Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2024, 01:36
- static task: static1
General
- Target: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe
- Size: 1.8MB
- MD5: 5fcab4c0e9af5adc2963461bf81e0a5d
- SHA1: f81122d741b6de1503e7625feea68233ae29f670
- SHA256: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1
- SHA512: 9fb90dbe48aba5ba7ac1e44cc97d5c498d8bb9a4f1fa397c3be1dfc76e1d072a319c13551d56677bcb156a37e8dcb8f464335d9e785c9e262087faa36ac88932
- SSDEEP: 49152:JqJPRWVSRuI1dPbV3CrNFVPkTXoM2DWizFoBI4B:8JPqsuIjPorJPdzzFoB
Malware Config
Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted: lumma
Extracted: stealc
- mars
- http://185.215.113.206
- url_path: /c4becf79229cb002.php
Extracted: lumma
- https://blade-govern.sbs/api
- https://story-tense-faz.sbs/api
Signatures
Amadey family
Cryptbot family
Detects CryptBot payload (1 IoC)
CryptBot is a C++ stealer distributed widely in bundle with other software.
- resource: behavioral2/memory/1000-730-0x0000000069CC0000-0x000000006A71B000-memory.dmp; yara_rule: family_cryptbot_v3
Lumma family
Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (Process: 160554b75a.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (Process: 160554b75a.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (Process: 160554b75a.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (Process: 160554b75a.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (Process: 160554b75a.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (Process: 160554b75a.exe)
Stealc family
Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (Process: fcf64cfd4b.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: skotes.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: 3b9e2cfe02.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: fb01a898f3.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: 160554b75a.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: fcf64cfd4b.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: skotes.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: skotes.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Process: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe)
Downloads MZ/PE file
Uses browser remote debugging (2 TTPs, 1 IoC)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- PID 6984: chrome.exe
Checks BIOS information in registry (2 TTPs, 16 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: 3b9e2cfe02.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: fcf64cfd4b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: 3b9e2cfe02.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: fb01a898f3.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: fb01a898f3.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: 160554b75a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: 160554b75a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: fcf64cfd4b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: skotes.exe)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (Process: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (Process: skotes.exe)
Executes dropped EXE (8 IoCs)
- PID 1020: skotes.exe
- PID 4908: 3b9e2cfe02.exe
- PID 2936: fb01a898f3.exe
- PID 2700: 6ad795b014.exe
- PID 5920: 160554b75a.exe
- PID 1000: fcf64cfd4b.exe
- PID 6840: skotes.exe
- PID 6724: skotes.exe
Identifies Wine through registry keys (2 TTPs, 8 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: fb01a898f3.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: 160554b75a.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: fcf64cfd4b.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: skotes.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: skotes.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: skotes.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine (Process: 3b9e2cfe02.exe)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (Process: 160554b75a.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (Process: 160554b75a.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3b9e2cfe02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009469001\\3b9e2cfe02.exe" (Process: skotes.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fb01a898f3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009470001\\fb01a898f3.exe" (Process: skotes.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6ad795b014.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009471001\\6ad795b014.exe" (Process: skotes.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\160554b75a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009472001\\160554b75a.exe" (Process: skotes.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
