amadey | 364c1f1ccf4a537fe8705390bce9a94aeb634c8021f0bcb60ee9bda35e3f3d87

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4DDGX_file.exe
Size

4.9MB
MD5

354e2562477ecab1cc52116cccb91c20
SHA1

bc507791496a806c8376180718aef5a54447d6fb
SHA256

364c1f1ccf4a537fe8705390bce9a94aeb634c8021f0bcb60ee9bda35e3f3d87
SHA512

9d025986b00d8e8488b9d88b61b9368b2d6b0907843722921bcb0528bb241dc6fd406f26ef578dd2936f4f388479b723dfdef40d28d1e5a3d7358b936e124b1d
SSDEEP

49152:GRye3nUtlBqd4sS6ptYA/d5R/2EPdbgktps:Gce3nUtlMd4sSAtYA/3R/fPF/s

Score

10^/10

amadey cryptbot lumma stealc 9c9aa5 drum credential_access discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

cryptbot

Extracted

Family

lumma

https://dwell-exclaim.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

https://atten-supporse.biz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	1129240a4e.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BY5BeYh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f5f16a6c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	217c7d2614.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1129240a4e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4DDGX_file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BAEBGHCFCA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2000	chrome.exe
408	chrome.exe
1704	chrome.exe
2308	chrome.exe
1636	chrome.exe
2624	chrome.exe
2944	chrome.exe
2740	chrome.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4DDGX_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BY5BeYh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1129240a4e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4DDGX_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BY5BeYh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BAEBGHCFCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BAEBGHCFCA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0f5f16a6c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	217c7d2614.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0f5f16a6c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	217c7d2614.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1129240a4e.exe

Executes dropped EXE 7 IoCs

pid	Process
1616	BAEBGHCFCA.exe
604	skotes.exe
2384	BY5BeYh.exe
3028	0f5f16a6c5.exe
2768	217c7d2614.exe
2524	670129fc15.exe
2812	1129240a4e.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	217c7d2614.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	1129240a4e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	4DDGX_file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	BAEBGHCFCA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	BY5BeYh.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	0f5f16a6c5.exe

