Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 16:06
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
General
-
Target
file.exe
-
Size
2.9MB
-
MD5
17773f6ab422d27012d0f813eec77035
-
SHA1
e148f243044c22dd5374d41d4d9c5ae066c454cf
-
SHA256
34b764f92f6aa319f62bf730e82f02a914cda5c7d7fa665c20a8f2c5430acc4a
-
SHA512
6e0f75cea50dd43eb019fa5eb66d7e92262b2a7fdc12ab872afbd6339c069856427ce0e7cfd86fcbf17943d7c180a15ce12a9799561330173f485cafaa4ace88
-
SSDEEP
49152:j5i0B6cfbpQIZyuOO26+iiaSwVgQJwXBUdlOauf7w:jb6cflfSiXNOtRUxuT
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
cryptbot
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey family
-
Cryptbot family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4000 created 1388 4000 ff0cba5a40.exe 21 -
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 6f7726db19.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2140312ed8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ff0cba5a40.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6f7726db19.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 839ef93e55.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b760039495.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HJJJJKEHCA.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2260 chrome.exe 2452 chrome.exe 872 chrome.exe 788 chrome.exe -
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6f7726db19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 839ef93e55.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ff0cba5a40.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HJJJJKEHCA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 839ef93e55.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b760039495.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ff0cba5a40.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2140312ed8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2140312ed8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HJJJJKEHCA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6f7726db19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b760039495.exe -
Executes dropped EXE 17 IoCs
pid Process 2776 skotes.exe 3016 Cq6Id6x.exe 2300 x0qQ2DH.exe 1972 41ecec5f2e.exe 1100 6f7726db19.exe 1716 839ef93e55.exe 536 Cq6Id6x.exe 1040 b760039495.exe 2884 db52daa04d.exe 2712 2140312ed8.exe 3528 805f7762a9.exe 3724 41ecec5f2e.exe 4000 ff0cba5a40.exe 2800 035b9b7b5f.exe 3120 HJJJJKEHCA.exe 3292 IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe 1812 GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe -
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine b760039495.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 2140312ed8.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 6f7726db19.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 839ef93e55.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine ff0cba5a40.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine HJJJJKEHCA.exe -
Loads dropped DLL 26 IoCs
pid Process 524 file.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 3016 Cq6Id6x.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 2776 skotes.exe 1972 41ecec5f2e.exe 2776 skotes.exe 2776 skotes.exe 1040 b760039495.exe 1040 b760039495.exe 2776 skotes.exe 2776 skotes.exe 3364 cmd.exe 1716 839ef93e55.exe 1716 839ef93e55.exe 1716 839ef93e55.exe 1716 839ef93e55.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 2140312ed8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\839ef93e55.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016966001\\839ef93e55.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\b760039495.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016967001\\b760039495.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\db52daa04d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016968001\\db52daa04d.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\2140312ed8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016969001\\2140312ed8.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x00050000000195b7-149.