- resource: behavioral2/files/0x0007000000023ca8-68.dat; yara_rule: autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
- PID 1488: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe
- PID 1020: skotes.exe
- PID 4908: 3b9e2cfe02.exe
- PID 2936: fb01a898f3.exe
- PID 5920: 160554b75a.exe
- PID 1000: fcf64cfd4b.exe
- PID 6840: skotes.exe
- PID 6724: skotes.exe
Drops file in Windows directory (1 IoC)
- File created: C:\Windows\Tasks\skotes.job (Process: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe)
- PID 1884: powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
- PID 3844 (target PID 4908): WerFault.exe, procid_target 91
- PID 1636 (target PID 4908): WerFault.exe, procid_target 91
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: skotes.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: fb01a898f3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: taskkill.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: taskkill.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: taskkill.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 160554b75a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 3b9e2cfe02.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 6ad795b014.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: taskkill.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: taskkill.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: fcf64cfd4b.exe)
Checks processor information in registry (2 TTPs, 16 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (Process: firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: fcf64cfd4b.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (Process: firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: fcf64cfd4b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (Process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (Process: firefox.exe)
Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: msedge.exe)
Kills process with taskkill (5 IoCs)
- PID 764: taskkill.exe
- PID 4836: taskkill.exe
- PID 2908: taskkill.exe
- PID 788: taskkill.exe
- PID 4672: taskkill.exe
Modifies data under HKEY_USERS (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (Process: chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771450113065695" (Process: chrome.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings (Process: firefox.exe)
Suspicious behavior: EnumeratesProcesses (42 IoCs)
pid Process 1488 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 1488 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 1020 skotes.exe 1020 skotes.exe 4908 3b9e2cfe02.exe 4908 3b9e2cfe02.exe 2936 fb01a898f3.exe 2936 fb01a898f3.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 5920 160554b75a.exe 5920 160554b75a.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 5920 160554b75a.exe 5920 160554b75a.exe 5920 160554b75a.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1000 fcf64cfd4b.exe 1884 powershell.exe 1884 powershell.exe 1884 powershell.exe 5368 msedge.exe 5368 msedge.exe 5752 msedge.exe 5752 msedge.exe 5640 chrome.exe 5640 chrome.exe 6840 skotes.exe 6840 skotes.exe 6724 skotes.exe 6724 skotes.exe 6176 chrome.exe 6176 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
- PID 5752: msedge.exe
- PID 5752: msedge.exe
- PID 5640: chrome.exe
- PID 5640: chrome.exe
- PID 5752: msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeDebugPrivilege 4836 taskkill.exe Token: SeDebugPrivilege 2908 taskkill.exe Token: SeDebugPrivilege 788 taskkill.exe Token: SeDebugPrivilege 4672 taskkill.exe Token: SeDebugPrivilege 764 taskkill.exe Token: SeDebugPrivilege 4428 firefox.exe Token: SeDebugPrivilege 4428 firefox.exe Token: SeDebugPrivilege 5920 160554b75a.exe Token: SeDebugPrivilege 1884 powershell.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 
chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe Token: SeCreatePagefilePrivilege 5640 chrome.exe Token: SeShutdownPrivilege 5640 chrome.exe -
Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process 1488 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe -
Suspicious use of SendNotifyMessage (64 IoCs)
pid Process 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 4428 firefox.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 2700 6ad795b014.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5752 msedge.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe 5640 chrome.exe -
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4428: firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 1488 wrote to memory of 1020 1488 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 83 PID 1488 wrote to memory of 1020 1488 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 83 PID 1488 wrote to memory of 1020 1488 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe 83 PID 1020 wrote to memory of 4908 1020 skotes.exe 91 PID 1020 wrote to memory of 4908 1020 skotes.exe 91 PID 1020 wrote to memory of 4908 1020 skotes.exe 91 PID 1020 wrote to memory of 2936 1020 skotes.exe 105 PID 1020 wrote to memory of 2936 1020 skotes.exe 105 PID 1020 wrote to memory of 2936 1020 skotes.exe 105 PID 1020 wrote to memory of 2700 1020 skotes.exe 106 PID 1020 wrote to memory of 2700 1020 skotes.exe 106 PID 1020 wrote to memory of 2700 1020 skotes.exe 106 PID 2700 wrote to memory of 4836 2700 6ad795b014.exe 107 PID 2700 wrote to memory of 4836 2700 6ad795b014.exe 107 PID 2700 wrote to memory of 4836 2700 6ad795b014.exe 107 PID 2700 wrote to memory of 2908 2700 6ad795b014.exe 109 PID 2700 wrote to memory of 2908 2700 6ad795b014.exe 109 PID 2700 wrote to memory of 2908 2700 6ad795b014.exe 109 PID 2700 wrote to memory of 788 2700 6ad795b014.exe 111 PID 2700 wrote to memory of 788 2700 6ad795b014.exe 111 PID 2700 wrote to memory of 788 2700 6ad795b014.exe 111 PID 2700 wrote to memory of 4672 2700 6ad795b014.exe 113 PID 2700 wrote to memory of 4672 2700 6ad795b014.exe 113 PID 2700 wrote to memory of 4672 2700 6ad795b014.exe 113 PID 2700 wrote to memory of 764 2700 6ad795b014.exe 115 PID 2700 wrote to memory of 764 2700 6ad795b014.exe 115 PID 2700 wrote to memory of 764 2700 6ad795b014.exe 115 PID 2700 wrote to memory of 696 2700 6ad795b014.exe 117 PID 2700 wrote to memory of 696 2700 6ad795b014.exe 117 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 
firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 696 wrote to memory of 4428 696 firefox.exe 118 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 PID 4428 wrote to memory of 3084 4428 firefox.exe 119 -
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1488
  Level 2: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1020
    Level 3: C:\Users\Admin\AppData\Local\Temp\1009469001\3b9e2cfe02.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1009469001\3b9e2cfe02.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 4908
      Level 4: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1628
      - Program crash
      PID: 3844
      Level 4: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1628
      - Program crash
      PID: 1636
    Level 3: C:\Users\Admin\AppData\Local\Temp\1009470001\fb01a898f3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1009470001\fb01a898f3.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2936
    Level 3: C:\Users\Admin\AppData\Local\Temp\1009471001\6ad795b014.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1009471001\6ad795b014.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2700
      Level 4: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM firefox.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4836
      Level 4: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM chrome.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2908
      Level 4: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM msedge.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 788
      Level 4: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM opera.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4672
      Level 4: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM brave.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 764
      Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      - Suspicious use of WriteProcessMemory
      PID: 696
        Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4428
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9816a231-cc4b-4a5f-9912-d1191cb10e2c} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" gpu
          PID: 3084
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2360 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfb301cf-ec32-4c90-82d0-e89916ff67a1} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" socket
          PID: 5052
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -childID 1 -isForBrowser -prefsHandle 3636 -prefMapHandle 3592 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b704be6-9faa-4805-869f-050c23742f0e} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
          PID: 2636
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3856 -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3488 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73b13b40-a6e5-44a7-a52c-f6bb239afd88} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
          PID: 2256
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4700 -prefMapHandle 4696 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {573c1b38-623c-417b-8e97-37adc0e092cf} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" utility
          - Checks processor information in registry
          PID: 1336
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5504 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49683b08-67c8-44eb-96e3-0f9b391250ed} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
          PID: 5696
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b532e0f3-d98d-49bf-af66-f01ce8c88cdc} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
          PID: 5708
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5872 -prefMapHandle 5876 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef83a3b2-8efa-4add-8b54-7f895535ca9d} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
          PID: 5720
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 6 -isForBrowser -prefsHandle 6284 -prefMapHandle 6288 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb57b64e-ec08-41bb-8930-6278616b05d7} 4428 "\\.\pipe\gecko-crash-server-pipe.4428" tab
          PID: 2352
C:\Users\Admin\AppData\Local\Temp\1009472001\160554b75a.exe"C:\Users\Admin\AppData\Local\Temp\1009472001\160554b75a.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920
-
-
C:\Users\Admin\AppData\Local\Temp\1009473001\fcf64cfd4b.exe"C:\Users\Admin\AppData\Local\Temp\1009473001\fcf64cfd4b.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1000 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
PID:6984 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa1fa4cc40,0x7ffa1fa4cc4c,0x7ffa1fa4cc585⤵PID:6992
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1009474041\EO1w7lf.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5640 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0x80,0x104,0x7ffa1fa4cc40,0x7ffa1fa4cc4c,0x7ffa1fa4cc585⤵PID:5672
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:25⤵PID:4980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1780,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:35⤵PID:2756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:85⤵PID:2720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:15⤵PID:5416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:15⤵PID:3480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:85⤵PID:6368
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:85⤵PID:6512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4684,i,727855280482090997,14028089180005309920,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:6176
