Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
53s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/11/2024, 01:36
Static task
static1
General
-
Target
8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe
-
Size
1.8MB
-
MD5
5fcab4c0e9af5adc2963461bf81e0a5d
-
SHA1
f81122d741b6de1503e7625feea68233ae29f670
-
SHA256
8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1
-
SHA512
9fb90dbe48aba5ba7ac1e44cc97d5c498d8bb9a4f1fa397c3be1dfc76e1d072a319c13551d56677bcb156a37e8dcb8f464335d9e785c9e262087faa36ac88932
-
SSDEEP
49152:JqJPRWVSRuI1dPbV3CrNFVPkTXoM2DWizFoBI4B:8JPqsuIjPorJPdzzFoB
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://powerful-avoids.sbs
https://motion-treesz.sbs
https://disobey-curly.sbs
https://leg-sate-boat.sbs
https://story-tense-faz.sbs
https://blade-govern.sbs
https://occupy-blushi.sbs
https://frogs-severz.sbs
https://property-imper.sbs
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://blade-govern.sbs/api
https://story-tense-faz.sbs/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 0d5a91f2d6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 0d5a91f2d6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 0d5a91f2d6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 0d5a91f2d6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 0d5a91f2d6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 0d5a91f2d6.exe -
Stealc family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 3595924d93.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0d5a91f2d6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3595924d93.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7ff3530b10.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d1355c5cd7.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 1416 chrome.exe 1544 chrome.exe 2376 chrome.exe 1152 chrome.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3595924d93.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7ff3530b10.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d1355c5cd7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0d5a91f2d6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0d5a91f2d6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3595924d93.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7ff3530b10.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d1355c5cd7.exe -
Executes dropped EXE 7 IoCs
pid Process 2176 skotes.exe 320 VBVEd6f.exe 2840 7ff3530b10.exe 1740 d1355c5cd7.exe 1428 082f78a906.exe 2056 0d5a91f2d6.exe 3968 3595924d93.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 7ff3530b10.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine d1355c5cd7.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 0d5a91f2d6.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 3595924d93.exe -
Loads dropped DLL 9 IoCs
pid Process 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 2176 skotes.exe 2176 skotes.exe 2176 skotes.exe 2176 skotes.exe 2176 skotes.exe 2176 skotes.exe 2176 skotes.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 0d5a91f2d6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 0d5a91f2d6.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\7ff3530b10.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009469001\\7ff3530b10.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\d1355c5cd7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009470001\\d1355c5cd7.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\082f78a906.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009471001\\082f78a906.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d5a91f2d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009472001\\0d5a91f2d6.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000b000000015d59-387.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 2176 skotes.exe 2840 7ff3530b10.exe 1740 d1355c5cd7.exe 2056 0d5a91f2d6.exe 3968 3595924d93.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe -
pid Process 1356 powershell.exe 3260 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VBVEd6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ff3530b10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3595924d93.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082f78a906.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1355c5cd7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0d5a91f2d6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString VBVEd6f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 VBVEd6f.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3272 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 2024 taskkill.exe 936 taskkill.exe 1560 taskkill.exe 564 taskkill.exe 2832 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings firefox.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 VBVEd6f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a VBVEd6f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a VBVEd6f.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 2176 skotes.exe 1356 powershell.exe 320 VBVEd6f.exe 320 VBVEd6f.exe 2376 chrome.exe 2376 chrome.exe 2840 7ff3530b10.exe 1740 d1355c5cd7.exe 320 VBVEd6f.exe 1428 082f78a906.exe 2056 0d5a91f2d6.exe 2056 0d5a91f2d6.exe 1428 082f78a906.exe 1428 082f78a906.exe 2056 0d5a91f2d6.exe 2056 0d5a91f2d6.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3968 3595924d93.exe 3260 powershell.exe 3260 powershell.exe 3260 powershell.exe 3260 powershell.exe 3260 powershell.exe 3260 powershell.exe 3260 powershell.exe 3432 chrome.exe 3432 chrome.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 1356 powershell.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeShutdownPrivilege 2376 chrome.exe Token: SeDebugPrivilege 2832 taskkill.exe Token: SeDebugPrivilege 2024 taskkill.exe Token: SeDebugPrivilege 936 taskkill.exe Token: SeDebugPrivilege 1560 taskkill.exe Token: SeDebugPrivilege 564 taskkill.exe Token: SeDebugPrivilege 2520 firefox.exe Token: SeDebugPrivilege 2520 firefox.exe Token: SeDebugPrivilege 2056 0d5a91f2d6.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe Token: SeShutdownPrivilege 3432 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 2376 chrome.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 2520 firefox.exe 2520 firefox.exe 2520 firefox.exe 2520 firefox.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe -
Suspicious use of SendNotifyMessage 45 IoCs
pid Process 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 2520 firefox.exe 2520 firefox.exe 2520 firefox.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 1428 082f78a906.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe 3432 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2176 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 31 PID 2096 wrote to memory of 2176 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 31 PID 2096 wrote to memory of 2176 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 31 PID 2096 wrote to memory of 2176 2096 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 31 PID 2176 wrote to memory of 320 2176 skotes.exe 33 PID 2176 wrote to memory of 320 2176 skotes.exe 33 PID 2176 wrote to memory of 320 2176 skotes.exe 33 PID 2176 wrote to memory of 320 2176 skotes.exe 33 PID 2176 wrote to memory of 1356 2176 skotes.exe 35 PID 2176 wrote to memory of 1356 2176 skotes.exe 35 PID 2176 wrote to memory of 1356 2176 skotes.exe 35 PID 2176 wrote to memory of 1356 2176 skotes.exe 35 PID 320 wrote to memory of 2376 320 VBVEd6f.exe 37 PID 320 wrote to memory of 2376 320 VBVEd6f.exe 37 PID 320 wrote to memory of 2376 320 VBVEd6f.exe 37 PID 320 wrote to memory of 2376 320 VBVEd6f.exe 37 PID 2376 wrote to memory of 2764 2376 chrome.exe 38 PID 2376 wrote to memory of 2764 2376 chrome.exe 38 PID 2376 wrote to memory of 2764 2376 chrome.exe 38 PID 2376 wrote to memory of 804 2376 chrome.exe 39 PID 2376 wrote to memory of 804 2376 chrome.exe 39 PID 2376 wrote to memory of 804 2376 chrome.exe 39 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2736 2376 chrome.exe 41 PID 2376 wrote to memory of 2236 2376 chrome.exe 42 PID 2376 wrote to memory of 2236 2376 chrome.exe 42 PID 2376 wrote to memory of 2236 2376 chrome.exe 42 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe"C:\Users\Admin\AppData\Local\Temp\8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7459758,0x7fef7459768,0x7fef74597785⤵PID:2764