Loads dropped DLL 14 IoCs

pid	Process
2336	4DDGX_file.exe
2336	4DDGX_file.exe
1484	cmd.exe
1484	cmd.exe
1616	BAEBGHCFCA.exe
1616	BAEBGHCFCA.exe
604	skotes.exe
604	skotes.exe
604	skotes.exe
604	skotes.exe
604	skotes.exe
604	skotes.exe
604	skotes.exe
604	skotes.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\0f5f16a6c5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012724001\\0f5f16a6c5.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\217c7d2614.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012725001\\217c7d2614.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\670129fc15.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012726001\\670129fc15.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000400000001d6c2-596.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2336	4DDGX_file.exe
1616	BAEBGHCFCA.exe
604	skotes.exe
2384	BY5BeYh.exe
3028	0f5f16a6c5.exe
2768	217c7d2614.exe
2812	1129240a4e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	BAEBGHCFCA.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4DDGX_file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BY5BeYh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	217c7d2614.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BAEBGHCFCA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f5f16a6c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1129240a4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	670129fc15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	670129fc15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	670129fc15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4DDGX_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4DDGX_file.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2928	taskkill.exe
2784	taskkill.exe
1520	taskkill.exe
2200	taskkill.exe
2448	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2336	4DDGX_file.exe
2336	4DDGX_file.exe
2336	4DDGX_file.exe
2740	chrome.exe
2740	chrome.exe
2336	4DDGX_file.exe
2336	4DDGX_file.exe
2308	chrome.exe
2308	chrome.exe
2336	4DDGX_file.exe
2336	4DDGX_file.exe
1616	BAEBGHCFCA.exe
604	skotes.exe
2384	BY5BeYh.exe
3028	0f5f16a6c5.exe
2768	217c7d2614.exe
2524	670129fc15.exe
2524	670129fc15.exe
2812	1129240a4e.exe
2812	1129240a4e.exe
2812	1129240a4e.exe
2812	1129240a4e.exe
2812	1129240a4e.exe
2812	1129240a4e.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	3040	firefox.exe
Token: SeDebugPrivilege	3040	firefox.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2740	chrome.exe
2308	chrome.exe
1616	BAEBGHCFCA.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe
3040	firefox.exe
3040	firefox.exe
3040	firefox.exe
2524	670129fc15.exe
2524	670129fc15.exe
2524	670129fc15.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2740	2336	4DDGX_file.exe	31
PID 2336 wrote to memory of 2740	2336	4DDGX_file.exe	31
PID 2336 wrote to memory of 2740	2336	4DDGX_file.exe	31
PID 2336 wrote to memory of 2740	2336	4DDGX_file.exe	31
PID 2740 wrote to memory of 2656	2740	chrome.exe	32
PID 2740 wrote to memory of 2656	2740	chrome.exe	32
PID 2740 wrote to memory of 2656	2740	chrome.exe	32
PID 2740 wrote to memory of 2744	2740	chrome.exe	33
PID 2740 wrote to memory of 2744	2740	chrome.exe	33
PID 2740 wrote to memory of 2744	2740	chrome.exe	33
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 664	2740	chrome.exe	35
PID 2740 wrote to memory of 1040	2740	chrome.exe	36
PID 2740 wrote to memory of 1040	2740	chrome.exe	36
PID 2740 wrote to memory of 1040	2740	chrome.exe	36
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37
PID 2740 wrote to memory of 2944	2740	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4DDGX_file.exe
"C:\Users\Admin\AppData\Local\Temp\4DDGX_file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7379758,0x7fef7379768,0x7fef7379778
    3⤵
    PID:2656
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1340,i,3818387852616879133,17368572557006575162,131072 /prefetch:2
    3⤵
    PID:664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1340,i,3818387852616879133,17368572557006575162,131072 /prefetch:8
    3⤵
    PID:1040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1340,i,3818387852616879133,17368572557006575162,131072 /prefetch:8
    3⤵
    PID:2944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1340,i,3818387852616879133,17368572557006575162,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2540 --field-trial-handle=1340,i,3818387852616879133,17368572557006575162,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2548 --field-trial-handle=1340,i,3818387852616879133,17368572557006575162,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1132 --field-trial-handle=1340,i,3818387852616879133,17368572557006575162,131072 /prefetch:2
    3⤵
    PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d59758,0x7fef6d59768,0x7fef6d59778
    3⤵
    PID:3068
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:2
    3⤵
    PID:236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:8
    3⤵
    PID:316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:8
    3⤵
    PID:2920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2372 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2708 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2812 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:2
    3⤵
    PID:1104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3800 --field-trial-handle=1312,i,14065464820174225880,13217374556096701685,131072 /prefetch:8
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\BAEBGHCFCA.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1484
- - C:\Users\Admin\Documents\BAEBGHCFCA.exe
    "C:\Users\Admin\Documents\BAEBGHCFCA.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:604
    - - C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\1012724001\0f5f16a6c5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012724001\0f5f16a6c5.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\1012725001\217c7d2614.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012725001\217c7d2614.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\1012726001\670129fc15.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012726001\670129fc15.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2524
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:2276
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3040
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.0.472632975\336343775" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80499de9-03c1-4888-84fc-ca8d641133c6} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 1296 117f2e58 gpu
        8⤵
        
        PID:2460
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.1.814452692\2132493169" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd159bbf-b5bc-45b8-9a7d-966530183552} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 1500 e71b58 socket
        8⤵
        
        PID:1240
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.2.1772970939\1172806711" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eeeef4bc-ae8c-4ad4-8756-b2b6b1c04a2f} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 2072 11764358 tab
        8⤵
        