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid Process 524 file.exe 2776 skotes.exe 1100 6f7726db19.exe 1716 839ef93e55.exe 1040 b760039495.exe 2712 2140312ed8.exe 4000 ff0cba5a40.exe 3120 HJJJJKEHCA.exe 3292 IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe 1812 GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3016 set thread context of 536 3016 Cq6Id6x.exe 38 PID 1972 set thread context of 3724 1972 41ecec5f2e.exe 65 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language db52daa04d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2140312ed8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cq6Id6x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ff0cba5a40.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cq6Id6x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6f7726db19.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b760039495.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 839ef93e55.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 41ecec5f2e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 41ecec5f2e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language db52daa04d.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage db52daa04d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 b760039495.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString b760039495.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 10 IoCs
pid Process 2624 taskkill.exe 3844 taskkill.exe 3360 taskkill.exe 3688 taskkill.exe 3740 taskkill.exe 1692 taskkill.exe 3584 taskkill.exe 3660 taskkill.exe 2252 taskkill.exe 3772 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 524 file.exe 2776 skotes.exe 1100 6f7726db19.exe 1100 6f7726db19.exe 1100 6f7726db19.exe 1100 6f7726db19.exe 1100 6f7726db19.exe 1100 6f7726db19.exe 1716 839ef93e55.exe 1040 b760039495.exe 1040 b760039495.exe 1040 b760039495.exe 2260 chrome.exe 2260 chrome.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2712 2140312ed8.exe 2712 2140312ed8.exe 2712 2140312ed8.exe 2712 2140312ed8.exe 4000 ff0cba5a40.exe 4000 ff0cba5a40.exe 4000 ff0cba5a40.exe 4000 ff0cba5a40.exe 4000 ff0cba5a40.exe 2884 db52daa04d.exe 1464 dialer.exe 1464 dialer.exe 1464 dialer.exe 1464 dialer.exe 536 Cq6Id6x.exe 536 Cq6Id6x.exe 536 Cq6Id6x.exe 536 Cq6Id6x.exe 1040 b760039495.exe 2884 db52daa04d.exe 3120 HJJJJKEHCA.exe 1716 839ef93e55.exe 1716 839ef93e55.exe 1716 839ef93e55.exe 1716 839ef93e55.exe 2884 db52daa04d.exe 3724 41ecec5f2e.exe 3724 41ecec5f2e.exe 3724 41ecec5f2e.exe 3724 41ecec5f2e.exe 3292 IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe 3292 IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe 3292 IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe 1812 GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 3016 Cq6Id6x.exe Token: SeDebugPrivilege 1972 41ecec5f2e.exe Token: SeDebugPrivilege 2624 taskkill.exe Token: SeShutdownPrivilege 2260 chrome.exe Token: SeShutdownPrivilege 2260 chrome.exe Token: SeShutdownPrivilege 2260 chrome.exe Token: SeShutdownPrivilege 2260 chrome.exe Token: SeShutdownPrivilege 2260 chrome.exe Token: SeShutdownPrivilege 2260 chrome.exe Token: SeDebugPrivilege 1692 taskkill.exe Token: SeDebugPrivilege 2712 2140312ed8.exe Token: SeDebugPrivilege 3584 taskkill.exe Token: SeDebugPrivilege 3660 taskkill.exe Token: SeDebugPrivilege 3844 taskkill.exe Token: SeDebugPrivilege 2252 taskkill.exe Token: SeDebugPrivilege 3360 taskkill.exe Token: SeDebugPrivilege 3688 taskkill.exe Token: SeDebugPrivilege 3740 taskkill.exe Token: SeDebugPrivilege 3772 taskkill.exe Token: SeDebugPrivilege 3668 firefox.exe Token: SeDebugPrivilege 3668 firefox.exe Token: SeDebugPrivilege 3292 IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