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5752 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa110f46f8,0x7ffa110f4708,0x7ffa110f47185⤵PID:5856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8607787773494904918,16592997806653248135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:25⤵PID:5408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8607787773494904918,16592997806653248135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8607787773494904918,16592997806653248135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:85⤵PID:848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8607787773494904918,16592997806653248135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:15⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8607787773494904918,16592997806653248135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:15⤵PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8607787773494904918,16592997806653248135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:15⤵PID:5256
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵PID:6032
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
PID:396
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4908 -ip 49081⤵PID:4628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4908 -ip 49081⤵PID:1140
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3556
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4012
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:6132
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:6428
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6840
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6724
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Modify Authentication Process (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Authentication Process (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (3)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 40B
  MD5: 9e930267525529064c3cccf82f7f630d
  SHA1: 9cdf349a8e5e2759aeeb73063a414730c40a5341
  SHA256: 1cf7df0f74ee0baaaaa32e44c197edec1ae04c2191e86bf52373f2a5a559f1ac
  SHA512: dbc7db60f6d140f08058ba07249cc1d55127896b14663f6a4593f88829867063952d1f0e0dd47533e7e8532aa45e3acc90c117b8dd9497e11212ac1daa703055
- Filesize: 649B
  MD5: 0862aaa2f9f98a4cb4aecbf347f8b4b4
  SHA1: 93f48a2aec0a8fba54fd149ec170e14945e21985
  SHA256: 1581b0f638e128700761dcd8acc0c7b7ebbcb3f2d7f570f4812fcb4469118117
  SHA512: bd202a39c0a43d62d648dc9b1d21997e34477497131702516da185b8c4c16d07143d91c5bce570521fc7505fe95ff119c7a91ca17b9e5603542c4b316f21faf7
- Filesize: 264B
  MD5: 6a134cd1c671a286e3bf42146efebb9f
  SHA1: 6aa913a365686d8386bc45c2afe696968efc81ed
  SHA256: 50d1588ddccfe8af160e2af6d567c92e22c7ec2d6bf3881e45431b1b66cb3d18
  SHA512: a429d6a587c9afff3690302f41ea510e9eddc7631f025317dbcebe395401d4b13d86c4b1e02b2dd8c84358f594632c7c3193b3942c03fd3a0d86a87ead33c447
- Filesize: 3KB
  MD5: 9ac36d5367c14c8e63f14a56e0cf81e5
  SHA1: c2f88235b8c5f49d6e197cd311428fccd077c3aa
  SHA256: 7ebe900a130e2dd8ec8c136ea3148d308feee3ebfd5fe576709a3c4e06f6b2bb
  SHA512: e5fb382b8c5a3f686f4c97e6ed6fdafe9b99c7184392cb1e4557227656c00fbac9a3b5e18a15b32cd6c6dedda56d09f87a48b44a3e2b2948e450418c3afb3002
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 692B
  MD5: d83ee1f14bceab10db8288f7d2d4f960
  SHA1: 2ee6d254fe1f7b26c9ce9cc54c55951a02439804
  SHA256: c3403f32c58bc57c2b4b779240a6e4c11ef7e6d2dde1b785cad2c8148477d2ee
  SHA512: 65780db673c9e69b6cc9a663ac038a7aecd11c4870179c5017769467e7206dc4399ed2309f3ef9e0dd8ee056d8c9103449792655bc3c2fbbd9ab874fd72a5c49
- Filesize: 9KB
  MD5: 4e4eda16cbae6728fd9c06b98998cb0d
  SHA1: 8a4ded379e626266d06b9ed3d9ff8caff20c047f
  SHA256: e176d49431dbda5f6018b412487c79aecd0b9d18d5ec9efc43ca54d60ee55709
  SHA512: 66014f5fa0d7f1d69b23a78d8945c41e0975f2106faaf8c1676661835d690264fb9f113afa9bdfca550870a58bfcb3865a7ad7055ece0ae5caad8b3bf2880d58
- Filesize: 9KB
  MD5: 86e7495a2807e85f2a1b88ca6f9e7819
  SHA1: 63db5cf06989fc3369a3d90cbc3f981ddef4a252
  SHA256: 3baf24fbff51c486d2e871055de2098889a1e0bcec8353ba3ca5f1cde81bd774
  SHA512: f164e263461034da7303f7581e2e96d207e4be92d145b28bc231b950af3bacdabd7699236ffbeffc48ddb86a98ae2222b600e1649f50a74ba5d34a301a581335
- Filesize: 9KB
  MD5: 1afcd220707badd767513f0930a1922e
  SHA1: c0106a6435b037f8184e04829b411d0881db40d0
  SHA256: d69b074aad6dd5c4ba53662ea30c10ba268900965bdebfaf2844f5ea999ddbc6
  SHA512: 5854cb9aeac5ba4ad8b3c4eeeff844d481771277c03e13d7c4dba8e3f3e3870187c071b1eb1391b387aaf8c3fc7b322cb44c09f9da16447daac5ff0e4305ef11
- Filesize: 9KB
  MD5: 1e2d672a9cb50923c0a4cb805b9e6ff5
  SHA1: 7b7d03ac8a2b4db08a32dbc2ac462d592789bd3a
  SHA256: 895288c67491c351b081458f53e05114e5a941ff95eca4881960e89221cf7147
