Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-11-2024 08:05
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
40fbf66fe2c47dcd8d2de9191b48b355
-
SHA1
eb7260a1cf345b9a225fa6250727db32e391ffd6
-
SHA256
c5723c29a13feb389fd9e72e6e81d914c0693d9846c2810d1d0bad4e3307eb78
-
SHA512
2d4328dea1251bd7694c4f1b42f7bf5efad6b8712364bd42db6f8ba612dffd430b6e4bc158756c5e68d9aa24b0904cdff7ac7fde06cdf2826f062077415d0690
-
SSDEEP
49152:tai5lapixRQLHDfUG2XIBlCE7MFKMM68xbEYGXxhA:gi58iLU32YBlCE7MFld8aYGXj
Malware Config
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://powerful-avoids.sbs
https://motion-treesz.sbs
https://disobey-curly.sbs
https://leg-sate-boat.sbs
https://story-tense-faz.sbs
https://blade-govern.sbs
https://occupy-blushi.sbs
https://frogs-severz.sbs
https://property-imper.sbs
Signatures
-
Amadey family
-
Lumma family
-
Processes:
c0d5371b15.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection c0d5371b15.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c0d5371b15.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c0d5371b15.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c0d5371b15.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c0d5371b15.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c0d5371b15.exe -
Stealc family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
Processes:
2879339004.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 2879339004.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
file.exeDocumentsBFCAAEHJDB.exeskotes.exe2879339004.exe25e9d277fe.exe4d10dc4f99.exec0d5371b15.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DocumentsBFCAAEHJDB.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2879339004.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 25e9d277fe.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4d10dc4f99.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c0d5371b15.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exepid Process 2344 chrome.exe 1524 chrome.exe 1076 chrome.exe 1996 chrome.exe 1564 chrome.exe 532 chrome.exe 2728 chrome.exe 2788 chrome.exe -
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file.exe2879339004.exe4d10dc4f99.exec0d5371b15.exeDocumentsBFCAAEHJDB.exeskotes.exe25e9d277fe.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2879339004.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4d10dc4f99.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c0d5371b15.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DocumentsBFCAAEHJDB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DocumentsBFCAAEHJDB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 25e9d277fe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 25e9d277fe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2879339004.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4d10dc4f99.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c0d5371b15.exe -
Executes dropped EXE 12 IoCs
Processes:
DocumentsBFCAAEHJDB.exeskotes.exeVBVEd6f.exeMesa.comknotc.exeknotc.exe2879339004.exe25e9d277fe.exe4d10dc4f99.exed031a638c4.exec0d5371b15.exepid Process 1400 DocumentsBFCAAEHJDB.exe 2952 skotes.exe 1988 VBVEd6f.exe 2728 Mesa.com 680 knotc.exe 2916 knotc.exe 1148 540 2879339004.exe 3060 25e9d277fe.exe 2992 4d10dc4f99.exe 1732 d031a638c4.exe 1848 c0d5371b15.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
c0d5371b15.exefile.exeDocumentsBFCAAEHJDB.exeskotes.exe2879339004.exe25e9d277fe.exe4d10dc4f99.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine c0d5371b15.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine DocumentsBFCAAEHJDB.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 2879339004.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 25e9d277fe.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 4d10dc4f99.exe -
Loads dropped DLL 16 IoCs
Processes:
file.execmd.exeDocumentsBFCAAEHJDB.exeskotes.execmd.exeknotc.exeknotc.exepid Process 2816 file.exe 2816 file.exe 2768 cmd.exe 2768 cmd.exe 1400 DocumentsBFCAAEHJDB.exe 1400 DocumentsBFCAAEHJDB.exe 2952 skotes.exe 2940 cmd.exe 2952 skotes.exe 680 knotc.exe 2916 knotc.exe 2952 skotes.exe 2952 skotes.exe 2952 skotes.exe 2952 skotes.exe 2952 skotes.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Processes:
c0d5371b15.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features c0d5371b15.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c0d5371b15.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
skotes.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\25e9d277fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009557001\\25e9d277fe.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\4d10dc4f99.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009558001\\4d10dc4f99.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\d031a638c4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009559001\\d031a638c4.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\c0d5371b15.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009560001\\c0d5371b15.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/files/0x000b000000016c9d-1294.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid Process 336 tasklist.exe 1644 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
file.exeDocumentsBFCAAEHJDB.exeskotes.exe2879339004.exe25e9d277fe.exe4d10dc4f99.exec0d5371b15.exepid Process 2816 file.exe 1400 DocumentsBFCAAEHJDB.exe 2952 skotes.exe 540 2879339004.exe 3060 25e9d277fe.exe 2992 4d10dc4f99.exe 1848 c0d5371b15.exe -
Drops file in Windows directory 3 IoCs
Processes:
DocumentsBFCAAEHJDB.exeVBVEd6f.exedescription ioc Process File created C:\Windows\Tasks\skotes.job DocumentsBFCAAEHJDB.exe File opened for modification C:\Windows\CoCurious VBVEd6f.exe File opened for modification C:\Windows\RipeHaiti VBVEd6f.exe -
Detects Pyinstaller 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x00070000000187a5-840.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
tasklist.exetaskkill.exetaskkill.exechoice.exetaskkill.exefile.exeDocumentsBFCAAEHJDB.execmd.exeskotes.execmd.exed031a638c4.exetimeout.exec0d5371b15.exeVBVEd6f.exe4d10dc4f99.exetaskkill.exefindstr.exe2879339004.execmd.execmd.exeMesa.com25e9d277fe.execmd.exefindstr.exetaskkill.exetasklist.exepowershell.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DocumentsBFCAAEHJDB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d031a638c4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c0d5371b15.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VBVEd6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4d10dc4f99.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2879339004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mesa.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 25e9d277fe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exeMesa.comfile.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Mesa.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Mesa.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 2684 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
chrome.exechrome.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid Process 1536 taskkill.exe 1500 taskkill.exe 2580 taskkill.exe 3000 taskkill.exe 2544 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings firefox.exe -
Processes:
Mesa.comskotes.exe25e9d277fe.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Mesa.com Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Mesa.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 skotes.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 skotes.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 25e9d277fe.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 25e9d277fe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Mesa.com -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