pid Process 524 file.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2260 chrome.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 3668 firefox.exe 3668 firefox.exe 3668 firefox.exe 3668 firefox.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 2884 db52daa04d.exe 3668 firefox.exe 3668 firefox.exe 3668 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 524 wrote to memory of 2776 524 file.exe 31 PID 524 wrote to memory of 2776 524 file.exe 31 PID 524 wrote to memory of 2776 524 file.exe 31 PID 524 wrote to memory of 2776 524 file.exe 31 PID 2776 wrote to memory of 3016 2776 skotes.exe 33 PID 2776 wrote to memory of 3016 2776 skotes.exe 33 PID 2776 wrote to memory of 3016 2776 skotes.exe 33 PID 2776 wrote to memory of 3016 2776 skotes.exe 33 PID 2776 wrote to memory of 3016 2776 skotes.exe 33 PID 2776 wrote to memory of 3016 2776 skotes.exe 33 PID 2776 wrote to memory of 3016 2776 skotes.exe 33 PID 2776 wrote to memory of 2300 2776 skotes.exe 34 PID 2776 wrote to memory of 2300 2776 skotes.exe 34 PID 2776 wrote to memory of 2300 2776 skotes.exe 34 PID 2776 wrote to memory of 2300 2776 skotes.exe 34 PID 2776 wrote to memory of 1972 2776 skotes.exe 35 PID 2776 wrote to memory of 1972 2776 skotes.exe 35 PID 2776 wrote to memory of 1972 2776 skotes.exe 35 PID 2776 wrote to memory of 1972 2776 skotes.exe 35 PID 2776 wrote to memory of 1972 2776 skotes.exe 35 PID 2776 wrote to memory of 1972 2776 skotes.exe 35 PID 2776 wrote to memory of 1972 2776 skotes.exe 35 PID 2776 wrote to memory of 1100 2776 skotes.exe 36 PID 2776 wrote to memory of 1100 2776 skotes.exe 36 PID 2776 wrote to memory of 1100 2776 skotes.exe 36 PID 2776 wrote to memory of 1100 2776 skotes.exe 36 PID 2776 wrote to memory of 1716 2776 skotes.exe 37 PID 2776 wrote to memory of 1716 2776 skotes.exe 37 PID 2776 wrote to memory of 1716 2776 skotes.exe 37 PID 2776 wrote to memory of 1716 2776 skotes.exe 37 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 3016 wrote to memory of 536 3016 Cq6Id6x.exe 38 PID 2776 wrote to memory of 1040 2776 skotes.exe 39 PID 2776 wrote to memory of 1040 2776 skotes.exe 39 PID 2776 wrote to memory of 1040 2776 skotes.exe 39 PID 2776 wrote to memory of 1040 2776 skotes.exe 39 PID 2776 wrote to memory of 2884 2776 skotes.exe 40 PID 2776 wrote to memory of 2884 2776 skotes.exe 40 PID 2776 wrote to memory of 2884 2776 skotes.exe 40 PID 2776 wrote to memory of 2884 2776 skotes.exe 40 PID 2884 wrote to memory of 2624 2884 db52daa04d.exe 41 PID 2884 wrote to memory of 2624 2884 db52daa04d.exe 41 PID 2884 wrote to memory of 2624 2884 db52daa04d.exe 41 PID 2884 wrote to memory of 2624 2884 db52daa04d.exe 41 PID 1040 wrote to memory of 2260 1040 b760039495.exe 44 PID 1040 wrote to memory of 2260 1040 b760039495.exe 44 PID 1040 wrote to memory of 2260 1040 b760039495.exe 44 PID 1040 wrote to memory of 2260 1040 b760039495.exe 44 PID 2260 wrote to memory of 2976 2260 chrome.exe 45 PID 2260 wrote to memory of 2976 2260 chrome.exe 45 PID 2260 wrote to memory of 2976 2260 chrome.exe 45 PID 2260 wrote to memory of 1288 2260 chrome.exe 46 PID 2260 wrote to memory of 1288 2260 chrome.exe 46 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:536
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"4⤵
- Executes dropped EXE
PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\1016964001\41ecec5f2e.exe"C:\Users\Admin\AppData\Local\Temp\1016964001\41ecec5f2e.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
C:\Users\Admin\AppData\Local\Temp\1016964001\41ecec5f2e.exe"C:\Users\Admin\AppData\Local\Temp\1016964001\41ecec5f2e.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3724
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016965001\6f7726db19.exe"C:\Users\Admin\AppData\Local\Temp\1016965001\6f7726db19.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1100
-
-
C:\Users\Admin\AppData\Local\Temp\1016966001\839ef93e55.exe"C:\Users\Admin\AppData\Local\Temp\1016966001\839ef93e55.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1716 -
C:\Users\Admin\AppData\Local\Temp\IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe"C:\Users\Admin\AppData\Local\Temp\IITVAX8EIWKNBL8AOIEBUGY4RE9S.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
-
C:\Users\Admin\AppData\Local\Temp\GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe"C:\Users\Admin\AppData\Local\Temp\GA6BYW6IE7H5IFHX1M5W6ISZMOMBB4.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1812
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016967001\b760039495.exe"C:\Users\Admin\AppData\Local\Temp\1016967001\b760039495.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b09758,0x7fef6b09768,0x7fef6b097786⤵PID:2976
-
-
