Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 22:33
Static task: static1
General
Target: 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
Size: 3.0MB
MD5: 5a092b8d63ea7739340befc06c399e8a
SHA1: c2fd010bac59febb5704c0c8cc41f08fe9beadbf
SHA256: 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6
SHA512: 0b2a096f1cf4ceb673ea3598db7cbb0f5810dab76df5e5735a5d11144de2ea254c2e46b83deffc72776b6b03068dcb1f9fb02cb8bfa740f8313f7c4cb286f74b
SSDEEP: 49152:xk86k8R7HD8Xwx98A3iXrzl52cZMZgxbqud+keg1YdkZb:xkxk8RMI98A3iXrzlP6ZabqUYdE
Malware Config
Extracted: amadey
  version: 4.42
  botnet: 9c9aa5
  C2: http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
Extracted: lumma
  C2: https://impend-differ.biz/api
  C2: https://print-vexer.biz/api
  C2: https://dare-curbys.biz/api
  C2: https://covery-mover.biz/api
  C2: https://formy-spill.biz/api
  C2: https://dwell-exclaim.biz/api
  C2: https://zinc-sneark.biz/api
  C2: https://se-blurry.biz/api
  C2: https://drive-connect.cyou/api
Extracted: stealc
  botnet: stok
  C2: http://185.215.113.206
  url_path: /c4becf79229cb002.php
Extracted: lumma
  C2: https://drive-connect.cyou/api
  C2: https://covery-mover.biz/api
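The extracted configs above are the most actionable part of the report: the Amadey and Stealc C2 hosts plus their URL paths, and the Lumma domain list. The script below, added here as a worked example (it is not part of the sandbox report and not code from Amadey, Lumma or Stealc), turns those values into a (host, path) matcher and runs it over HTTP proxy log lines. The indicator values are copied from the Malware Config section; the log line format and the log lines themselves are constructed for the demonstration.

```python
"""Match HTTP proxy log lines against the C2 indicators extracted above.

Added example; not part of the sandbox report and not malware code.
Indicator values are copied from the Malware Config section; the log
format ("<timestamp> <client> <method> <url>") and the log lines are
constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Copied from the extracted configs. The second lumma config repeats two of
# the nine domains; the dict built by build_indicators() deduplicates them.
EXTRACTED = {
    "amadey": {"c2": ["http://185.215.113.43"], "paths": ["/Zu7JuNko/index.php"]},
    "stealc": {"c2": ["http://185.215.113.206"], "paths": ["/c4becf79229cb002.php"]},
    "lumma": {"c2": [
        "https://impend-differ.biz/api", "https://print-vexer.biz/api",
        "https://dare-curbys.biz/api", "https://covery-mover.biz/api",
        "https://formy-spill.biz/api", "https://dwell-exclaim.biz/api",
        "https://zinc-sneark.biz/api", "https://se-blurry.biz/api",
        "https://drive-connect.cyou/api",
        "https://drive-connect.cyou/api", "https://covery-mover.biz/api",
    ], "paths": []},
}


def build_indicators(extracted):
    """Map (host, path) -> family.

    A path of None means "any path on this host" (used when the config gives a
    bare C2 host); url_paths from the config add the tighter (host, path) form.
    """
    indicators = {}
    for family, cfg in extracted.items():
        hosts = set()
        for url in cfg["c2"]:
            parts = urlsplit(url)
            host = parts.hostname.lower()
            hosts.add(host)
            path = parts.path if parts.path not in ("", "/") else None
            indicators[(host, path)] = family
        for path in cfg["paths"]:
            for host in hosts:
                indicators[(host, path)] = family
    return indicators


def match_url(indicators, url):
    """Return the family a request URL belongs to, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return indicators.get((host, path)) or indicators.get((host, None))


def defang(url):
    """Make an indicator safe to paste into a ticket or chat message."""
    return url.replace("http", "hxxp").replace(".", "[.]")


# Constructed proxy log lines (not from the report): two benign, three C2.
SAMPLE_LOG = [
    "2024-12-11T22:34:02Z 10.0.0.15 POST http://185.215.113.43/Zu7JuNko/index.php",
    "2024-12-11T22:34:05Z 10.0.0.15 GET https://clients2.google.com/cr/report",
    "2024-12-11T22:34:11Z 10.0.0.15 POST https://covery-mover.biz/api",
    "2024-12-11T22:34:12Z 10.0.0.15 GET https://www.mozilla.org/",
    "2024-12-11T22:34:20Z 10.0.0.15 POST http://185.215.113.206/c4becf79229cb002.php",
]


def scan_log(lines, indicators):
    """Return one (timestamp, client, family, defanged url) per matching line."""
    hits = []
    for line in lines:
        ts, client, _method, url = line.split(" ", 3)
        family = match_url(indicators, url)
        if family:
            hits.append((ts, client, family, defang(url)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_indicators(EXTRACTED)):
        print(*hit)
```

Matching is deliberately host-plus-path for the Lumma domains, because the config only gives the `/api` endpoint; for the two IP-based C2s a bare host match is also kept, since nothing legitimate should be talking to those addresses at all. Widen or narrow that per indicator before deploying it against real proxy logs.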
Signatures
Amadey family
Gcleaner family
Lumma family
Modifies Windows Defender Real-time Protection settings 6 IoCs
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  fe878f1681.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  fe878f1681.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  fe878f1681.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  fe878f1681.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  fe878f1681.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  fe878f1681.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  skotes.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  skotes.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  1b67255eb4.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  376769cf3c.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  fe878f1681.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  CAAKFIIDGI.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  skotes.exe
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 10 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  pid   Process
  6488  msedge.exe
  6460  msedge.exe
  5220  chrome.exe
  6096  chrome.exe
  3640  chrome.exe
  7148  msedge.exe
  6088  chrome.exe
  6580  chrome.exe
  6712  msedge.exe
  7140  msedge.exe
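The browser-abuse chain this report captures is visible in the process tree further down: a dropped executable in AppData\Local\Temp runs `taskkill /F /IM <browser> /T` for five browsers, then relaunches Firefox in `--kiosk` mode on a Google sign-in URL (a credential lure) and Chrome with `--remote-debugging-port=9229` (DevTools protocol access to the live session, including cookies). The script below is an added example of how to express that chain as process-creation rules; it is not the sandbox's signature logic and not malware code. The events are constructed from the report's process tree, the field names are an assumption (roughly Sysmon Event ID 1), and the "expected parent" list is a starting point to tune per environment.

```python
"""Process-creation rules for the browser-abuse pattern in this report.

Added example; not the sandbox's detection logic and not malware code.
EVENTS is constructed from the report's process tree; the field names
(pid, parent_image, image, cmdline) are an assumed Sysmon-Event-ID-1-like
schema, not a fixed log format.
"""
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}
# Parents that normally start a browser; anything else is worth a look.
# Assumption for the demo: tune this per environment.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "userinit.exe"} | BROWSERS

REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.I)
TASKKILL_IMAGE = re.compile(r"/IM\s+([\w.-]+)", re.I)
KIOSK = re.compile(r"--kiosk\b", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return the list of rule names one process-creation event matches."""
    hits = []
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmd = ev["cmdline"]
    if image == "taskkill.exe":
        m = TASKKILL_IMAGE.search(cmd)
        if m and m.group(1).lower() in BROWSERS:
            hits.append("browser_killed_by_taskkill")
    if image in BROWSERS:
        # Flags the parent launch and every child that inherits the flag,
        # which is what the report's "10 IoCs" for this signature reflect.
        if REMOTE_DEBUG.search(cmd):
            hits.append("browser_remote_debugging")
        if KIOSK.search(cmd) and parent not in EXPECTED_PARENTS:
            hits.append("kiosk_browser_from_unexpected_parent")
        if parent not in EXPECTED_PARENTS and TEMP_DIR.search(ev["parent_image"]):
            hits.append("browser_spawned_by_temp_executable")
    return hits


def scan(events):
    """Return {pid: [rules]} for the events that matched at least one rule."""
    return {ev["pid"]: rules for ev in events if (rules := classify(ev))}


# Constructed from the report's process tree, plus two benign controls.
DROPPER_A = r"C:\Users\Admin\AppData\Local\Temp\1014245001\2cf614f217.exe"
DROPPER_B = r"C:\Users\Admin\AppData\Local\Temp\1014246001\376769cf3c.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EVENTS = [
    {"pid": 1932, "parent_image": DROPPER_A, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"pid": 5032, "parent_image": DROPPER_A, "image": FIREFOX,
     "cmdline": f'"{FIREFOX}" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'},
    {"pid": 5220, "parent_image": DROPPER_B, "image": CHROME,
     "cmdline": f'"{CHROME}" --remote-debugging-port=9229 --profile-directory=""'},
    # Benign (constructed): the user opens Chrome from the shell, and an
    # admin kills Notepad from a console.
    {"pid": 4242, "parent_image": r"C:\Windows\explorer.exe", "image": CHROME,
     "cmdline": f'"{CHROME}"'},
    {"pid": 777, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

Two of the three rules key on the parent rather than on the browser command line, because `--remote-debugging-port` and `--kiosk` are also used by test harnesses and digital-signage setups; a browser started by an executable under the user's Temp directory is the part that has no benign explanation. Chrome's documented default debugging port is 9222; the 9229 in this report is a non-default choice and port-specific rules would have missed it.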
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  skotes.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  376769cf3c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  skotes.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  skotes.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  fe878f1681.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  CAAKFIIDGI.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  skotes.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  skotes.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  1b67255eb4.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  1b67255eb4.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  376769cf3c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  fe878f1681.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  CAAKFIIDGI.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  skotes.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  skotes.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  376769cf3c.exe
Executes dropped EXE 11 IoCs
  pid   Process
  3264  skotes.exe
  916   dd26023dd5.exe
  2968  1b67255eb4.exe
  1548  2cf614f217.exe
  4932  376769cf3c.exe
  2484  fe878f1681.exe
  1928  e7fb860341.exe
  5860  e7fb860341.exe
  7084  CAAKFIIDGI.exe
  2844  skotes.exe
  3980  skotes.exe
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  skotes.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  skotes.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  1b67255eb4.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  376769cf3c.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  fe878f1681.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  CAAKFIIDGI.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine  skotes.exe
Loads dropped DLL 2 IoCs
  pid   Process
  4932  376769cf3c.exe
  4932  376769cf3c.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Modifies Windows Defender TamperProtection settings 2 IoCs
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  fe878f1681.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  fe878f1681.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 3 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2cf614f217.exe = "C:\Users\Admin\AppData\Local\Temp\1014245001\2cf614f217.exe"  skotes.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\376769cf3c.exe = "C:\Users\Admin\AppData\Local\Temp\1014246001\376769cf3c.exe"  skotes.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fe878f1681.exe = "C:\Users\Admin\AppData\Local\Temp\1014247001\fe878f1681.exe"  skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
  resource  behavioral2/files/0x0007000000023ca5-72.dat  yara_rule: autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  pid   Process
  4220  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  3264  skotes.exe
  2968  1b67255eb4.exe
  4932  376769cf3c.exe
  2484  fe878f1681.exe
  7084  CAAKFIIDGI.exe
  2844  skotes.exe
  3980  skotes.exe
Suspicious use of SetThreadContext 1 IoCs
  PID 1928 set thread context of 5860  e7fb860341.exe  procid_target 133
Drops file in Windows directory 1 IoCs
  File created  C:\Windows\Tasks\skotes.job  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
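Four of the signatures above are host-side artifacts that survive the run and are cheap to alert on from registry and file telemetry: the Defender policy values `fe878f1681.exe` sets to "1" under `Policies\Microsoft\Windows Defender\Real-Time Protection`, `TamperProtection = 0` under `Windows Defender\Features`, the three Run-key values `skotes.exe` writes that point into `AppData\Local\Temp`, and the legacy `C:\Windows\Tasks\skotes.job` file the initial sample drops (the same persistence the "Uses Task Scheduler COM API" signature refers to). The script below is an added example of those four as rules over registry-value-set and file-create events; it is not the sandbox's signature code. The events are constructed from the report's IoCs, the field names are an assumed Sysmon-like schema (Event ID 13 for registry value sets, Event ID 11 for file creates), and the two benign control events are invented.

```python
"""Registry/file-event rules for the persistence and Defender-tampering
artifacts in this report.

Added example; not the sandbox's signature code and not malware code.
EVENTS is constructed from the report's IoCs plus two invented benign
controls; the field names (type, image, target, data) are an assumed
Sysmon-like schema (Event ID 13 / Event ID 11), not a fixed format.
"""
import re

DEFENDER_RTP = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection|"
    r"DisableOnAccessProtection|DisableScanOnRealtimeEnable)$", re.I)
TAMPER = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUN_KEY = re.compile(
    r"^HK(?:LM|U\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
JOB_FILE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
SYSTEM_IMAGE = re.compile(r"^C:\\Windows\\(?:System32|SysWOW64)\\", re.I)


def normalize_key(path):
    """Rewrite the kernel form (\\REGISTRY\\MACHINE\\..., \\REGISTRY\\USER\\<SID>\\...)
    to HKLM\\... / HKU\\<SID>\\... and drop the WOW6432Node redirection, so one
    rule covers the 32-bit writer seen here and a 64-bit one alike."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)


def classify_registry(ev):
    key = normalize_key(ev["target"])
    data = str(ev["data"]).strip('"')
    if DEFENDER_RTP.match(key) and data == "1":
        return "defender_realtime_protection_disabled"
    if TAMPER.match(key) and data == "0":
        return "defender_tamper_protection_disabled"
    if RUN_KEY.match(key) and TEMP_PATH.search(data):
        return "run_key_points_into_temp"
    return None


def classify_file(ev):
    # Only the Task Scheduler service has business writing legacy .job files.
    if JOB_FILE.match(ev["target"]) and not SYSTEM_IMAGE.match(ev["image"]):
        return "job_file_dropped_by_non_system_process"
    return None


def scan(events):
    """Return [(rule, image, target)] for every event that matches a rule."""
    out = []
    for ev in events:
        rule = classify_registry(ev) if ev["type"] == "registry_set" else classify_file(ev)
        if rule:
            out.append((rule, ev["image"], ev["target"]))
    return out


SID = "S-1-5-21-3350944739-639801879-157714471-1000"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
EVENTS = [
    # From the report's IoCs.
    {"type": "registry_set", "image": "fe878f1681.exe",
     "target": RTP + r"\DisableRealtimeMonitoring", "data": "1"},
    {"type": "registry_set", "image": "fe878f1681.exe",
     "target": RTP + r"\DisableIOAVProtection", "data": "1"},
    {"type": "registry_set", "image": "fe878f1681.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "data": "0"},
    {"type": "registry_set", "image": "skotes.exe",
     "target": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\376769cf3c.exe",
     "data": r"C:\Users\Admin\AppData\Local\Temp\1014246001\376769cf3c.exe"},
    {"type": "file_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe",
     "target": r"C:\Windows\Tasks\skotes.job"},
    # Invented benign controls: an installer's Run entry in Program Files, and
    # the Task Scheduler service (in svchost.exe) writing a .job file.
    {"type": "registry_set", "image": "msiexec.exe",
     "target": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "data": r"C:\Program Files\Example\agent.exe /background"},
    {"type": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Tasks\At1.job"},
]

if __name__ == "__main__":
    for rule, image, target in scan(EVENTS):
        print(f"{rule:45} {image} -> {target}")
```

The Defender rules match on the policy path, not the `Windows Defender` product key, because that is where `fe878f1681.exe` writes and where a Group Policy push would legitimately write too; on a host that is not domain-managed, any write there is worth a look regardless of value.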
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
  pid   pid_target  Process       procid_target
  6188  916         WerFault.exe  84
  7008  2968        WerFault.exe  90
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e7fb860341.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language  2cf614f217.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dd26023dd5.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2cf614f217.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage  2cf614f217.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  376769cf3c.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fe878f1681.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e7fb860341.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  skotes.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CAAKFIIDGI.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1b67255eb4.exe
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  376769cf3c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  376769cf3c.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Enumerates system info in registry 2 TTPs 8 IoCs
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Kills process with taskkill 5 IoCs
  pid   Process
  4936  taskkill.exe
  1932  taskkill.exe
  2072  taskkill.exe
  516   taskkill.exe
  4416  taskkill.exe
Modifies data under HKEY_USERS 2 IoCs
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784443479786963"  chrome.exe
Modifies registry class 1 IoCs
  Key created  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings  firefox.exe
Suspicious behavior: EnumeratesProcesses 45 IoCs
  pid   Process  (repeated events collapsed, in report order)
  4220  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe  (x2)
  3264  skotes.exe  (x2)
  2968  1b67255eb4.exe  (x2)
  1548  2cf614f217.exe  (x2)
  4932  376769cf3c.exe  (x4)
  1548  2cf614f217.exe  (x2)
  4932  376769cf3c.exe  (x2)
  5220  chrome.exe  (x2)
  2484  fe878f1681.exe  (x5)
  4932  376769cf3c.exe  (x4)
  6980  msedge.exe  (x2)
  6728  msedge.exe  (x4)
  6712  msedge.exe  (x2)
  4932  376769cf3c.exe  (x4)
  7084  CAAKFIIDGI.exe  (x2)
  2844  skotes.exe  (x2)
  3980  skotes.exe  (x2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  pid   Process
  5220  chrome.exe  (x4)
  6712  msedge.exe  (x4)
Suspicious use of AdjustPrivilegeToken 25 IoCs
  Token: SeDebugPrivilege  1932 taskkill.exe
  Token: SeDebugPrivilege  2072 taskkill.exe
  Token: SeDebugPrivilege  516 taskkill.exe
  Token: SeDebugPrivilege  4416 taskkill.exe
  Token: SeDebugPrivilege  4936 taskkill.exe
  Token: SeDebugPrivilege  1600 firefox.exe  (x2)
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  5220 chrome.exe  (x3 pairs)
  Token: SeDebugPrivilege  2484 fe878f1681.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege  5220 chrome.exe  (x4 pairs)
  Token: SeDebugPrivilege  1600 firefox.exe  (x3)
Suspicious use of FindShellTrayWindow 64 IoCs
  pid   Process  (repeated events collapsed, in report order)
  4220  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
  1548  2cf614f217.exe  (x8)
  1600  firefox.exe  (x21)
  1548  2cf614f217.exe  (x4)
  5220  chrome.exe  (x26)
  6712  msedge.exe  (x4)
Suspicious use of SendNotifyMessage 32 IoCs
  pid   Process  (repeated events collapsed, in report order)
  1548  2cf614f217.exe  (x8)
  1600  firefox.exe  (x20)
  1548  2cf614f217.exe  (x4)
Suspicious use of SetWindowsHookEx 1 IoCs
  pid   Process
  1600  firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
  (repeated events collapsed, in report order)
  PID 4220 wrote to memory of 3264  38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe  procid_target 83  (x3)
  PID 3264 wrote to memory of 916   skotes.exe  procid_target 84  (x3)
  PID 3264 wrote to memory of 2968  skotes.exe  procid_target 90  (x3)
  PID 3264 wrote to memory of 1548  skotes.exe  procid_target 93  (x3)
  PID 1548 wrote to memory of 1932  2cf614f217.exe  procid_target 95  (x3)
  PID 1548 wrote to memory of 2072  2cf614f217.exe  procid_target 99  (x3)
  PID 1548 wrote to memory of 516   2cf614f217.exe  procid_target 101  (x3)
  PID 1548 wrote to memory of 4416  2cf614f217.exe  procid_target 103  (x3)
  PID 3264 wrote to memory of 4932  skotes.exe  procid_target 105  (x3)
  PID 1548 wrote to memory of 4936  2cf614f217.exe  procid_target 106  (x3)
  PID 1548 wrote to memory of 5032  2cf614f217.exe  procid_target 108  (x2)
  PID 5032 wrote to memory of 1600  firefox.exe  procid_target 109  (repeated)
  PID 1600 wrote to memory of 2608  firefox.exe  procid_target 110  (repeated)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   PID:4220
  2⤵ C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
     cmd: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
     - Identifies VirtualBox via ACPI registry values (likely anti-VM)
     - Checks BIOS information in registry
     - Checks computer location settings
     - Executes dropped EXE
     - Identifies Wine through registry keys
     - Adds Run key to start application
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     PID:3264
    3⤵ C:\Users\Admin\AppData\Local\Temp\1014243001\dd26023dd5.exe
       cmd: "C:\Users\Admin\AppData\Local\Temp\1014243001\dd26023dd5.exe"
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       PID:916
      4⤵ C:\Windows\SysWOW64\WerFault.exe
         cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 224
         - Program crash
         PID:6188
    3⤵ C:\Users\Admin\AppData\Local\Temp\1014244001\1b67255eb4.exe
       cmd: "C:\Users\Admin\AppData\Local\Temp\1014244001\1b67255eb4.exe"
       - Identifies VirtualBox via ACPI registry values (likely anti-VM)
       - Checks BIOS information in registry
       - Executes dropped EXE
       - Identifies Wine through registry keys
       - Suspicious use of NtSetInformationThreadHideFromDebugger
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       PID:2968
      4⤵ C:\Windows\SysWOW64\WerFault.exe
         cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 636
         - Program crash
         PID:7008
    3⤵ C:\Users\Admin\AppData\Local\Temp\1014245001\2cf614f217.exe
       cmd: "C:\Users\Admin\AppData\Local\Temp\1014245001\2cf614f217.exe"
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage
       - Suspicious use of WriteProcessMemory
       PID:1548
      4⤵ C:\Windows\SysWOW64\taskkill.exe
         cmd: taskkill /F /IM firefox.exe /T
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID:1932
      4⤵ C:\Windows\SysWOW64\taskkill.exe
         cmd: taskkill /F /IM chrome.exe /T
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID:2072
      4⤵ C:\Windows\SysWOW64\taskkill.exe
         cmd: taskkill /F /IM msedge.exe /T
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID:516
      4⤵ C:\Windows\SysWOW64\taskkill.exe
         cmd: taskkill /F /IM opera.exe /T
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID:4416
      4⤵ C:\Windows\SysWOW64\taskkill.exe
         cmd: taskkill /F /IM brave.exe /T
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID:4936
      4⤵ C:\Program Files\Mozilla Firefox\firefox.exe
         cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
         - Suspicious use of WriteProcessMemory
         PID:5032
        5⤵ C:\Program Files\Mozilla Firefox\firefox.exe
           cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
           - Checks processor information in registry
           - Modifies registry class
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of FindShellTrayWindow
           - Suspicious use of SendNotifyMessage
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory
           PID:1600
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {524319ab-b207-4b47-b165-7802e846215c} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" gpu
             PID:2608
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1413438-66b4-40cf-9a07-09b391aaa97c} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" socket
             PID:3188
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42805475-c401-4c75-b627-1ba026e83d6c} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
             PID:1168
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3932 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76b5f789-80cd-4815-b3c7-bf1f93f3f3c5} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
             PID:1932
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1276 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4368 -prefMapHandle 1268 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51f192a7-247c-4a50-842e-590aaac470fe} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" utility
             - Checks processor information in registry
             PID:5408
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0657d09e-f09f-40c2-bf06-b23ad82a5fab} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
             PID:5912
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94957039-f0e4-45ea-83b6-028db5af6293} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
             PID:5924
          6⤵ C:\Program Files\Mozilla Firefox\firefox.exe
             cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2630eab7-2697-48e9-8c09-e66d740e1a08} 1600 "\\.\pipe\gecko-crash-server-pipe.1600" tab
             PID:5936
C:\Users\Admin\AppData\Local\Temp\1014246001\376769cf3c.exe"C:\Users\Admin\AppData\Local\Temp\1014246001\376769cf3c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4932 -
[depth 4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5220)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5280)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffae018cc40,0x7ffae018cc4c,0x7ffae018cc58

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5828)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2332,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2328 /prefetch:2

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5836)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2364 /prefetch:3

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5844)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1972,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:8

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6088)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  - Uses browser remote debugging

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6096)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
  - Uses browser remote debugging

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3640)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4460,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
  - Uses browser remote debugging

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4480)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3636,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:8

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5584)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5764)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5144)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4328)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5304,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4732 /prefetch:8

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6376)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:8

[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6580)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5800,i,5265495333842700380,17685753454121012090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5760 /prefetch:2
  - Uses browser remote debugging
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6712)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6728)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae38c46f8,0x7ffae38c4708,0x7ffae38c4718
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6976)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10910152797543811535,14239085310620391699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6980)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10910152797543811535,14239085310620391699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 7076)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10910152797543811535,14239085310620391699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 7140)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,10910152797543811535,14239085310620391699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  - Uses browser remote debugging

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 7148)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,10910152797543811535,14239085310620391699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  - Uses browser remote debugging

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6460)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,10910152797543811535,14239085310620391699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  - Uses browser remote debugging

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6488)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,10910152797543811535,14239085310620391699,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  - Uses browser remote debugging
[depth 4] C:\Windows\SysWOW64\cmd.exe (PID 5304)
  Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\CAAKFIIDGI.exe"
  - System Location Discovery: System Language Discovery

[depth 5] C:\Users\Admin\Documents\CAAKFIIDGI.exe (PID 7084)
  Command line: "C:\Users\Admin\Documents\CAAKFIIDGI.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

[depth 3] C:\Users\Admin\AppData\Local\Temp\1014247001\fe878f1681.exe (PID 2484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1014247001\fe878f1681.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 3] C:\Users\Admin\AppData\Local\Temp\1014248001\e7fb860341.exe (PID 1928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1014248001\e7fb860341.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

[depth 4] C:\Users\Admin\AppData\Local\Temp\1014248001\e7fb860341.exe (PID 5860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1014248001\e7fb860341.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[depth 1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 2244)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

[depth 1] C:\Windows\system32\svchost.exe (PID 4784)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

[depth 1] C:\Windows\System32\svchost.exe (PID 4480)
  Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup

[depth 2] C:\Windows\SysWOW64\WerFault.exe (PID 5156)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916

[depth 2] C:\Windows\SysWOW64\WerFault.exe (PID 7016)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2968 -ip 2968

[depth 1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2844)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 3980)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15 (technique: matched signature count)

Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
- Modify Authentication Process: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1

Defense Evasion
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Authentication Process: 1
- Modify Registry: 3
- Virtualization/Sandbox Evasion: 2

Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Modify Authentication Process: 1
- Steal Web Session Cookie: 1
- Unsecured Credentials: 4
  - Credentials In Files: 4
Downloads