file.exechrome.exeDocumentsBFCAAEHJDB.exeskotes.exeMesa.compowershell.exechrome.exe2879339004.exe25e9d277fe.exe4d10dc4f99.exed031a638c4.exec0d5371b15.exepid Process 2816 file.exe 2816 file.exe 2816 file.exe 532 chrome.exe 532 chrome.exe 2816 file.exe 2816 file.exe 1400 DocumentsBFCAAEHJDB.exe 2952 skotes.exe 2728 Mesa.com 2728 Mesa.com 2728 Mesa.com 1876 powershell.exe 2728 Mesa.com 2728 Mesa.com 1524 chrome.exe 1524 chrome.exe 2728 Mesa.com 540 2879339004.exe 540 2879339004.exe 540 2879339004.exe 540 2879339004.exe 540 2879339004.exe 540 2879339004.exe 3060 25e9d277fe.exe 2992 4d10dc4f99.exe 1732 d031a638c4.exe 1732 d031a638c4.exe 1848 c0d5371b15.exe 1848 c0d5371b15.exe 1848 c0d5371b15.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
chrome.exetasklist.exetasklist.exepowershell.exechrome.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exec0d5371b15.exedescription pid Process Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeShutdownPrivilege 532 chrome.exe Token: SeDebugPrivilege 336 tasklist.exe Token: SeDebugPrivilege 1644 tasklist.exe Token: SeDebugPrivilege 1876 powershell.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeShutdownPrivilege 1524 chrome.exe Token: SeDebugPrivilege 1536 taskkill.exe Token: SeDebugPrivilege 1500 taskkill.exe Token: SeDebugPrivilege 2580 taskkill.exe Token: SeDebugPrivilege 3000 taskkill.exe Token: SeDebugPrivilege 2544 taskkill.exe Token: SeDebugPrivilege 2280 firefox.exe Token: SeDebugPrivilege 2280 firefox.exe Token: SeDebugPrivilege 1848 c0d5371b15.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exeDocumentsBFCAAEHJDB.exeMesa.comchrome.exepid Process 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 532 chrome.exe 1400 DocumentsBFCAAEHJDB.exe 2728 Mesa.com 2728 Mesa.com 2728 Mesa.com 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe 1524 chrome.exe -
Suspicious use of SendNotifyMessage 16 IoCs
Processes:
Mesa.comd031a638c4.exefirefox.exepid Process 2728 Mesa.com 2728 Mesa.com 2728 Mesa.com 1732 d031a638c4.exe 1732 d031a638c4.exe 1732 d031a638c4.exe 1732 d031a638c4.exe 1732 d031a638c4.exe 1732 d031a638c4.exe 2280 firefox.exe 2280 firefox.exe 2280 firefox.exe 1732 d031a638c4.exe 1732 d031a638c4.exe 1732 d031a638c4.exe 1732 d031a638c4.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exechrome.exedescription pid Process procid_target PID 2816 wrote to memory of 532 2816 file.exe 30 PID 2816 wrote to memory of 532 2816 file.exe 30 PID 2816 wrote to memory of 532 2816 file.exe 30 PID 2816 wrote to memory of 532 2816 file.exe 30 PID 532 wrote to memory of 772 532 chrome.exe 31 PID 532 wrote to memory of 772 532 chrome.exe 31 PID 532 wrote to memory of 772 532 chrome.exe 31 PID 532 wrote to memory of 2968 532 chrome.exe 32 PID 532 wrote to memory of 2968 532 chrome.exe 32 PID 532 wrote to memory of 2968 532 chrome.exe 32 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1996 532 chrome.exe 34 PID 532 wrote to memory of 1724 532 chrome.exe 35 PID 532 wrote to memory of 1724 532 chrome.exe 35 PID 532 wrote to memory of 1724 532 chrome.exe 35 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 PID 532 wrote to memory of 2032 532 chrome.exe 36 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d59758,0x7fef6d59768,0x7fef6d597783⤵PID:772
-
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵PID:2968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:23⤵PID:1996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1360 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:83⤵PID:1724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1436 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:83⤵PID:2032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1976 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:2728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1988 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:2788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2448 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:23⤵PID:1696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1120 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:2344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 --field-trial-handle=2136,i,4646810706028975861,11798193255488594048,131072 /prefetch:83⤵PID:1856