        PID:1956
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.3.2128471825\802928822" -childID 2 -isForBrowser -prefsHandle 2548 -prefMapHandle 2556 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6c26a08-49f7-41a5-bc77-b73fea117482} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 2572 1b619b58 tab
        8⤵
        
        PID:868
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.4.1013194342\1513177866" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1452f02-a89a-4983-b766-109bc88c5b10} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 3744 1a64be58 tab
        8⤵
        
        PID:2236
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.5.1679628192\1844379004" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3856 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5d8e422-4887-437d-9958-9297bc64e23e} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 3840 1a651258 tab
        8⤵
        
        PID:1420
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3040.6.1421112212\131010428" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90bf15e0-3424-4a4c-8665-d3ba5d533acc} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" 4012 1a650358 tab
        8⤵
        
        PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\1012728001\1129240a4e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012728001\1129240a4e.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2244

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9ca337524816226bf5da651706d62f51

SHA1
6f8a551c620e75e45b2340aac6720452d2886a26

SHA256
ba3dc56f607d63a68f065d56b69cefc8ab6dd4991fa972d80a1ff4ee388f4877

SHA512
97d45a79a646fe20a2ac9ef7aa142fe9483d95a6d2d9d007e7043f1b0776fbdf10616ba3fc93acd15404549bdd8c6e58706a76774fba18958dc8c1e76acc6e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Affiliation Database

Filesize
32KB

MD5
69e3a8ecda716584cbd765e6a3ab429e

SHA1
f0897f3fa98f6e4863b84f007092ab843a645803

SHA256
e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

SHA512
bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
db0d5b9cfb061c4895d2e0af3328edbc

SHA1
66cecc7cdf6cf792b9c6482d98f57b18fc590b6a

SHA256
a08449cc4db8af27ffab41d044ece137a899ac9c53675b622a606cff2d16affe

SHA512
b54eed84023e75e8fad5c24e82dd3d8a9ae74022dade6b9b171073c5ff1e766c6a3532c0f5a8ae6d8c51fe8976ed45d5dfc19a92bdd237a12cc29256fa4cecfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
2cd3bb98c4458f8c2db54ecc096ac4b4

SHA1
639f9fec2d8304d8962ce273a4b3ce65b5b46cee

SHA256
7be40eefceec44ea2f75da3c8deb841aa1e0c6cffdf32a0ce2454ade6f13f9d6

SHA512
e12bdf1980c0cfb634ac145231f46ca1b36883ed9a92def9269a641fccb8ca753173b1406f3251e6f081ea408679fcd42a4dc06fa705f3e72f45c9b1fad31ba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\000003.log

Filesize
76B

MD5
cc4a8cff19abf3dd35d63cff1503aa5f

SHA1
52af41b0d9c78afcc8e308db846c2b52a636be38

SHA256
cc5dacf370f324b77b50dddf5d995fd3c7b7a587cb2f55ac9f24c929d0cd531a

SHA512
0e9559cda992aa2174a7465745884f73b96755008384d21a0685941acf099c89c8203b13551de72a87b8e23cdaae3fa513bc700b38e1bf3b9026955d97920320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\LOG

Filesize
192B

MD5
6b5658578b5eaa4edec85882c56b52b2

SHA1
1e0e219c39d62b6b1f139fa3a8ddebff8ba8183f

SHA256
b65487442e987ba73cc0d12189ccb41f2e3a0981dc8afb02e84b32c0712c3e60

SHA512
0c653d8e0900df58101b70c4d70af9dcad2f626a695fd771d8760dc0cb324d7064ccdd3fc02df1554a42b54c90d9ee3c6005ab4df4cc9826ef48408041a9058d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\LOG

Filesize
196B

MD5
14b8543cfc054a3a4d303246e7c319f9

SHA1
7c3d7fe94b51d99b33dfb4a67e470def4b900f74

SHA256
178d9d1b2521129493466a07ccfc0598312e8384339cb0f1083c3effc9ae6ef3

SHA512
db542073cbc041119cde9a0822087720690194abc3a607b076585e58aa56db5c6dc666ea31884f91a4cd529b51da71d894a5388e813b3c4b6a385229cfcf94d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Login Data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\LOG