  SHA512: 3fa99c009e52e4206a1b3c486389f0c5989763ab51706db4eb6a8514f9139037b03ab81045c6ba403dc344022644413586a25738e11d304f057efa90b3c01396
- Filesize: 9KB
  MD5: d5c799d6625379dcfed48f480ad5d035
  SHA1: fc8732e2203152b4c157a6b7ff332b8fe30040a7
  SHA256: 88cb279065e1c88223430a14578f1b6e3fde39e3815a2590f6ed8dda56fb6eee
  SHA512: 1b64b4305a77e69f7bc3c10f137bee8a403ca0426a3cc9b20680ea105de4b6d0acb000ebc5d07dfeda714af50907a4979945785c3a6234120bee7bb52934f8a8
- Filesize: 9KB
  MD5: 1c43c8d0b3b42cb217eeae3dfbcb03ed
  SHA1: f8226a2d6174404d2441148b736254f04915351d
  SHA256: b23d879bdb86c2d002e401ce3ea023930b43517be2bf02ac3fe3df5f6abadd17
  SHA512: cec442440549dec88d596405f09eda1c24fa83e61739eceaa342f9dd8973519e71219e7131f0f32746bb2b3127a41d8e2b3b927d087cee14a29d732093aad665
- Filesize: 9KB
  MD5: ae803d7e3ca14bcdb5330c963648c16c
  SHA1: 730bb3c80f023d2c792148a39179c50bac46e4fd
  SHA256: 9d44c809b03041e3fb119e9637f2d1905cbd67d74bb86e16be165316dfe2a889
  SHA512: 0ad94a42d247e7c6af02efb565fde77d71c0824a2756fbb46bbc8f7619a8314e58dc59bb8dd4df89a0e534140538bfb666a408302379e43b996c25c878152626
- Filesize: 9KB
  MD5: fc2a287381d972280b72218c389c0fdc
  SHA1: 423d8da709accb95b23e1e7ec6237524235398f2
  SHA256: b9a66fd7248304d328fa9f4da94a6e5ed0aacd5eb8423ffa9cbe840822a3a3d6
  SHA512: 790289c704f9192fbbded4cf26f597caa3ee79ee45e122c961d8c20cc3a4cd88f0e8f1c0bea973e6cd8597a2cae7a46a3ec26f241f82f416166e5fdbdbd47c2c
- Filesize: 15KB
  MD5: 8519c6b3e88ec1ef7191e384a7ca07d9
  SHA1: bb8a1759557e027d239a967da07d56b2f2525f6b
  SHA256: 0fa89f3543d66943396585afd9ab64c4b5728548574f9858a06c669daaad0eab
  SHA512: dfcf46db90784d22c5ef4443db4d0cc99b15c9730fc539eb44018587346b8aadc1918379c63e1f5393a23920f832eee0adefc1bd9faa072e00f147d28425065f
- Filesize: 234KB
  MD5: e775f319cafaee716690fe747d1fb562
  SHA1: 47cb5cdaee0d2283f5197440a3fc3e55ebd14d6f
  SHA256: 72352fc7809cb869c2659c874b5bc445a127462ab498644fde4abfd9a55f4932
  SHA512: b13037848bc1d122badee000aef500c5430c8583c8dc186290b8432f5c10a224862b15ee2dea988a62cbb59a5348cabe7bbacb2f39ec2f2f1cb63ce546a149ce
- Filesize: 234KB
  MD5: fdf1b076d82e49182a20f668dfbbb405
  SHA1: 256813c36aa62260ba3223bf49e1b7b408fd4629
  SHA256: 231306e265922da2b70ec1249417c8e9eb4b2f3c507236657f86dac47bc63372
  SHA512: f4d2171d39ca393d0de2fc8cc8496e0e28a3e669e361da2ff51b1c0dd42cefe7478977efb10528e2203a6ccbf6df4de590f61e27a2bcf7c14f80d2efda5a98e8
- Filesize: 152B
  MD5: d22073dea53e79d9b824f27ac5e9813e
  SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
  SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
  SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
- Filesize: 152B
  MD5: bffcefacce25cd03f3d5c9446ddb903d
  SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
  SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
  SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
- Filesize: 31KB
  MD5: 032ec36c68025cd1a817e42f2059b6ed
  SHA1: e022fc7e86003c8ac7a939db8e87db6878ab4685
  SHA256: 00bf656b4b80cc7f8d7be1cc8d1990726f3dd11a10987c9d2cc7da792c3820fc
  SHA512: a741915a843cb0ccdbc2b4daec75c4ccbac7524266086b7bce9005524300b7049f1506f3cf714066c72918dad34258380a88d34c895ac60f1727afcebfe5e80d
- Filesize: 38KB
  MD5: cb5a611c29e54b35700e15ee1b2b2324
  SHA1: 0ea9a7477f90bb5bdb5be8462ba84bd479cc62da
  SHA256: f728e6672ebc5b9c31aba1caa0d93bbebd3e210522d411956e99f24d25e70b7f
  SHA512: 94e0fba97ebe61f099bf2231459b484f2c358b5a94a4304be70cae6e7be52af007d315f4da191d169e02874ee7624a74c71e0eae879228680e66092e93f5b657
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 216B
  MD5: 16a79bac14174c3207c5a10d9f7a24b6
  SHA1: 3c1911ce49cdcdc0d17871e8e9f29bd2bc148f11
  SHA256: b66083a474e46c54996b2bbfe535a317719e46dfe0470e572bfceed56cf1a8d6
  SHA512: 8b6d7986b2642ba24a55a4a78c02a10f219841aa0fa84ad75c6107d5dca01eaf913a958fa1c45b041e37a0ec29cf949a96de55d87116a798b459ea3c9fad65c4
- Filesize: 1KB
  MD5: 0be381577bb0e869dde587e5755b70a0
  SHA1: 2e16cf55ad7dc3a155c88d12c3a8686409a471b9
  SHA256: ba5635839c805d80a55f427eb2406937ad009509504bbc2554beb975f70c5cf2
  SHA512: daa1ac0cd2e578aede5b4918deb7aa9c7a651592953b18e6e00a3111fa1db7d4eaf023aeecf30fbbe7197a09ffc98d1b33e33418e842d66f1c9f9be43b6dd90d
- Filesize: 5KB
  MD5: 506cffb2c9d5884466f8dc507da5ff63
  SHA1: 33d63a4a82b600124abfbf0cad47a63634585caf