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsBFCAAEHJDB.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Users\Admin\DocumentsBFCAAEHJDB.exe"C:\Users\Admin\DocumentsBFCAAEHJDB.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Appreciate Appreciate.cmd && Appreciate.cmd6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"7⤵
- System Location Discovery: System Language Discovery
PID:1208
-
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"7⤵
- System Location Discovery: System Language Discovery
PID:1956
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3975067⤵
- System Location Discovery: System Language Discovery
PID:1368
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Concept + ..\Mix + ..\Trunk + ..\Answers + ..\Bufing + ..\Benefits + ..\Ram + ..\Guides k7⤵
- System Location Discovery: System Language Discovery
PID:1836
-
-
C:\Users\Admin\AppData\Local\Temp\397506\Mesa.comMesa.com k7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2728 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1524 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5df9758,0x7fef5df9768,0x7fef5df97789⤵PID:2680
-
-
C:\Windows\system32\ctfmon.exectfmon.exe9⤵PID:796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:29⤵PID:588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:89⤵PID:2544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:89⤵PID:2592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1476 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:19⤵
- Uses browser remote debugging
PID:1996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2388 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:19⤵
- Uses browser remote debugging
PID:1076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1164 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:29⤵PID:2964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3328 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:19⤵
- Uses browser remote debugging
PID:1564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 --field-trial-handle=1216,i,2535004560638909938,12497703129464164877,131072 /prefetch:89⤵PID:2028
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\397506\Mesa.com" & rd /s /q "C:\ProgramData\AAKJEGCFBGDH" & exit8⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\timeout.exetimeout /t 109⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2684
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 57⤵
- System Location Discovery: System Language Discovery
PID:2668
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1009351041\PeRVAzl.ps1"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009552001\2879339004.exe"C:\Users\Admin\AppData\Local\Temp\1009552001\2879339004.exe"5⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:540
-
-
C:\Users\Admin\AppData\Local\Temp\1009557001\25e9d277fe.exe"C:\Users\Admin\AppData\Local\Temp\1009557001\25e9d277fe.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3060
-
-
C:\Users\Admin\AppData\Local\Temp\1009558001\4d10dc4f99.exe"C:\Users\Admin\AppData\Local\Temp\1009558001\4d10dc4f99.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\1009559001\d031a638c4.exe"C:\Users\Admin\AppData\Local\Temp\1009559001\d031a638c4.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:1732 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:1988
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2280 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.0.1243103421\148516893" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2170131f-eacd-4ce9-80e1-912b3014aa1b} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 1304 104db158 gpu8⤵PID:2964
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.1.1171579236\1658158543" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb7bf65d-07c6-4d9b-b439-5d86c52cda71} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 1516 e72d58 socket8⤵PID:2028
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.2.1890826941\1009494921" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf12f091-2706-4f26-b49e-3a80cad6f642} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 2108 1045e258 tab8⤵PID:2184