C:\Windows\system32\ctfmon.exectfmon.exe6⤵PID:1288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1380,i,15678962607325577151,14787725511236152354,131072 /prefetch:26⤵PID:1908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1380,i,15678962607325577151,14787725511236152354,131072 /prefetch:86⤵PID:1076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1380,i,15678962607325577151,14787725511236152354,131072 /prefetch:86⤵PID:2252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1380,i,15678962607325577151,14787725511236152354,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:2452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2376 --field-trial-handle=1380,i,15678962607325577151,14787725511236152354,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2384 --field-trial-handle=1380,i,15678962607325577151,14787725511236152354,131072 /prefetch:16⤵
- Uses browser remote debugging
PID:788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3320 --field-trial-handle=1380,i,15678962607325577151,14787725511236152354,131072 /prefetch:26⤵PID:2732
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\HJJJJKEHCA.exe"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3364 -
C:\Users\Admin\Documents\HJJJJKEHCA.exe"C:\Users\Admin\Documents\HJJJJKEHCA.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3120
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016968001\db52daa04d.exe"C:\Users\Admin\AppData\Local\Temp\1016968001\db52daa04d.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3584
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3844
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:3892
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
PID:3900 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.0.1117539478\1309797397" -parentBuildID 20221007134813 -prefsHandle 1148 -prefMapHandle 1108 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {decc3c86-8acd-48c1-92ac-724726f628a4} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 1296 12607e58 gpu7⤵PID:3264
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.1.1408196975\986113365" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1504 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e4e1233-8b75-4269-8d28-20515aa9d744} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 1536 eaebb58 socket7⤵PID:3332
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3900.2.1670520446\351553354" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {201d5d68-7411-4ad5-9b28-1231d719a770} 3900 "\\.\pipe\gecko-crash-server-pipe.3900" 2260 19753858 tab7⤵PID:3016
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3688
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:3800
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3668 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3668.0.695016977\2058670622" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 20847 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25b6d246-fb45-43b6-b236-72a54adb44d4} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" 1260 134f6e58 gpu7⤵PID:1560
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3668.1.1668911582\534880775" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21708 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8df9efad-39a5-4c47-b812-714929075f2c} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" 1476 e73658 socket7⤵PID:2096
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3668.2.452779171\647261805" -childID 1 -isForBrowser -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 21746 -prefMapSize 233496 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f48642e-ffe8-4e6c-9049-fc3706e31836} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" 2320 19b16c58 tab7⤵PID:1504
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3668.3.696314178\1321639494" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26216 -prefMapSize 233496 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da5f5778-0c04-441c-8838-36b22718c54f} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" 2824 1bc25558 tab7⤵PID:3384