Filesize
204B

MD5
2a948671d17d538201e0c11ea067c874

SHA1
95394b4dcb1f2caa38d10f39ae22495b67540f41

SHA256
5e2b356669bb6257b1e46755a1754aba0b29726dccceade3ad1c34c50269161f

SHA512
b888729685b2708e742f2cefae53af050ea35f5681444245fefefc11f183787be2e70de811cd4a02f3ca97c3cbd1c53aa554a18dc7c77270f676fda28d12e82b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\LOG

Filesize
192B

MD5
9f3da266d135cdd31b05aed856448e77

SHA1
92a167084f08649981c3b4c0bbe2bf3bf5405d08

SHA256
6e49ec2dfd3a8fccdcd2ad9c0b17c6d2a75718cde293b489faa2459b21738d9d

SHA512
6525b8ba2b1ccb4b37e018a6dec994cfc13f66cdf5e1dcfbda551dbc37bc4624ec04253a520605f6c3a14445b01c3795a93b79155b212401b4a686503ca4e727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Visited Links

Filesize
128KB

MD5
10a79d1dfe1a8f7f91b6157badb2fb4d

SHA1
4f96cfbb023a74a3af8a80185f0d681640abc524

SHA256
f3510d366336c3c31ae46ff6720c3cba0cbb0c46e4fd95a066d287264e4da80d

SHA512
b61061712d2c9ce7acd2023b916dd955edb90cce7873a57e740ff44a85039b1051d474b37388a65c4db8a6fde2ac9f5f15bbbf4751b837efb02f7efa493814c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
b623bb9096f80bca6097950841d39861

SHA1
bdf25de391d6d03f9304266ebeca79e38fc76972

SHA256
385f53d636c03e281258bc55f44c11be03125ff9cbb1d9117bee49a42b4e3b2d

SHA512
1b3d10338a9e72aae3422ca49f4578907f1ba7cef80f2c56620076dcca5dda418e60be0e831a458cfcec3fa1e3da41debba2b392b848846f09896c3347a5d1fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
01080df165b1c1d92fd0db456f486b04

SHA1
2f1a830d5529d8a7791070293e2e90ea873cc66e

SHA256
3692a7e75fd65200b3620bf9d84fe8f6500f29047f2eab920544402455cd22f7

SHA512
e74485fe2156d41abf5fe8e106a7fc0f9a3c7652f0f01e9ec32f0b33916f0815bab81692c0d5d7c0ed0ca76f5967961ac4bfae6e23b0950953034fba199ff5cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\LOG

Filesize
193B

MD5
13d49290b0efd16acd0c8ec00332145f

SHA1
a930cbcaf0eea66219a4016ca523f463f6ec9415

SHA256
db680d31988b7e440933a114fbc7007f53e5150c6290d2ac60bd6e9dfa6313cc

SHA512
6bf809fd4638fa05f6b45c3c805075cb390fc57647322e1a03c8c15b544be07aff5642ca7b4870dec7247aa3bedbaf1ec413e218ce732a100caf69513cd3e1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Favicons

Filesize
20KB

MD5
3eea0768ded221c9a6a17752a09c969b

SHA1
d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

SHA256
6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

SHA512
fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\LOG

Filesize
197B

MD5
99590d9478c9f2f4679f0f3c695c7e39

SHA1
91e4e89d296822adccdf20a929bfe54869ebf6d2

SHA256
db018d1175fb455112b594662e5e285c111ebeb6ffe3a71da37b8aed40192303

SHA512
7fb5baf5d7ed94c1e4dbbdf475f549387e97726a94d6200f3522d68166ffdbdea994c73291744c949918b9421c06e978058c1a5af4ff13aeb86dd027f16ab4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\LOG