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.3.2129675268\208695256" -childID 2 -isForBrowser -prefsHandle 2964 -prefMapHandle 2960 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e295a75-151e-4279-8edc-af4d83914450} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 2976 1c505958 tab8⤵PID:2032
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.4.144765005\54894285" -childID 3 -isForBrowser -prefsHandle 3716 -prefMapHandle 3592 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3608f996-8a95-47b7-8769-9da72c2a3d7b} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 3728 1cdd4f58 tab8⤵PID:2864
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.5.1744662535\305564002" -childID 4 -isForBrowser -prefsHandle 3864 -prefMapHandle 3868 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae292873-e35c-46f8-9ed0-719ca4f94e3b} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 3852 1cdd5b58 tab8⤵PID:2760
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2280.6.1201888105\79324620" -childID 5 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe341ac-3c70-42f8-946f-1328bde3b459} 2280 "\\.\pipe\gecko-crash-server-pipe.2280" 3920 1b844858 tab8⤵PID:236
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009560001\c0d5371b15.exe"C:\Users\Admin\AppData\Local\Temp\1009560001\c0d5371b15.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2800
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2368
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5102841a614a648b375e94e751611b38f
SHA11368e0d6d73fa3cee946bdbf474f577afffe2a43
SHA256c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264
SHA512ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a
-
Filesize
6KB
MD557d817fbdadce24100bf6db7c793e097
SHA1182f0c8e4a83a4d9676681473b0a85698d9e5a75
SHA256dd1698441d677fcbe398d02e8e5f4469efca7a81ef7c560aabf2d87a5220f8e0
SHA512b4d0fef9d7efef2d8fc07590328b0e6b341523982c88d62cbf4a7f9fc308b2dd30e539fee5c67f984051f1bf31098a54ca94ef214a8147efc22a97ee6e6775b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50b7a8929890bae1566c5c43f03a9178d
SHA1848d71c553134da4356c87ed13290d87a805580f
SHA2562d4a84e48cc5692d678b425cedf7999212bf60e7c12ebf1ccd06fa5ffef97d15
SHA51255c17188dd069afaf70ea6d10a5a5aedddac1878df5d6bef2baee9cb17a24405c7d72b1b3ae4a2ed900300f52e89cb1af8a3669d20689ffcbf2636391089239f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b24dfc7830762bcc186513681b78b47c
SHA1c1efdc68a8be92bb4e399073b481647604b1d53f
SHA256905bbcbfa6d5aeb7c5abb064baa8dce7404851fc50a1d28994c24e3afe1a5949
SHA512859d6e9d8ab8008d6edadf44ad969e0f5f7d6a9bbc49dc8f8f37991789dad3c45bde7f2404c8a4198515e9a648aee1547f39276686479333ce0a9cf95ec5aa09
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD500ef245e1c43b9c3e2408a572c3b2fd5
SHA1d8c2f8d4ae13258b17ab2b5f6dd97a4d1ce58af5
SHA256e97201731649e3fb9803656a4fc4ab414bda44151f95ce84a4c22d06bc8f8591
SHA512c740ae9affe6ee4f4f7c54f17d02dfee7195aa39bcbae6462a5fe202bf9697168294608803ab39e04f8a023a04c00a876f9e281848985c612a514fd0de0ebdf4
-
Filesize
40B
MD529acc7d11d4391748f3d1253849a2e0b
SHA13ff5749dfe8a28085a4a40cb88a60e498cbd9175
SHA2568e133e9d24921ee093ae9b9b18270faa284d0adb2d88ee326ec85cb0642ba8e5
SHA5120a6eec4b96e4f9f9886f5607684d94a603f240d5a2964e9f5698bdb8c93eada7c7c6959d0a339c2ebc5c21069412074199b26ef82969222ae1700150134eeaac
-
Filesize
16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
16B
MD5589c49f8a8e18ec6998a7a30b4958ebc
SHA1cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e
SHA25626d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8
SHA512e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
136B
MD55ecbe14a95703a1ea45585bed0512ae3
SHA1a68e9e986e97c66779f718cb04e37cba080e4589
SHA2567babdf34d1ca25703f405681fc51bcc6c890e405c1498b66858c3cd1ca8016e9
SHA51267b899dcdcc6dd30df4658a5a2f676e2554805d161149bb296183e79295c1b917addd607803e16bdae9f2ace9bf973df1762e77b78c8bb107f849f233b80d57c
-
Filesize
50B
MD578c55e45e9d1dc2e44283cf45c66728a
SHA188e234d9f7a513c4806845ce5c07e0016cf13352