  SHA256: 5a8216296bbf73894a217f497cb7f0775baa10a8a8fd5784176530db540fd5dc
  SHA512: 8e140727cd6ac98e0edc5e2c8c938c59a3215dbbf3e93a50af083c56f2e7f8d14ac682672778ef0754b92e32453a9d17abf77bbc21af48b304ebc2c6651f32af
- Filesize: 6KB
  MD5: 6311698c21d295bdee969366af934696
  SHA1: f496c019e39299a4913e67ea5799b6ba683bb721
  SHA256: 703842ae4c7ab14bfd8d4df553fff3598b5886bc1cfd0e0c5e08b7f560d4afb9
  SHA512: 596d1f5e917e5e99037ec1a1a6fb9170ef9002abfd16085273491fade6068bcdb8771ac68f535e05779ee455d8aa5c12e306f7f94495ba862c0eb23127742a74
- Filesize: 10KB
  MD5: 97b7516ec9c7e498812a8fffccd46f06
  SHA1: 2dab63020bdb628262ec2eb6dba9b31d56ab23bd
  SHA256: 5ac68fb1bb21e9373b133043fecf2a54678dc2acaefe27ee3a2f36993ae7a5f0
  SHA512: 3aabb406b725a29efab3fd26b7655c00e38e2c5b60312fbbe1d381cf7355b47a5d170b27cdd2cb48279bf2c823a0bd53ebaa7d2e2f1c827158b68ac653e1f34f
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json
  Filesize: 28KB
  MD5: 41eb1b68e1fcc9beb1166781b83ffd9c
  SHA1: ef0c3f7890d03d98b4f186f1b0efc704ba3175d7
  SHA256: 39b6234aa85e37e9d54fc5e3e3cc82aa1f593e8403b702bdc2a64f854bd20225
  SHA512: 22cc2c5b0e821683592a23d51586f91dcca71dd0961343f3731394e7df8f80cc36b4b34e01b3b29c79263321f5007b317aaea09411c755260f73b7dce1fc9772
- Filesize: 1.8MB
  MD5: 95a269acc2667e85ec3c67f5f76e0fe5
  SHA1: 85b4c01a1f5a65cfe084165bbba00493a74b6a1a
  SHA256: d8bf15f010a88817bfff05c7df61fba23676d5fe4d3a8deb5073fc7fa5255a3c
  SHA512: be24721f2eec1b3240837a1d42030d58de00cbcd66d6db183a11d3f00e2829859b4813b1a6bcdffcba0c7352975618df95212e723d0bb65a0c360dd8fd1a20dd
- Filesize: 1.7MB
  MD5: 17d580563cbdd3a37f8ef159c70f0b8e
  SHA1: b0532976bd695b39384aa81d89b54fbde900b778
  SHA256: 9bba12864f0e8b64600e4252b589fd4f1f0b0339ecde4bc1c130a0d96945ffa7
  SHA512: 784fff522205ce44534474cdb26c7b456aeb6e2c42e4de96b3d5f6b4a36a0d329cf05a847f0a292979aaa09935fc9445390063faca4f0f492ee61ade0540f775
- Filesize: 901KB
  MD5: 02efc01b5599a6e5f021767a6a16deb4
  SHA1: 2eb11d0ed62d8ab3f51143e8e69dad6f596379b8
  SHA256: 03dff2a3ef928cc73243dea6e2b426c14c4889b47a169d4820b1dbbb053c9613
  SHA512: 77f956502bb7ba33d50934668b808e4914a14e28f2f7a534669c2af705d8baac6e11b247cea77da42a24a6c8944cfd12801fe0c0f362d06ba97d45e113b00077
- Filesize: 2.7MB
  MD5: 9dea695dfad32ec439d077eb815b0b58
  SHA1: 3d817569c6fbcb0757ec47d97492f2a5fa2d2b08
  SHA256: 10a4bfdc91b931d5ed67c58f8db81ca7d3560da9bdd41f7a39b19617a7581ad8
  SHA512: 58c17aab073e20b7d59f3d5d283a86cb512e64e7e895cf181336f620b6be12d27b531e8aadc9518f4a4e665d780072a78ddbb4845f51e463af8f54db54c1c0da
- Filesize: 4.2MB
  MD5: 8bbc0ba3f7e3de90ec5e840675fb4312
  SHA1: d55c0017d44c6f92dab0a4590239633ae0d39c6d
  SHA256: 61b556e5d3b3f6005b4d8074e31cb3b3fd99a285b62e8f141c5ee52bdfeb9e44
  SHA512: 6a6fe43be875d44235b09f4b64fe54a0e3a2c426b314f236291c46f614774ebd3151ece273601f626c684a89138e452b713250d118f954694fef866775f740f6
- Filesize: 132B
  MD5: 27b9f35dd5e29794e0f254d4006f6fa4
  SHA1: 95496ffd85e8e55f57832b24c90a900d3cc96b26
  SHA256: ca3bd2725a493554e081ea2c5528c7f134edad6374e2747e27230f112cec7f1d
  SHA512: 44dbb780e4e25e3eccc2de8c3edc7b0a4bb18e1f7f9cbbdd046ae74dc4daee526fdc5339864a66eb9d14b48b0871f474fdbe22eb1766eb4e94b0b6460fd5841d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1.8MB
  MD5: 5fcab4c0e9af5adc2963461bf81e0a5d
  SHA1: f81122d741b6de1503e7625feea68233ae29f670
  SHA256: 8c5f58b2abcbb73f05d0d96bc1dd056bce130ce4f3209cfe02529b6b03ef86f1
  SHA512: 9fb90dbe48aba5ba7ac1e44cc97d5c498d8bb9a4f1fa397c3be1dfc76e1d072a319c13551d56677bcb156a37e8dcb8f464335d9e785c9e262087faa36ac88932
- Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
- Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 7431372e742a088a258e35c4c3eba9b8
  SHA1: d895aac56b4a59417920056b4d801fc528255b06
  SHA256: 56d3b8cafba67ca756aa8157eeec5afd6800eba04e9a96a9e2159b207a4c4490
  SHA512: 0a9db765efbf2f45a20cd9f81a53db3fa7b83535be5cfdbcd28560c9084adc40db49c6d6601537b95f2192238d091a887f57860685bdc3cd626aa8c767dbbd3a
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
  Filesize: 12KB
  MD5: a49078ac545075f1d0d21a06f6730b05
  SHA1: 1658dda57f63f057da48af49da9fcf33353ff9f1
  SHA256: 93b5acb28a16d296d91d968e42f8220833e5cb7590378b950bb89930b13248e7
  SHA512: 3afa47186bd6c4b113f8e53f0209ecca12127e0c358a1687ebf653055b02ab25f4d538174a4849d1ae2d92e7fe1249b54e0df5a634204d7b2380c1109fe2b4f1
