa76
SHA512619dd38b27a461164a5541a42d4796b5f946df776d7e8e5e0849580c7148a6bbd7afb50db9e7ee0fb0f2dce02962a260fa7545c14d70f1e005243e1fd600aa33
-
Filesize
1.8MB
MD5c0027647c26af68b744a4be6494bdebd
SHA1b8fd87584d9eac22277e16c022e04ac12a9c7478
SHA256b735699c90385dd43f7c72897fee81aa998d7fb7fbb070639e5fb3ab20251548
SHA512ff05626d5679b51ecc5362e2ec4bcbc2af85a0e137728f32c0602dfa856ec154c8e40d0e15be1b8951db35496a4f790927514c17416c2733af245e5a3277da3b
-
Filesize
1.7MB
MD5e7423cd132a8b0550213c0fb9175ae31
SHA1378d1048fecb53673ea33b910ae2d8ae08e578a5
SHA256a80a31d0c26650521c50df60611832e214a9fde86a8eae0ca3d05356ae9e0e63
SHA5127f35984008878a5bbbdca9ba891304720669f631ec6f4560dbf148bcbabc61434502a0313bed93eeeaf01691335732a06b70c7b8a228d4f6946419910ee0bb73
-
Filesize
901KB
MD5402239d87cbfb0a1f3cdf2d641a32b32
SHA14c6474475af1accace9a5b996b072fb954b08d42
SHA25647cb2f71bff73cf7bdc551c6e2bc2275c4286d52bb9b77c967806ae34b61b77a
SHA512ecf2beeac89f4a431e8628cd30e00e103ecfd6c75671b13092d2854facbad1c66c5e2b9313165cbeae59c0bbba00e505d891132d3b5b89294e9d966e6545692d
-
Filesize
2.7MB
MD5eaa89cb86d24875d5f654023b97a448b
SHA1cca6df2324d6e1d5a4d5be100a97164c9bee9a67
SHA25639194f598806ee3a073197675b49e18730978be74138703e2c91a3a332d41e0d
SHA5126274bc80a172d856d03e403615b8c8d31cc8e74cc55991e90037785ace7db86df54d785188dc42e16f5afbbbc764a78a5b40eddb9e9683e4a59baffc2546707f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5b03b8ff22eaba3946fb4875ca3f71043
SHA1c38fbfdb6198e2995f4ea094dd8063f25235a283
SHA25658ddb25cf0787857e44a84e115b25a7c0e12af29e2ac6d1a6874aee309eb572e
SHA5126ba83f665ed6d25f4cebade0a45c42f8ded3a159508a7b00d2a28b973f0df2c1ae0acb517f438d38dfccd34dcf8733bcaed7cd6a254e60f7af87d9e3a8228851
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\0200eccf-5767-4df9-ad34-6d4820c11f69
Filesize745B
MD547c254377cbb60f169960c50cb0af77a
SHA1ab0759c6cc62b19ce582256cf6f9505a627444a7
SHA2567f0286fc59dfd9c804008134418ca03580353a14eb998ce900fcb84cc60fc2b3
SHA51258aed22c40a978eaed6f6f12a43e386a6e47bfed2e6c303e6a8dc93dde193fb1e69a1dee6402fe1585fc184dba51255c3b24ce0164a8ea6a2a6336941b12a008
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\b4168aa4-f5eb-4962-b240-47a3268958d1
Filesize11KB
MD50771c61abed5edc225e1e35c64dcb86e
SHA1cd411630eeb9060f7cec06e9f34f974d560b8f42
SHA256d080681f7fd0368349b7c1ea0b986b9d443917a225c58da4f55dce0bab77745c
SHA512da4a880d0f92621e2ca4ae5a12cab75621ba59904fb57d88e5dc1dfedc1b7b02423cc4bbaf46497cc823db7aca46c0f3d6436f15abc4834274dadacba8f000de
-
Filesize
6KB
MD5d3f3d1217ed0fc846f1c9f5b5542d00c
SHA1ed1c767d289475c0fabab9be26ca02b7dc8ab451
SHA2563146bd9e76821f43b91154b5f50047e9b03a2f8605e04656000037493e31eabc
SHA512f6de9a94014b8a44886249a41eeb4df13194f949f452cdbfb255505c0da88d713894e79f7ad1bc4fc44e9bd4c0bb2366fb7a2a189e3e9c5f3c2b91125daaf28f
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.8MB
MD5b136d71b7374063413830db122aede59
SHA1443c7629c02f9b95dd36c11dabfffd4c01dc89e6
SHA256e7dc2940de34f5fe0350f2eda5e1eaaa1cfb7675453f3b421edfef5174bbca5e
SHA512f9ee75b93b0568948b14edc93d5c70a66dc78af3d79674057131db49d3197fa44b990c80c91eca9b52f8eba20be897a2bdd9ac79583167032a441d173f217b75