SHA2567b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec
SHA512f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3
-
Filesize
136B
MD523ed54ca631a2e834a67cee58c87b948
SHA1256641b295bc6a46a2073d44ca943b38160685cb
SHA25603a6cecb29aaef1c4dd7d5c980205d7cf56d94f88637d6dc7b9069bf66ecbcd7
SHA5124d5bcbbae73ac356b2068d3cfc8b91472d359bfe762ecc7149906410b437efc84346b7b02bfbf83a2d54692079b9c981eadcc654366ef93f28dcf4f48cf01c39
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007
Filesize107B
MD522b937965712bdbc90f3c4e5cd2a8950
SHA125a5df32156e12134996410c5f7d9e59b1d6c155
SHA256cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
1KB
MD5b598df23549718d247a3b994e466a285
SHA1e01c4faca55b1a8edfcbf6451f1d1fc12c65b984
SHA256de8696de18260272e6a37e4f80bc00cddc34f4bc7835c9ecc5dd4e9ba096b50d
SHA512b5985edbf24623d4356ee157aae6bb43b7412dc2221bfb214756050f3be001cc528a2ce16740d7e8b6a5383530bb83fa414cbaaef428e413c6d954baf974f6d4
-
Filesize
2KB
MD595414a5209f87e66d276e533a0d6494c
SHA1acaa7564a4951debdfc72e60cbccf9967ae14bb0
SHA256d1defc1ba88cbb0fbea24378710e04d03f364523bca580ff2aa8da923edd3096
SHA51209c0bae1343e1480edd2d6d921a54b346c7e5bed12ccf86f4e112eb300d6095e448c340aead92477d5c0a5122628ff66128b17184a489ad6748fd66b8d4f6735
-
Filesize
250B
MD5a480caf08f5f7e69e59ccd36fcc686b8
SHA1f490a820f86a1b9a108938676b141f6ea931a1f8
SHA2564ef133d564347e16cbf98be8cb78437568a0b4d73b35506a6c1649032e2fccce
SHA512859c07249e7c4e3df855e3fd6661a5f3810d4fd56c0782c29964845544a57f76eed6df97dd2315aa49e24163adee984811d50c0c625cb403fd61386bb0c69146
-
Filesize
250B
MD517955c6a1bfe62d0dc5fef82ef990a13
SHA1c4bc3f9ccf3fa9626c9279ecb1a4cbfbf4a0fcf5
SHA2561cba135964cd409db09911c7cd4699112622596ff633cea868a83c54088c03a7
SHA5125fb73bb4f7eb1c9e26f34e5d0f310783c7e629e717760ee38731a52a8e3fba6831d77abf0f37631fed820839a00c9242a582e59266de08d3c92c5c4f83c8e7a3
-
Filesize
249B
MD527654494286755f6317ab073e91cbbc2
SHA1ce4bb80688b7c679568bdce8ffd8e44807cd8cdc
SHA256bedf0223bea95a16a31f42411d022df1e79fb322a53a9e002b1be559a2f78c60
SHA512bbf80026905c613b17673a007a0acab63e6a48b733fb5834b3f78bc4c349549f3b0771b30e631d6efa4dbc3ae67a7d69bda3fa1eccc766559478664bb3569ffb
-
Filesize
98B
MD51c0c23649f958fa25b0407c289db12da
SHA15f6b10cd5a39fe8c30353bcf4cd4e4a60ef35574
SHA256d5134b804a775cfb79c6166d15b5721d38ffc2da11948a6c1263595d6c2941cf
SHA512b691e882018833a108bd286bc76c55a140d00d5a266617a3a381af1ceff01aefaef17acef29d14dec931d7051455726cde8974cd04cc07302f1c3cc452fe2f52
-
Filesize
34B
MD5fe62c64b5b3d092170445d5f5230524e
SHA10e27b930da78fce26933c18129430816827b66d3
SHA2561e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4
SHA512924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
249B
MD5ef1988c40c68077d8bd57a8a6d316256
SHA14a82c863cf6bb975803a0ea052bd3a2878729992
SHA2566471e95dc9f507ab3479047878dc5550b5d0e82641bc7155989f5a63daec7c66
SHA5121470d479ed7e959b3c22bff00d64a182ae36efbbdd008282c6f0e3cc8c72ecf4c77f0df13822fa5d6c2c85ce8d2788198e090d7dc6ad3fb6a1f2ca4d04afb3d4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007
Filesize118B
MD5d5842b6fb90a67708c353f0f3a33be85
SHA148a9e06c9bcf2791ac6376622d6dea179689255e
SHA256c63523f14d423eee3b43947283056d5219edd0c63318007b1b876e24ab101d03
SHA5121a5f288211bfdceedc802fe9de9cda4596d3db06222a742600a67262671f5084feb4ac797d39a10c02854590f680d47df39cd81bd41312a0807db597beabbaec
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp
Filesize32KB
MD5b02e04c15b57ec90b725641166520ff3
SHA13b8b09afd65c111fca3d5147e864353439d47a3c
SHA256db4c71e8602a3b80630109a4c2ec1f79e1ac5705fcf3732ad9da3de72497fb27
SHA512644010160c031e93b78303b408dbeb31f72b1a1041aeea4d71e52a63f64cff241130a81abe3e87d87d810c5b6500d155f26cd51b671b6141e3a4956d24590369
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
1.1MB
MD57f8c660bbf823d65807e4164a91dd058
SHA197ac83cbe12b04fbe1b4d98e812480e1f66d577d
SHA2565a45b35e922d52f1bc47530634465ed1f989d9916684bf9591006a6172542509
SHA51289872cc15ca3a91d43b0b4261b04c38b8ac545c9b4afdb47d2b0288167b512fbe709de04fd2d1809ca1afee67a5a799aa7943f5aff65a5aa3197f9e10545c919
-
Filesize
3.0MB
MD52b918bf4566595e88a664111ce48b161