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3668.4.1156202027\676296662" -childID 3 -isForBrowser -prefsHandle 3616 -prefMapHandle 3620 -prefsLen 26356 -prefMapSize 233496 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2828c70c-73f1-45cd-b2fe-29dbcbd30fbd} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" 3596 1f705958 tab7⤵PID:2548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3668.5.1227547475\811329410" -childID 4 -isForBrowser -prefsHandle 3648 -prefMapHandle 3636 -prefsLen 26356 -prefMapSize 233496 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f744fd2-c80a-42a7-8b57-3c77d57e5faa} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" 3724 1fadde58 tab7⤵PID:2272
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3668.6.2105818482\622807637" -childID 5 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 26356 -prefMapSize 233496 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4012c76-92a2-465c-90e3-f18f3c524c81} 3668 "\\.\pipe\gecko-crash-server-pipe.3668" 3868 1fade158 tab7⤵PID:3136
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016969001\2140312ed8.exe"C:\Users\Admin\AppData\Local\Temp\1016969001\2140312ed8.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\1016970001\805f7762a9.exe"C:\Users\Admin\AppData\Local\Temp\1016970001\805f7762a9.exe"4⤵
- Executes dropped EXE
PID:3528
-
-
C:\Users\Admin\AppData\Local\Temp\1016971001\ff0cba5a40.exe"C:\Users\Admin\AppData\Local\Temp\1016971001\ff0cba5a40.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4000
-
-
C:\Users\Admin\AppData\Local\Temp\1016972001\035b9b7b5f.exe"C:\Users\Admin\AppData\Local\Temp\1016972001\035b9b7b5f.exe"4⤵
- Executes dropped EXE
PID:2800
-
-
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1464
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1960
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD522bf9d80e91d94e61031b14bbeefc33d
SHA1043659b68a4f22152b903c4d2e7a589d445adafc
SHA2564cf15628b3654c26ca0274daa590753204f4cd402ef3c8c8b134f090368a793f
SHA512bc42d4da621401f14ae5045b152bd32a0db7adc4b1821904929daaeaf5ed848d3a8cc9dec5a99bc073c61f79064a42ec2db320c5ddd8174fc2e8a0a4e83db430
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\000002.dbtmp
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT~RFf77b9ed.TMP
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD5c809abf062d4b0bb322bbb730f843185
SHA1fc1cdada94fc691d4a9189f7b43bdf0968533974
SHA256ce6bf51097efc3f41a5415db523f9d347563d431a767c34161b1a944be2f6942
SHA51246653ec7af6f90f4ac01de8fcd995b1c35c089f548c6d351c0cdf9844614c126fa78b3f1fc9bcc5fb9ba5683f07923c4794833afcbc467dde1fb7a27ce6c0f73
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
17.6MB
MD53c224e3fc892719dc1e302378e533579
SHA10a65062e1426a95bfeca355398b6fdc4912fb6b1
SHA25664cc7f7906fe1ebf0b6977892abd9aa36f5e525cb241964c3986ee9e1a18312d
SHA512554a26e9654eccce831e4adcee49d5e2507956935e562b134a86f332d867debfcd1f64fdb88fccb2e1eee810975d565dbc6ea1376516817ee38765e4bd733a49
-
Filesize
4.2MB
MD58841698b335573b0abe7875b85b653d6
SHA1e74926dcb5b7e996d4f4961a763d2c4d8e8e24d0
SHA256490fc3ac1830a381350813ad614c258eb761886aad612879a592461edffd719b
SHA5122f8941aaf2724687e70f4c742ac2f3a2009df18776d8e182a3042eb33422463df109e1e666d8f8a66cd7f6312e86aa9dd4a127c5559e04cbd57a6da51077e037
-
Filesize
1.8MB
MD56a31ef4963e7f7d4fcc0927f58a5dbf2
SHA108180799961431fd8fbe0e32c1147d560ab258ad
SHA256e0bb02c3593df3fb9b89b57840abf4c80dc7a3951efe4804c23feb13f3e1c34a
SHA5124a796c9d2dc9c16f471d51e68c5e50ba40a179444a1ecf7beaaeb823bf46b973ea6ca4a421d899aabc7a1ee331832c654d788882627bbb4ec77340ee87f7169b
-
Filesize
2.8MB
MD53bb75cb881e430e48ec13d73d43abe49
SHA1dffcad869a875b9fa9a142bedf34d781db72e709
SHA2561e632d695c7204f2b42e9ce49001d02c81aad32216b0375f94e710f6190aeb6a
SHA5128bfd4b91c00b20e3cbcea3d0c19f80af8813fe5142eb59b30827e3bca0308b70f40754288345fa7b10de49e949792e81f084994e83197d857ef248f8f29d6eeb
-
Filesize
945KB
MD54e38b1008d236084740a6c44fbc4ebf6
SHA1fc8bd7f661e78127932bf4f0fed8651044c3ec28
SHA256d18ee20816febb7f9c68c906651376a94130383b54cc739aa9cbe55a9c4659bf
SHA512e5d0445f8c1de74a66934f4e21784fd4ab2d7bbe05047a5c2d826a3aaba8047f76cb084bec23bb7a243d68fcee72310541aafde2818b84edf703d59dae93ef7e
-
Filesize
1.7MB
MD57be93aff7cef5ad80c82706349b7fed3
SHA13ecee88fe03d1128fdd9687aadfefbc30422881e
SHA25603758fcdba856326a849effda02aa9185ab135b95c1c0854e9ec7d2d3889c0f3
SHA5127d620e39f4d1498765f733078c41f2db5c5f273e2e8781bfc517aee9d444bd6cbba817f0c925a95c2acb76f6f4467fa56a8306f6d372e321e7e1c69495a25db0