Filesize
205B

MD5
42f8c7bdbfe9b9786e826488d005acb9

SHA1
ea617afa4ec5af6a5f384ccb9dd2ec32f5d6551a

SHA256
0062e9280a2ca10354cc2923c7b8d86a73b0bbc968438f2cb60dc81c695a25f9

SHA512
6c2d4b1ae8f716615b6bb54c42190db84ab53df8b0f7bf2a631bbe7f0c1fe548531432772e461cbb5001f570018c6fffc0427077a1c2b34492ae13f6475965f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\LOG

Filesize
193B

MD5
3ef6c471472f63ac6b3886a0fe94e99f

SHA1
0b9337d7043174d636c862804df55f7dda52dee4

SHA256
6680aa9cc19d7f09106e3d416149fbcc417fa66d467b502dc2a5cbc12f393ec1

SHA512
c3e66fad30537b98100d672afe7ac14b8c92bec86d64010f4c609a96f3f4b056593896e1cf0f715e4754f6b0997c9a258be4f0ec4abe83667a38c5291eb0b13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links

Filesize
128KB

MD5
4e0e7ffe725d1023c8379291e3df5140

SHA1
7c38df729af05c39b44688886d5185b68a501d44

SHA256
63cb1a22e21269176b082d979273dca0c539f22e68e346087c30670c141d9ba0

SHA512
543ac02a9b92ca478c579e17694e0b2a4b38041c54b4522bd66b841dc85b480a4a2f25f7691560ed72862c7f7b5e13d7dfa116d4526f88aab722117e9b01c5e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Web Data

Filesize
92KB

MD5
32c8e3549120316a9736af6487832f5f

SHA1
5c619bdd9cc0aeafaefa01d01555ee7da9b0e41c

SHA256
a04fa00adf069c721d30d5c88cf55daac8c05114e6d04b5f464eb093a2502a51

SHA512
9e8825f1258ff9b276c82db259a4300950fbd8bed4ed9b08b5db8342102d1749b265b11e01c1221ba2dc117f0f3241a3e96a0cd33ccade40621a74aec2097007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f1cdd5b4-612f-4139-9607-bdd67907f9cc.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
a6979bbadece2a551f1516cc36810bfb

SHA1
2f461e7eba97b66b870e7278399c274dcffa6819

SHA256
58152be87997e0eb3867c28f15f0b438c9d02b963af9bbe27ffa0d26819c225e

SHA512
61b87cde626c088272ab1fde35f0699bba28c0491c0d724c29196dfab387bc7d8b582f7f50d5b14d5179d441dc0f29ef3b57c6f0f0788c8a7891881af0507938

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe

Filesize
1.8MB

MD5
f64bfb2f10922691f73d024caa447e48

SHA1
196536819a64cb13c1b78710bfb18cb8be4c5777

SHA256
deb36787b95129fcabcd43d10401c2fe47d9e0b30aebf206f83acda4660ac32c

SHA512
c688f5e34771bd8ad4b4b86f7c0670f49193fa281c1b56fe6d220131a0c38b4221585e1e38f3dc00d51f286472b3143c9943abd57b6a62dbe8047e8e388ace5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012724001\0f5f16a6c5.exe

Filesize
1.7MB

MD5
97463b8b882ab753434f3ecf6928ea85

SHA1
e01f33b1d9bfc05e951719087458566ce4ffee4a

SHA256
898520b99f7979c913999ecc5c8ab1e416d19c226464bf8e4b3ac2d8cd023a8d

SHA512
fbc4d697f6147575fbcd0fafd21e2facddb9c3d72f0abd39f2a9524f15879b79e3be92573178d785af079abbc010910e257527e7ed3901c2a2231932680b7352

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012725001\217c7d2614.exe

Filesize
4.9MB

MD5
354e2562477ecab1cc52116cccb91c20

SHA1
bc507791496a806c8376180718aef5a54447d6fb

SHA256
364c1f1ccf4a537fe8705390bce9a94aeb634c8021f0bcb60ee9bda35e3f3d87

SHA512
9d025986b00d8e8488b9d88b61b9368b2d6b0907843722921bcb0528bb241dc6fd406f26ef578dd2936f4f388479b723dfdef40d28d1e5a3d7358b936e124b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012726001\670129fc15.exe