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:25⤵PID:2736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:85⤵PID:2236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:85⤵PID:1028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:1152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:1416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1364 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:25⤵PID:2996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2284 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:1544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 --field-trial-handle=1268,i,16160462712356442249,6434197177591812196,131072 /prefetch:85⤵PID:1472
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe" & rd /s /q "C:\ProgramData\ECGDAAFIIJDA" & exit4⤵
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3272
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1009351041\PeRVAzl.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\1009469001\7ff3530b10.exe"C:\Users\Admin\AppData\Local\Temp\1009469001\7ff3530b10.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2840
-
-
C:\Users\Admin\AppData\Local\Temp\1009470001\d1355c5cd7.exe"C:\Users\Admin\AppData\Local\Temp\1009470001\d1355c5cd7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1740
-
-
C:\Users\Admin\AppData\Local\Temp\1009471001\082f78a906.exe"C:\Users\Admin\AppData\Local\Temp\1009471001\082f78a906.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1428 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:936
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:564
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:2044
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2520 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.0.1752509992\388976172" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d6e6b7-4bea-4146-9508-c564c25581e7} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 1296 10fc1058 gpu6⤵PID:1932
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.1.363557294\228118629" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3811367a-df00-4d6d-96be-736223c64ea9} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 1496 d74e58 socket6⤵PID:2628
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.2.1612796573\20222014" -childID 1 -isForBrowser -prefsHandle 1976 -prefMapHandle 1992 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b310f306-2daf-4644-b27e-30ba913a6fc2} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 1968 1a4af158 tab6⤵PID:768
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.3.971633431\535835088" -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {794373a3-e0c7-43d0-ab0b-59c04e10013c} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 2904 d60858 tab6⤵PID:1080
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.4.1765423355\113767812" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3784 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {052c0c3c-25bd-41b7-95fc-0917b3b60b86} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 3800 20054158 tab6⤵PID:1600
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.5.1585935141\1017514132" -childID 4 -isForBrowser -prefsHandle 3916 -prefMapHandle 3920 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd112a2-85c6-4697-8de4-66c5f0290030} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 3904 202e8658 tab6⤵PID:1952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.6.152818816\1660952350" -childID 5 -isForBrowser -prefsHandle 4088 -prefMapHandle 4092 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86a40425-5a42-452a-878a-45c6cd6099e4} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 4076 213fee58 tab6⤵PID:1580
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.7.199626443\508179412" -childID 6 -isForBrowser -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d1cbf54-7928-4f61-aa0e-1f96ac8985d7} 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 1632 14886b58 tab6⤵PID:3936
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009472001\0d5a91f2d6.exe"C:\Users\Admin\AppData\Local\Temp\1009472001\0d5a91f2d6.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\1009473001\3595924d93.exe"C:\Users\Admin\AppData\Local\Temp\1009473001\3595924d93.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3968