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
1.9MB
MD5e7eb9a61aec1e191dcc006e605c7628e
SHA1f931ceab7be44e9efb12b7ff292e0227eadebce2
SHA2560428284ddb962526e13dcf1be7707e0ce1acfcca7eba4dc33a03dc8503c03253
SHA51273856a2a132ea5786860d07b36bd3293facc0562f2b630a08036932331d1e91417e87753815c25d534fa2eb0f6d76e8039a3af6eb407294711eae5bb0b1a1ba5
-
Filesize
747KB
MD58a9cb17c0224a01bd34b46495983c50a
SHA100296ea6a56f6e10a0f1450a20c5fb329b8856c1
SHA2563d51b9523b387859bc0d94246dfb216cfa82f9d650c8d11be11ed67f70e7440b
SHA5121472e4670f469c43227b965984ecc223a526f6284363d8e08a3b5b55e602ccce62df4bc49939ee5bd7df7b0c26e20da896b084eccab767f8728e6bf14d71c840
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
224KB
MD5a09a00beebd5b095d66eac923cda0ed3
SHA1346f47ead87eb25f831bf592dab64677ec63e22a
SHA256db6bddba824e045c41c3ca60ab807252ef8467e8d88883aaa736b0813144160e
SHA5128a64449a1b96536b078692cf4d4bc45be14c2c0feb964dcbb58f485f95bf1b4cd47584ca6f5f8e9d5f81349dd5518916bad01d51341502c7775b18dc3e439b07
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD56a1538fd809c78aea023419e64055d9c
SHA199a65c2925c71e0e0df4925b722a19684bf14422
SHA256a209f2f1aa4bd7ab5f96dd1c6cbd45018ac49b1a2da1252f73ce0a7e25ad6483
SHA5126ffbb8546fd85f22f0fe58a6b7e1cc999f35082c52c443af1d09efc5ed3ea314f068d40590a23596595cc745913eaa7376cc7817c69c16ca7e874d463a4971cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\01d77f15-8645-4f80-b42b-8776c84af527
Filesize745B
MD59d9376401ad1a1c62e3a5966643f0b6c
SHA1ec470a4d60088b37b8d37e31f543dc52776a7bd4
SHA256b1d2d8ad98c05d19048f6c2653383455af55d6a7037294aeeaed2ed66348b0fd
SHA512fdff2a9cc963deb61c710c3d85718bf0fe3cf1712bd60d812e6a70843aae23920979c7b72b9ba3c1ed65204377f28f53208e17f0169769d608811bf87278232a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\a4a89e21-f48a-4c83-ba4d-219141932cb9
Filesize11KB
MD54c4941199045c2b0b36724f07e57228b
SHA1c62b21c2fa279e8f71dc148b31388e2e3318a285
SHA2569630238392a7c3d266ac21b385ff9adf11a4478d0452902cc7aa11d7a433f3ec
SHA5123e5bfc9184425607bbafa8ca684109f7bba04ed024de8fb0e5dfe351dbbdbbb81f9e312b0cb905d848255317ed841159e3f525dd4beea47a8cf523987a39f4df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5179b75b3c0496ea1f9419a23c4f547a6
SHA1a09c012cb6185c1d1bf14404164cdc012f8f073e
SHA256506c4207188981e9af06e0658f181ccc526a2880cc2e937ef930f332f20abfed
SHA51246b8583f20f373f3b5312efc2e78b612c57bb5760421262cbca64dd68992e763d7032fd43c1e9a7bf836fd458cfedf42a0d5e863f8082a08b9798ca7e254e89b
-
Filesize
7KB
MD52357ecabed1d41423a5754d51aae8974
SHA17308d63a2e1610f27eb468afcd20562c9652c59a
SHA2567adde42ada24f10aa42ab3a41b1589c584f8e4002c4f0c93104975f09accda27
SHA512d6c114f05768caa9373d51f4dc9e24e6b50fbea20c2d129f6fe1fddcdff36689fccb397b841e4e7a5359d51e1325d32162b9286cdb428adee8d21cd87c0576e9
-
Filesize
6KB
MD5be8b6c5a0080cfd91ea2ba01d8c7c5e9
SHA18368b9cdfae8fd114dc0c4f5ff0632aa339d210c
SHA25624bd0f3ea01f7da29f3c1aa3aa98379e8fea20096707adc2ac3a138d628737c3
SHA512902d2db7c74f66dbd9ab299e33e790140312b5321bf4eb06fce1e6d37b6d4a38edd3f5ee0120342f45f4d40609e100e18a29885b47c2c684b6b28239aeb18f14
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionCheckpoints.json
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD578749c08607f85a7ee705b8973c167de
SHA1db92a01d0e3ea0c750fd866ac9c073f2a293d4ac
SHA25616210d69bdfec20a3e94b5b993c0d36452eebfb2a2ddf338a164310a112189d4
SHA512c606c64edb9f72423a80845c8b9b4b5df2d1582e12fdb93736ef9c688f5212bfab6c8340c8c6d90dcc497b774eb14c7983b56e2db7fa7933526c18585818fda1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD59ce41f3185d38e7f555526339dd0a90f
SHA1adfd57ed6ed481900517aa751869e1404f2fc79c
SHA256fc8e8d2e1b073d32835f9db381ff77ee61808ae6e9daa9c6787546cd5af721d3
SHA512956981a2e81a58539482a993a9be257a575797ee5ac3339d47245c2a7e2e348e743d438b1b40dc13dd2ae22d9f8f94ba1d977f95af8d04da0e4cd29281d5409b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2.9MB
MD517773f6ab422d27012d0f813eec77035
SHA1e148f243044c22dd5374d41d4d9c5ae066c454cf
SHA25634b764f92f6aa319f62bf730e82f02a914cda5c7d7fa665c20a8f2c5430acc4a
SHA5126e0f75cea50dd43eb019fa5eb66d7e92262b2a7fdc12ab872afbd6339c069856427ce0e7cfd86fcbf17943d7c180a15ce12a9799561330173f485cafaa4ace88