Filesize
945KB

MD5
8fc933172f3c7af2dace64e968b0fe6e

SHA1
f794103213345eab73f12db2e54fbaf21cf789c8

SHA256
629cc6613193ca5d906dc5c43b5e13d3b0d4273f406e2f2d1eafbbb4ec0d30b9

SHA512
a4e6bc67fcd8fb1a606c45564544792520c0b7cea8be3e0df04f9bbe2b9810b2162fb89a93b14902d7eb7462cea3cd9a1795c8bfe03c637f64037f814302ca9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012727001\a894011244.exe

Filesize
240KB

MD5
e35f88592827f3d166b5aece4705d302

SHA1
4cbb5047589add8159d16e2b6c0667c1e64a3a7f

SHA256
44f5e1432a647cc937076fe03f7929c5525f1ff26e70689438109809000f8982

SHA512
fbc689d03e670b0ce82c4afd8fb649c3046a9fa6742079180edcc52c153473bdaf8b93cf8d58acd3fd653cb04da96268269376629d44e23930374f51e025c242

Download Submit
C:\Users\Admin\AppData\Local\Temp\1012728001\1129240a4e.exe

Filesize
4.2MB

MD5
261d511a3420cda4b383cab204e3ec7b

SHA1
59c3c24f34d2381869a203180b409631e0008918

SHA256
5325d6080593f6f09f4cccd1dd6a29980c2a03eb3029f275ca10673d6d437157

SHA512
215fdcd8bbe2ac24b69e71a2f34df24c4ed3f5dfff2f8c0930f6ebe7ca7a7f1cebcbe0b3a7bed358d716c427368a8e35a7cefdc488dd780ae24769b07e662146

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.1MB

MD5
881b7f6c92cb1897610bcfdca6d5aa1a

SHA1
2cfc19c420a638697581e266c3b4dc1e5b3399be

SHA256
c8ea05d9a336d3422f011b7e4493adce1d352330defe24ac6bc3861a02e592bd

SHA512
84bad11f96e199f337ea9dd3d24a072796d4f32cf56039d3c5805aa57fd1f79fc3f6d2cfbd9b9203ad95523b89edc9c420bacc2f160f4006dc0700d4f3336ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3bf14f157fa94ad2cd94f0f7d98229e4

SHA1
7d5b8e9725c0d787ae295cedeed46094e52186d2

SHA256
b4f68117db792dd2bae26e530c886279690723862ad249a79c5456d4d4be7915

SHA512
2159d0fb683a2f23e45cef4a2007a9b19ced1866eb229af94f5e0cfb58ed4cb5de70c522a63cd44d59eb3c14983582a49ee82409c5d84ea2efb870e579590eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\dbd25f7f-fa72-4c74-9195-cc52b480d679

Filesize
745B

MD5
5a9ccf2699cddfce656a84a2decba6c0

SHA1
c1183f7650864f8d1eaa70ac30b1fd985d4c7371

SHA256
961808c0b8b10546afa340570df8eaf4458755e41e1bb3b8d78634ae5fd67814

SHA512
d25781ef1675fc2df0edd3fce762608dc275dd709cc82e110c18be254be193d1cbec7c3cc6c643507e9a546139387263527333f32c1bd3ce90cad6be4778122c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\f5ffac96-0619-4b0a-aeb5-a075b18e2134

Filesize
12KB

MD5
b07e9cd8a8e08a32c5b8c9a142863019

SHA1
91ff30e3402cd60eab358dec4ad74c5b51de1b4e

SHA256
2b4c8bda5a0948e2c492326432b6b51067356c36f28eb5035d21383efa8ec44a

SHA512
207b3efda191e8a7fe03350660df9fdef9e4b8e2b43ef7bb88d6945842d610646305a22e2e2ae7546ee19c7159eb4322116604a64706ea39c9e5d5d52c7c3646