SHA1e32fbdf64bb71dc870bfad9bbd571f11c6a723f4
SHA25648492827286d403668996ae3814b2216b3b616f2fb4af2022bf3d2fc3f979a26
SHA512e3d58adbe13befe91fb950cc52b16d6d2fcb8f6d65bab4020222713207b07ce78b76e2e2532cf3de23149e934ba1e1cb9046a95a18424a668bfa4a355af6f44a
-
Filesize
22.3MB
MD5719dcf184f232c140a40a69f05ae2ae7
SHA1ac1e40daf79114c78ca756f2cfe5619cd2804cc2
SHA2565b5856719e14b1dcf6297e51e69b147263a72203e2f7bc5d938ae41f01312270
SHA51236ec8a14ee9f579f221662f29f08882f6f9dc59637100a99bc782cddbdf3aa1c27925ca5ff94e7b3e52e092a789104713e781226050466841d01cc04960bf2a5
-
Filesize
4.3MB
MD50473a8e8e6d92ece5fe21d23552391d2
SHA15f8b811f0df1a5c7c5de0d7d20965809b120e034
SHA25642c6787fac49fff1f3b622983357d0346048598dd8c7f790fcabd5ed5503a127
SHA5127672688ee9e1c7a204b03d611c110c2930b7a46559111379b34d5abac2d0ce6b38dcc52060fc855e6620cc5fff54ae5783358b0b7d2df24d4e5439427efaa0b7
-
Filesize
1.8MB
MD52c82b5398fb301bc2a2b3a9716e214ef
SHA1540d9ac0bdba4130643627dbb578004a71b68302
SHA256ae0615aebbe333c96a367f391103f4079076aba81341abf0081247addbb5c208
SHA51204f8e6fa29b442642bbea31e8759472f6faabf61a038ec0579401599bc123cc3bbf3f8376df44045ad0a8b721a916723ee4d35e5d4701cdb49828e1ede57ef65
-
Filesize
1.8MB
MD540fbf66fe2c47dcd8d2de9191b48b355
SHA1eb7260a1cf345b9a225fa6250727db32e391ffd6
SHA256c5723c29a13feb389fd9e72e6e81d914c0693d9846c2810d1d0bad4e3307eb78
SHA5122d4328dea1251bd7694c4f1b42f7bf5efad6b8712364bd42db6f8ba612dffd430b6e4bc158756c5e68d9aa24b0904cdff7ac7fde06cdf2826f062077415d0690
-
Filesize
900KB
MD59c130f43a75b749916375fada08cf486
SHA1b0787ab9ce67d0954c9027d58c2fb7782a42a11e
SHA25695cdc1cb2dc25c23029e61e302deb9f5f1607d382a204f487e9b2eb4d52b3044
SHA5120f29a5634383206fbff2779a505e327e7468bf3c3d07825e615cb442513531cea2862a264d8b2cf47bb849e4978865902445b483172b635b1f4358587320bf3e
-
Filesize
2.7MB
MD59ec7150c51a4d30753fbab8a457121ee
SHA15a18ca834905608395d17b6ac0e3c90fd982a67c
SHA25627574e7abdb7c3ee82ac007aa592e907b1c101b58e16263a629750be72c978d2
SHA5120ee554a5a05536fc59ad14f339e374d324ee0b5ea2b17cc3621d9e83422aa0b745471eeac47409d8295fa46c30b866c3f5987f2e63d170e91998ae739e9a5197
-
Filesize
540KB
MD5c3f398f77bbc21294aa17caf6b0e6994
SHA19753fe7ddb15ab965155838192ca6aed909ff56b
SHA256776d72e984f777c04609464a94576539908202dece7b8631feee29ab5b6ece50
SHA5126b43a9bc32725c3e25abae17f6a7accb83b13f446479f1253630b72ab3c4ccb3dd4e36be26cf65b910f36f3bf3b48138c3c2684782dd361477a7e4e2bb4ac463
-
Filesize
97KB
MD5287cadd3b072c264654b2e6e2566fb2b
SHA15e382082ef2dcfcb9b0312b9d8d76ac07625449e
SHA256c3bcb56ffda3326608d754fdae6fa5785161206d8c9f06abbfa6f0cf3a05e459
SHA5123c3988f6810772f112f2d05b8b4baf31c23ac1e0b441be93c9552fb2f64eec8d8779b3da2d08515cdbbf41140e8500a2982712fefbd6c8b03ad3168b1b21c734
-
Filesize
15KB
MD5cf4a755aa7bfb2afae9d7b0bae7a56cb
SHA1f6fe9d88779c3277c86c52918fc050c585007d93
SHA2562853c2f9d3db94ea67286c50a896f30c0eb4914763d8d74b450ac3faeea2c5d2
SHA512bc185b1886fe438418b282df25d234b92f80386697bdd743d568849de572776439d0336263b3b9ffc4d6994e79316747e4483067ead4c5b8ec5ed09f6f592967
-
Filesize
51KB
MD531772333ac1e8ac850ac86b9fda3ee23
SHA1153a8bf471248744befd0fff259d515c875b4b1f
SHA256a9101d5b78c38b72c53eed0ec896c4fbaa3bfdc9f72cd5c44688b48d66e31b6c
SHA5127ebfe1dab4d62a0174487b70ccb7befdab182d1bc6f2f0319a27a7bc7b398e87968bbc6b59e4bf3058a5ebfabb2efe96561535c6b01d44943ab82ea26e0a488b
-
Filesize
59KB
MD58d89a2fed5fe22eb7fd25f7f84feefc1
SHA17f9b5b806071b312b4d9e95391d6d96dbd66dde3
SHA2565c16191e8d38db8381d2e67a324d0dc481c97f2647010a1b343e26277ab2d689
SHA51288b04c9030d1ad1844f05134682c3a9b3adfabdfb22d1145d730a6508ff4ea0a81e21e46f493ff715acb9d3a4e6bb341c885d8b735cea601a86b8e54e9a52b12
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
74KB
MD5ba279e43bc3824f4dd387a5a6c15bd60
SHA1857ce7750d1bf83461965e5069f6734c483ceae4
SHA256fff37d64d11ab1cd68e00abf6774656e314388b6cca79fc19e01e33e7bd8c688
SHA512c91b53e8c4b674ab7219e0b41899f95828aecf32b86733174a20700f9d70e658063b1ee26368412c977dd1b3aa812b82073d8d2d3321c3504c4d68c3cb50b784
-
Filesize
872KB
MD56ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA51257d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