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1009474041\EO1w7lf.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3432 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5049758,0x7fef5049768,0x7fef50497785⤵PID:3452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:25⤵PID:3656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:85⤵PID:3680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:85⤵PID:3788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:15⤵PID:3832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2128 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:15⤵PID:3836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3236 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:15⤵PID:3952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3344 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:25⤵PID:3604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=1184,i,14466108435801967187,12165982135818972510,131072 /prefetch:85⤵PID:852
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵PID:3520
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
PID:3568
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1436
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-21031836629895909191000560353682547220167825732-756436895-317895187-2030091447"1⤵PID:1740
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3888
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c4f6d4bbbbfebf839fe616cdc50837da
SHA1129c15ed9aba1d6a70f2f0f291d0ba9d12b50c1a
SHA256e8cb83bd58ebf9d8523fd0359e5a2d1a53c32fa0c8ed793c121a48622603de03
SHA512e2c56f1fdcc9fddcce9c820f448544fa309c95990ac5df527cd432ecd8c9800a4b94c3bc76d288327f7dbf0d133e26ba20b8afa0868eb184032e22fc1a8be132
-
Filesize
40B
MD51d6994c9e7456e30a9c2dcecdc184047
SHA1ad85ecf6f00da14dbde2b4b22e52809a02ad11cb
SHA25632d641a0b1a4d012ac26b4511e84b1ce3a0c129fccd4e85a78a31d46b14f1a8d
SHA51245820fc375361f0518efc53e283a5421a58ace75b2d4d94c9a190ac75a3b3717b9b797e8d27cec3014fcc9e9ea27f2ffc586777d8d658e0e24d379fe7604c607
-
Filesize
16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
136B
MD5d222ad1ff5d849a7fbda7d5a05f49e1e
SHA1e49cbc11ab42bb24611b66da7c86e3625dd33b5c
SHA25639b304892a78ef8eeca779f18b1f11b861ede6708c6c74841b0118f17dea4823
SHA512e19b8ce24fa0df484fdaaa85c51f3804546de43ac7a3ce7038a1eb7ec3e105ec08141b67b76022b8536bb0270ad10f96a5e9d88464645dca62aa3649afe5cf14
-
Filesize
50B
MD51be22f40a06c4e7348f4e7eaf40634a9
SHA18205ec74cd32ef63b1cc274181a74b95eedf86df
SHA25645a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691
SHA512b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
16B
MD5589c49f8a8e18ec6998a7a30b4958ebc
SHA1cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e
SHA25626d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8
SHA512e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
6KB
MD53ee9d55bb763fb4b561fe0929372a97d
SHA182bf4bd1efe7a1cca31ec0f8e27c19545afe4cf5
SHA2562a6166564d6edcad2d447f7c98d2d34ec0f1413bf9b71bc033643ab3a3b91378
SHA512e4c42e108bb4858565dc1b59d0accd61a429e2129d2fc17b02d2ef9472b95bbbda3afbc6895cbde7792a0464dec56a3d7f76860a7aae00e70d8502215489b943
-
Filesize
6KB
MD5694e3a8ae7a6789386518b4681dfd325
SHA1c21d513eba88bf289abe973cfa29ef66ce3c8251
SHA25643c7771bbd216fdbbcb864199213674d8a932812673df65f75999590c290b373
SHA512f52793d76e5b2402f6f828edf617bb79ec0a5e11e57881e8a76d58f8c1fc118267d789546578a957bafa1a551b5db7e49858a21bfd513ebc57c0f39229d65cde
-
Filesize
136B
MD5e9fe30ede9c3856a2de6dbf43df075f4
SHA124e96c269f326eb413c80bf9a04ae4cf86920007
SHA25645c99a05904560cc388d027de3c5a251e43c1d29076dd0d2b5767f85a3304f3d
SHA51248cef70e75400c320106b103ff422622f17b2d5815b3e7e0d464e94b83f3fb1a10721583528f043f2c3e6acfd8c74798540289e8ff3887a1c7f893635807964d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
Filesize107B
MD522b937965712bdbc90f3c4e5cd2a8950
SHA125a5df32156e12134996410c5f7d9e59b1d6c155
SHA256cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b
-
Filesize
1KB
MD5cc3810d7095e9ba30eddd9f7c02e783c
SHA158e59270c2d5c5f9ee7e4a2ef55af786b22254d7