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
6KB

MD5
db1be5753463adb8488e486fad125351

SHA1
3402163b4d7cbde0f57095cc83b38410dd14cd8f

SHA256
8b0ce1dfd92ea3f44e52623ee9c11f807e62d6e739e242499c1d47c3fccd5c2f

SHA512
539126c51dc1e08a4a53fab40b7252a8b4854e1a12efe244f40df0f631bbf2a7865a627f6d22be3c2080f3f3aeac2c02d3fdafb3c979a8330ef04d9e75159bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
7KB

MD5
437721f70b65ffbe2ac3b75afbbcbca1

SHA1
66bdda09f0f4820d2999548d63e1418b6dfb3b2c

SHA256
aa39a707f9bc09b40398da9f9485af0a9a0eb30fe669e77bc042e83dc1a22e68

SHA512
6b648367288b46e67caff60ca8fddb85e0dc681d3f595945f87786a85680649a2c17123b66d83294f8c91981fec0273ea16e34ee364ef9866e0fa380c542dc64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
7KB

MD5
fae8b906966666a9504615d287465b70

SHA1
8a35afb9655f7230dc5b1707ac6b71ba907cd6f0

SHA256
e1e45c95c7807b8d8b4cc5072f18152c773e2033ad79f98a502a777f0b9a9823

SHA512
31a36a15c7465dcdaa48ef714e9e5277d086e68f928a69151444777b3ce35f76c99eab26550859aa5c4d19266da3de1f672c39c8a14d631545439113a76f1e16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

Filesize
6KB

MD5
9dd5fd16c188382ef8a3875b29193859

SHA1
339f6d59583294118cff0e004ac82d7d4f688750

SHA256
0bf0f6804e7ddef150a2e81adc079e8962a181675055c6cd467f09977a09ae69

SHA512
e311ca368ce0397dc670c69a449c23f6f4d70cf46214db5b972a4d1ddcc08b38c2147442d8de26373122e12b5559a822c0480e7aee089e6fb16fdcd59d96fda8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js

Filesize
6KB

MD5
064afd5d46062d9cb66b7ae2337984b2

SHA1
9c7aebf9e6200cf43f3cfcb653f450449bed0ff1

SHA256
98d14366507037c19c6ae73633746ace7fe28da0612f1cd0485a28d7a42edbde

SHA512
703fec7ced9995a6c268b4b894dfd154f109438eb91e4923a36c7c980796937a837b0f3baced770f11e59f576f4fa1028978b061179f4d2acdb19f8f755aa31b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
efbb346e0c1c3c9abd8934b4894ac865

SHA1
2673727b582cdbaa1b981443c0f63187c38eed80

SHA256
a968e649795e96e43643dedb71059f266e870010165d9fd1d855844c5a66066a

SHA512
77b9d26b79cbbb59ed14990b3a6b9ca02e78ef67eacd184019d6178cd289bdb450bc05d9c5fc4221c5a957368b1245949fafa9e9ade0fbb8e2546fff174a859f

Download Submit
memory/604-927-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-603-0x0000000006A20000-0x0000000006F0B000-memory.dmp

Filesize
4.9MB

Download
memory/604-928-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-570-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-916-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-913-0x0000000006A20000-0x00000000076D4000-memory.dmp

Filesize
12.7MB

Download
memory/604-587-0x0000000006A20000-0x0000000006F0B000-memory.dmp

Filesize
4.9MB

Download
memory/604-586-0x0000000006A20000-0x0000000006EAF000-memory.dmp

Filesize
4.6MB

Download
memory/604-589-0x0000000006A20000-0x0000000006F0B000-memory.dmp

Filesize
4.9MB

Download
memory/604-912-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-911-0x0000000006A20000-0x00000000076D4000-memory.dmp