-
Filesize
51KB
MD51214c7903301b6105f1751d35f8677a6
SHA143097cbab70e5007ed435eca7839cf693310a632
SHA2569021d861a44500218566588391a3a17f1b1f0b00ab781b27fad7f57a1aa46c52
SHA51293e1b42da3aa5bf7809ac8e4c51fe9bbffc53b54997b0e877c2adeb3d2459f8cde91ab3cd7913146491d5ded88a6b6815fc3b44f4d59844d7e4baa78e6ed37bc
-
Filesize
92KB
MD5ebcaa458524017b6b69e50610fdcdfdc
SHA1dde54c9c52267d42df70d932182413757a524050
SHA25695365d774498df62fb358077e847f1dbad95ba6d09b1d6cc76c22d35b0bc9118
SHA512dd146de78e15a86184350ef355cf48b63abbdeda20c10d6bc7507a8699f55e1bc80250986a9cb091f621e9cc5b34cdac552f7ad95f6aed7b09c3988d89471e22
-
Filesize
66KB
MD5d6e907bcb5843d6825949565bb20cab4
SHA1722862a965ce62a21ee20b0b1fb80aa3ca1fdead
SHA2565339cbc5d3fc6aacdcf8a4ff313696b3c23af83a6823f779d769a647df85750b
SHA512f1563a7b3a2f102fc6eff61b35736c2cc3d0bde304532485afb88c434152d283096415905d5c7accf0ea6394fd3e8c1c5b34957688241f14befdba88a0d7bcea
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
50KB
MD563b9ae899f5a5c8bfe0ab9d6d583bd01
SHA1013d6416534001cb5be061efd020af56e47eea1f
SHA256e0cfff56e7141f31a568781504048ad5e0308b22227629d4e2885a58a0499b18
SHA512bcadf064b072a29a34ef4593161d8ee7bbe3e1079b1bf08dc7422249fe4181e881084a98b5ac3edbbacbe9de0c3d6804c7f4b2694a51f74840e89f6bca117e3d
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD511d561cd72447d5d11cb7391464a9e53
SHA107c7b0c26926d4a8bafa40ce74bc33b17f5807b8
SHA2560d0a13791319f4bb131b9bc6714e5cd421dbafb4747f9d1d733a4a03a5f7a786
SHA51263eedf53bfffdc3ac6fa8073a7ada5d42ea3976521aa3abde5df3e3bcdb3c7f81b4207ff83c41d5681f428f270313255dc9320b21e71f72a220ae07b08db69b5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\bdedd8e5-2cf0-441e-8110-d590c48eab51
Filesize12KB
MD5ebdbe6a2efe4e1c7dae4230fa639d3b5
SHA18930a909ae3950a376b0dd13eeb9b7a66cf9aaab
SHA2560f7731da6ec00dd84253127fa9659f96b8517170cca41452fd4accb1ecc81b6e
SHA512a3917a27576079ab951153b3d02fddf965d02e4a0b9da7745590c53746c2e97a98304dbfa2d4dfab58ce5d2479121b2fdc06272b50c98fd9c30423291c2a8508
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\c86d6003-4e76-473a-bece-96666b5600b0
Filesize745B
MD5eb33d7431ebed572e6eefce261d60cd7
SHA13be5cbdebd65dacd2a3ebf42216d81ce4b28bded
SHA25616d0ee5dd887ec59d8f53d6f46977e4538bc4d156a30177829c703f8006c3a17
SHA5123860b35389096558bf3f739f36a1c0ba947e200f592a67ad58d68c7861c2ea9dde3ec08193981a72efcad08f37c1fc4bf06dfc7ac850c8e71032b69f9753c7dc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD501f6c2afda928bc46cc4a98f6547cb33
SHA188b000d7402d36b9513cc802af8b59ee35cf906f
SHA25679014707ce049258bb4591702cad9e361a8ffbe710992e836eefc5ec4a78b0fb
SHA512d4604218c9428139f12a7029d4c409ad50c8410003fd1d37f0a41a61d8abb881fd96a0523f219c058cac93f676a1c1954ea078a757d6a18502842ea2ab50e62f
-
Filesize
6KB
MD503d795d9e7bdf0e040f79313b27d6cb2
SHA15fdeb6694f0483388c833e4b57b617671d94549b
SHA2568f4773495d77ff4cdf1c03a59d57640e2795767b38b2ff594df0b862f6db1928
SHA512bd8eb75c0157442200729c9a0d39a3ba7dfd0ee9726df20c54b07adb857b9c911d8618e9bc01d96e9d07a3579b5defbfc0b4c11d5f2ca9df0dd7f48c361c88b6
-
Filesize
7KB
MD5a00b40bf08454cbfa5a26fb3966c827d
SHA186ea3ea83d38915b07194718cd09255e5669b008
SHA256e17dcee613b7656f05b1748bd13e1fcdee6944370749ae985b9b93125693a878
SHA512aa36dbea8073b662c6c047cb469f12a235be56aae20035a9fd6812399c82617f0307ea652a93a96d9f1802dbf954defff25eba5f578848ef9f9f336ee8f8da3a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD556897c7e968764efc773cffc182f40be
SHA14fd7bdeb58b73c6f0a21612c4e71b2295a0cc46a
SHA25644bac755cbddb8164c33e654c190f4b8e30e085acb882e02705501bbc43083a0
SHA512b25870c800691738b82850d309671a96028fd269a75e29a2c0035255fdf8cd9ea49214339f3d70feb3a5d139972903b727d6aa238a119cd6c3b1208595e9f2a3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5fa098b363f56394eb669a96201d3521d
SHA176ecc170b800c1ec06e738a7b5e36e71233f8f2a
SHA25640fc948cd1a58cb92a7a43d066fd250ef34ad52984efb82950c20bd60e7cf21f
SHA5120c16d78ab94169f9b82dbbe5fabba0a1b4d8dc7294bb8cd7186334cd9e324a1b09d12bc40c10e661101247f85fdae1c1a409750d4d906b1a54ec59b9a030b66f