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
  Filesize: 17KB
  MD5: 7d7b2a35eb22234d4003486e5b332f2e
  SHA1: 9d85d4c41bf0877666e64cedf60856a83ffc0806
  SHA256: 74bb53fe109bd81495457055375acd6c531a72d50d7bcfd41132d524168bc8cb
  SHA512: 7fcaff5c0238338bcf1ed02c287820732f999c46fd852b0eaa169a6152a1b8ff64041be851a23c145aa9af6a1ea10a372d19bb838d7bd17318952d7593e42432
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
  Filesize: 6KB
  MD5: 1c730e4a710bb510299428f8fef03416
  SHA1: 040c8c4577354b529873a277b76609bc17bf0362
  SHA256: a2c5034d5c81f845e47a741e5ea84a03ebe66d89712fedc0950803138a055dd6
  SHA512: 526079b51a42e667f9159b820d77efe28cc4b21243265fef7d639a163bf4b33471ced848030633d94d419d290759ae83b7c24ed913c489337d75b4701de39f0e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 21KB
  MD5: e8e54bde2d83a7fd0d4a3c1f4110ed29
  SHA1: 5c278c149d0e4507c8fdb9c6985a17fb039b1d22
  SHA256: 90a42b2bd6cab24c28990e9699ab0c82a221b391ca95af496454bd8437964999
  SHA512: a41e3aa2541b3f9c3d8a404b118914b8f65a9ee5085441c13a16792ac4b63012640bcd88ad673ed2d985801125e1533007f1050b8053026671d1dcb767493098
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 31KB
  MD5: 38f7fbb836b6da3810dd2b9be67a2a79
  SHA1: 1567e1c4aefe274863564d5761f0cecdff303de7
  SHA256: c0d928d942e54967ace67d0d97bf9eb13fff3fcaf82ffe102b593ddd1c8b4b47
  SHA512: c96550feb295ad0a0d69741b033ac37eb90a6167a02c8ffe3c389a94f3c94f886f9505524beaf082b052d14dc8a0e8d03327a268989d9236219d700077394615
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\7cb918a6-f06f-4d6c-9adf-3929b03d9c45
  Filesize: 982B
  MD5: df9e24a3215024926dc9f975ab64f5b3
  SHA1: 74d2af2088c50e280d79e63623e81b158038dbf8
  SHA256: b744afd0048cc3d5830af7af828adcd83842265edba68b76addef1c228853f73
  SHA512: b0fea5ee3cd1375b8909451b1fc7700801fd90582d1d3b1fe462c7b023c469dc6ce8ec72da876f8f2ecf896af0a81a0b145cb5c7c22058cc6905c8bf6fd7a551
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\f1ce3b17-d2e1-4980-9956-26149830887e
  Filesize: 659B
  MD5: 7d198531f7fae1253c4482aa754db6ab
  SHA1: 61d779d95ef816d394096074f04847ac111ba7cb
  SHA256: 8d1faf6268f9bfaa651f2f2210ae8a6b3871c158691a83f601291e1949b7917d
  SHA512: 46e1571fe984ccafb173d2050f09932a5dc09367950e39c64862c81e0627d67dd1d2d09a140894a1dad63d54efdf3f7ba28423cd9a0c7f8df98422b8920e3661
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
  Filesize: 1KB
  MD5: 36e5ee071a6f2f03c5d3889de80b0f0d
  SHA1: cf6e8ddb87660ef1ef84ae36f97548a2351ac604
  SHA256: 6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
  SHA512: 99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
- Filesize: 10KB
  MD5: bb616235f6ac87cdb0127af31be22e62
  SHA1: b32f09b6fe0bc34145c5f099ed0bf19fa736afca
  SHA256: 95a712d8c80a19069105dc615ae8bf7883eed53cb67d59f30a856411e5646922
  SHA512: 6accc65fa4ed5f7f5ac1c569192626d8b766f8de6fd70376b6a222a82931adc66ea1a5b46ee6443ff7ebb0991f954a5ecac5670cdfadea7b5e48aaea90b53b5a
- Filesize: 11KB
  MD5: c2c1112361e8921a8c6ce4f0aa9a132d
  SHA1: 17305b380802b287ff9c227d3514a047b155e3ee
  SHA256: db4e36ab799e108df22a2e0ca40b7733724c31c94e2162766b70417818443480
  SHA512: 6ce87b996659673591248b83377e53e0b92b18dbbf5f076023a2bb18df700b1c549b657438bea119a250f1dcd5263b28dc332d5247a4e4c8d79891fce0659f4b
- Filesize: 12KB
  MD5: 0529d727acfeeaf84f4c42acebd69ea1
  SHA1: 7a972210e84ce2706c40c9d38b3ce2d698b1e192
  SHA256: be1ce05798795e7c7bbe46c3465498611ac3f895e7e848c51db5b6767480c79b
  SHA512: 25e78aae4ee8ef192f211a06f6d24a41ebebc60cffab87b406f2ae9677327b8fbb8983b9bc252d62ac87fe221e2ef67df9c41746055bfe8f0c8f347b539993bb
- Filesize: 11KB
  MD5: a3cce302f30ab40ac26b9fefde603623
  SHA1: 21dd51207b02d06ef0142f90d5a520800ca703e3
  SHA256: e466323b53e721eadf6726753431ae3ca7068a7b832efdf0edb5e5cc97ed81b7
  SHA512: eb611f0e723ab4cc61ff4c62b810050b53659d5fcbea65c988bd938ef040b0938b06d2ba60822244f88124a761453d0f53f18760ec917989b9911bf09a942fb6
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 1KB
  MD5: 756342d6f600cf0346f8d23a27301e50
  SHA1: bdc51a7fc305bde246603017fbf6aa18e95b8511
  SHA256: 7299a4e7e6969e75db664079cb3090abcd7941414858f1ec68d068c07969c7a1
  SHA512: 3dac22356899ffe2cb063ba5d6d53f47955890e7c95e6c3f4daaf390869317ddc373c2d3e7fcfe338d2fe8ca829babff6a70d7947dce881398d0770a4693f204