SHA2568659f69681aff39239470438d3a8cf8537f8c27113c2bde201c4ae870b4ef58d
SHA51290f6b96f82a0dd64521db2c7aff5868415f253a28602288456dade19aea856de08d79b65e5b7d90195424e4430b3f8462044d75947bea4f25aa6b4b6a3a7b9fd
-
Filesize
2KB
MD5acce9f1473f69ff129b9b85914b29a5f
SHA1223e2109f89085cc1d95d4926e8f636414d12eea
SHA25619860ac9ee3dae9719aa1d74ff1279920f0739369d6c9cf85bd5fc85ec5eb496
SHA512043dde292d5a999ff34aaebf2adc4298c2bc0d4f35058b7f6177ffb61ee115ec5d733b7d412efa0f921ff67ed7c27aa7913868a19b1b96540ad1c7065efc848f
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
250B
MD5ef8e1b3519b3b7f85388f3d6cadfaed7
SHA17dfe418a28fd3fe2ff9591a36cd61fa4a8a2585e
SHA2563be1ef7eb40dd27eba863b338e9ef9d97c4987b58aa9e9097d9f58c1a8ccb986
SHA512c8e2cda5b9b6249271ea8366b67e816a3f6382b4473320ef95bd32e1abf81c83d28c012b7dd8b32df2582decb898acfc5a92555f6df0dab74a5c94ebe2a4d9c8
-
Filesize
250B
MD503d881fc5a4ab4013bd1b30988abb179
SHA19ad861569715575d7b676e5683b14dd3cffec304
SHA2565da7b30f55f920166ad821f532fb95bd11546bf63a228fc41357aa122fcaf5e8
SHA51229ab8ac2c642a83086266f88ffde8d71c96cd0d98812fac526e0a0adc58d8bc7f99760ad19a71cc38c3ef5edb9ab9d642ef6b665bf4ce336260b0171411e26f6
-
Filesize
249B
MD5b52baad0611be7da367d94748bf7d578
SHA1f0366ef585f4f12dd20b89f758ed57f65f56ae96
SHA256a4d2e83d0da57ce52bc718ec889d1ae024ac3227d424e258bf1bc227281ce2a1
SHA512542a546d5444368ca3c47b3b6d6dcecbdc84ad4ed615562794b7d48622198b2a2c2a7973de4bf05bf75fe50df2e2f2b00bf601045a6cb2278684f839dbd271a8
-
Filesize
34B
MD512275f46db968e27e4edb23a4517904d
SHA11bd41f5f55dc8532c45c5ed91bd0823deabe3d3a
SHA2560b9769e63620205002586d7dbefa19d6c3573ffa65bc86eb49113ec271feea4a
SHA512084364c331be5c6b8c537a6c56b732ccdbb45f0d74a1e0ed89ac195e9ae43e15f15c953e3ed188990f0abb7e0e6456fa4b6b34562a02c180f7c061a7728c8b66
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
249B
MD5ea2c1a62e3a4f18a21499dc442fe80bc
SHA118ff63e3a4f67050d7e6dfafefdc242736659cf4
SHA2567a4a4ccc7ec447311168d9cf84310971469579b889b16eab7305c8dc6370d1b3
SHA51296bd582ee5a9a268a6c3fe61fa043aa479d6db3daeed5a9ef6eb7ab75a529384108ec33a381a0ff8ca22ebb7a11175ad065c9c006d4756d55efa6a7225b046cf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
Filesize118B
MD5799ec7fe3eea5adb74029f4b64b291e0
SHA1aa50caa4f5631ee0d6f6ccbb3a6ed3e36482f11b
SHA256a8f16494d87c4a3b9292d978a0a75d60c6672e96dba1d92d659b6b8267b89f13
SHA5120e28235a8986a3722ab5b118f9c15773819cf71441abef7c36902da65a6662e31d061bedce9d8409eb63de33647a637aa9efb5660f97cb20574a584fb23ec797
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
86B
MD5f732dbed9289177d15e236d0f8f2ddd3
SHA153f822af51b014bc3d4b575865d9c3ef0e4debde
SHA2562741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize32KB
MD51220f51966383ee5a7bcd16a5fe0c987
SHA1b0e4c23a819230ba1c6ce97497007eb6cdad1118
SHA256d73aa2931c36e1f6f25b59836ea003da5e31a65ef3790aac12a8c98173b20145
SHA51209d5cabca6b9048a6c23975aabe02b1e18a79ef163bab66036ef0f053d1d9c429539598c7a9b04f2734dcbe44da5fae606192fd41ffe055c194617a1d7e0f617
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
409KB
MD54ea576c1e8f58201fd4219a86665eaa9
SHA1efaf3759b04ee0216254cf07095d52b110c7361f
SHA256d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f
SHA5120c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494
-
Filesize
3.0MB
MD52b918bf4566595e88a664111ce48b161
SHA1e32fbdf64bb71dc870bfad9bbd571f11c6a723f4
SHA25648492827286d403668996ae3814b2216b3b616f2fb4af2022bf3d2fc3f979a26
SHA512e3d58adbe13befe91fb950cc52b16d6d2fcb8f6d65bab4020222713207b07ce78b76e2e2532cf3de23149e934ba1e1cb9046a95a18424a668bfa4a355af6f44a
-
Filesize
1.8MB
MD595a269acc2667e85ec3c67f5f76e0fe5
SHA185b4c01a1f5a65cfe084165bbba00493a74b6a1a
SHA256d8bf15f010a88817bfff05c7df61fba23676d5fe4d3a8deb5073fc7fa5255a3c
SHA512be24721f2eec1b3240837a1d42030d58de00cbcd66d6db183a11d3f00e2829859b4813b1a6bcdffcba0c7352975618df95212e723d0bb65a0c360dd8fd1a20dd
-
Filesize
1.7MB
MD517d580563cbdd3a37f8ef159c70f0b8e
SHA1b0532976bd695b39384aa81d89b54fbde900b778
SHA2569bba12864f0e8b64600e4252b589fd4f1f0b0339ecde4bc1c130a0d96945ffa7
SHA512784fff522205ce44534474cdb26c7b456aeb6e2c42e4de96b3d5f6b4a36a0d329cf05a847f0a292979aaa09935fc9445390063faca4f0f492ee61ade0540f775
-
Filesize
901KB
MD502efc01b5599a6e5f021767a6a16deb4