Filesize
12.7MB

Download
memory/604-591-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-910-0x0000000006A20000-0x00000000076D4000-memory.dmp

Filesize
12.7MB

Download
memory/604-567-0x0000000006A20000-0x0000000006EAF000-memory.dmp

Filesize
4.6MB

Download
memory/604-550-0x0000000006A20000-0x0000000006EC8000-memory.dmp

Filesize
4.7MB

Download
memory/604-614-0x0000000006A20000-0x0000000006F0B000-memory.dmp

Filesize
4.9MB

Download
memory/604-533-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-896-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-554-0x0000000006A20000-0x0000000006EC8000-memory.dmp

Filesize
4.7MB

Download
memory/604-553-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-552-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-838-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-771-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-549-0x0000000006A20000-0x0000000006EC8000-memory.dmp

Filesize
4.7MB

Download
memory/604-793-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/604-929-0x0000000000F50000-0x0000000001264000-memory.dmp

Filesize
3.1MB

Download
memory/1484-517-0x0000000002300000-0x0000000002614000-memory.dmp

Filesize
3.1MB

Download
memory/1616-518-0x00000000009E0000-0x0000000000CF4000-memory.dmp

Filesize
3.1MB

Download
memory/1616-535-0x00000000009E0000-0x0000000000CF4000-memory.dmp

Filesize
3.1MB

Download
memory/1616-531-0x0000000006860000-0x0000000006B74000-memory.dmp

Filesize
3.1MB

Download
memory/1616-532-0x0000000006860000-0x0000000006B74000-memory.dmp

Filesize
3.1MB

Download
memory/2336-3-0x00000000002C0000-0x00000000007AB000-memory.dmp

Filesize
4.9MB

Download
memory/2336-1-0x0000000077540000-0x0000000077542000-memory.dmp

Filesize
8KB

Download
memory/2336-242-0x00000000002C0000-0x00000000007AB000-memory.dmp

Filesize
4.9MB

Download
memory/2336-521-0x00000000002C1000-0x000000000050A000-memory.dmp

Filesize
2.3MB

Download
memory/2336-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2336-2-0x00000000002C1000-0x000000000050A000-memory.dmp

Filesize
2.3MB

Download
memory/2336-520-0x00000000002C0000-0x00000000007AB000-memory.dmp

Filesize
4.9MB

Download
memory/2336-279-0x00000000002C0000-0x00000000007AB000-memory.dmp

Filesize
4.9MB

Download
memory/2336-244-0x00000000002C0000-0x00000000007AB000-memory.dmp

Filesize
4.9MB

Download
memory/2336-243-0x00000000002C1000-0x000000000050A000-memory.dmp

Filesize
2.3MB

Download
memory/2336-0-0x00000000002C0000-0x00000000007AB000-memory.dmp

Filesize
4.9MB

Download
memory/2336-488-0x00000000002C0000-0x00000000007AB000-memory.dmp

Filesize
4.9MB

Download
memory/2384-566-0x0000000000B70000-0x0000000001018000-memory.dmp

Filesize
4.7MB

Download
memory/2384-551-0x0000000000B70000-0x0000000001018000-memory.dmp

Filesize
4.7MB

Download
memory/2768-588-0x00000000013A0000-0x000000000188B000-memory.dmp

Filesize
4.9MB

Download
memory/2768-590-0x00000000013A0000-0x000000000188B000-memory.dmp

Filesize
4.9MB

Download
memory/2812-914-0x00000000003F0000-0x00000000010A4000-memory.dmp

Filesize
12.7MB

Download
memory/2812-915-0x00000000003F0000-0x00000000010A4000-memory.dmp

Filesize
12.7MB

Download
memory/3028-572-0x0000000000980000-0x0000000000E0F000-memory.dmp

Filesize
4.6MB

Download
memory/3028-568-0x0000000000980000-0x0000000000E0F000-memory.dmp

Filesize
4.6MB

Download