SHA12eb11d0ed62d8ab3f51143e8e69dad6f596379b8
SHA25603dff2a3ef928cc73243dea6e2b426c14c4889b47a169d4820b1dbbb053c9613
SHA51277f956502bb7ba33d50934668b808e4914a14e28f2f7a534669c2af705d8baac6e11b247cea77da42a24a6c8944cfd12801fe0c0f362d06ba97d45e113b00077
-
Filesize
2.7MB
MD59dea695dfad32ec439d077eb815b0b58
SHA13d817569c6fbcb0757ec47d97492f2a5fa2d2b08
SHA25610a4bfdc91b931d5ed67c58f8db81ca7d3560da9bdd41f7a39b19617a7581ad8
SHA51258c17aab073e20b7d59f3d5d283a86cb512e64e7e895cf181336f620b6be12d27b531e8aadc9518f4a4e665d780072a78ddbb4845f51e463af8f54db54c1c0da
-
Filesize
4.2MB
MD58bbc0ba3f7e3de90ec5e840675fb4312
SHA1d55c0017d44c6f92dab0a4590239633ae0d39c6d
SHA25661b556e5d3b3f6005b4d8074e31cb3b3fd99a285b62e8f141c5ee52bdfeb9e44
SHA5126a6fe43be875d44235b09f4b64fe54a0e3a2c426b314f236291c46f614774ebd3151ece273601f626c684a89138e452b713250d118f954694fef866775f740f6
-
Filesize
132B
MD527b9f35dd5e29794e0f254d4006f6fa4
SHA195496ffd85e8e55f57832b24c90a900d3cc96b26
SHA256ca3bd2725a493554e081ea2c5528c7f134edad6374e2747e27230f112cec7f1d
SHA51244dbb780e4e25e3eccc2de8c3edc7b0a4bb18e1f7f9cbbdd046ae74dc4daee526fdc5339864a66eb9d14b48b0871f474fdbe22eb1766eb4e94b0b6460fd5841d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.8MB
MD55fcab4c0e9af5adc2963461bf81e0a5d
SHA1f81122d741b6de1503e7625feea68233ae29f670
SHA2568c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1
SHA5129fb90dbe48aba5ba7ac1e44cc97d5c498d8bb9a4f1fa397c3be1dfc76e1d072a319c13551d56677bcb156a37e8dcb8f464335d9e785c9e262087faa36ac88932
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD555e7e18550abe71941ce129981cf8712
SHA1c5e717f1e950a02bb12c92db2b43edcb0da41ead
SHA2568c5c53341e953fd17e89762eae4decaf988610e177a0fb52f40ee7219aff5f04
SHA51269e90b3c7893e116cf57026d32a6478d7c142c85bc36040968a3cfd298a295d125f3496d3bfa881b68c4848b5ed174c21787181ce08921fd0d4f1f22aed1ac09
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD576258d010ae990beb757f2b57e485ce1
SHA1045e8a1922667787594b4fb9ea22011a0a1b527e
SHA256d03802c205fc4c1a8a215c95f9a947d0f4eee0f2ca81bd023706df2809addba7
SHA512c21dc99218903858ff5a25a6cf8675b0bcc32a7fa3e1fde4586bc77f6dc8551b6106e06946cdcaf24706edfb9b7b511ea8c6efd3c68a4ddb01d6b5380f5ea3cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\828f5de5-e84d-4b20-9d31-62b9d9dd1c42
Filesize733B
MD592fa71c9ace5d079c825337329ae7a58
SHA171d074fd246f4222dc3013657c9714a321c24bb4
SHA25621d0d8e71584e37e1ca6d3cc4736a9486f6127ef85b4536f7d0ad316112785b2
SHA5126d4c0f6643480c7b51434b6a5368dbd13d0622a372fc73f7dd99db5f93a0474028163816797ad97113dd490a370ba67964e81087f7e0ce1962d7f00f9e5fe111
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5aaf15230dd3207778396ca062ea4687a
SHA1d85801bd850d35480c87919ee353e7fc37cdb061
SHA256172bc477d560c44d3fab583aded4908c66eaee8a9ab9d9cd516182482a2620e9
SHA512ec7b5584a571b66e9ace336746e260b7d1572cf1317b1fa314450660fb35bcd75d278dd92d218356435c4c4b5f58451c99bc36488159e2bda303ebf942da27b8
-
Filesize
6KB
MD5770d897571dc77a7ba26ac45038ef94b
SHA1277f6652712c492eaa233954359f8530f30c9bf9
SHA2564795a62198540cf3fc756350d8d374ddc700d8a3935e97b93783e59b78a4d82b
SHA51291a2a0f683a5ae45bb1f87ca3797b922166f28bc63cbb7733b903b2fbc7daae5404b12ef553b56798e0f52490422285f8ff4510c63096e579aec7847f0f91f1a
-
Filesize
7KB
MD55dd21811022ba4369553bc9ce6fece7f
SHA12ca1e4b3fefb438f39a59d8245da2b1ec1b1d0d9
SHA25689e8d2fdf621980ab2511f8fb3a5dc0fd371125b7b34e1295267eb45194afc2a
SHA5120d55fb9d688365f25bbde32038c523ec8b51332352603912c5808da6b02107e477655841dc8777197185dd68dc0a9b3ffb8b07dacddadbfc72609c322f038bf3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD521418f07f5ba9ef0be4956d5d15b788a
SHA1c5d57e5ef210d7a4d34af9eee14ba9f140896a3f
SHA2569daa6c7e3400615a4d4d6c5c6d545974dfe074dac3d827b23f06a73920e54fd0
SHA512a758acfb88639576eee65e85da493d0d10f4b0c4b9d775795f21a55fc7234c8b8d0a5ee37084c1c8ba7634aeb30cd293a2d752bac0407c9b1bf7b47d47c064dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD5a2ca78b16cf94e9a62f39d521dc3467a
SHA115f9f181888c294ab6b51bafc9f239cdf8a1807f
SHA256883d65b0a2b07d285a80b8077ef779c17290db8e75db3f800945981ee479ff29
SHA512d2f5680ffe629e4b47356bfe070848c0a2f2ef96c85b2974c2c365d2af4ef47f6cf0e07218a55384c4f78c99eb5c75d309ed8685f85a879422fee5326588348b