Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 10:33
Static task
static1
Behavioral task
behavioral1
Sample
0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe
Resource
win7-20240903-en
General
-
Target
0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe
-
Size
2.8MB
-
MD5
97dab65220334cfd17d462ce425588af
-
SHA1
faec1845571a3da9ef65f4f8125eebc0d64b87cd
-
SHA256
0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053
-
SHA512
e4af99f91c81590a4fcd54584441769c3abe6fd45882c14094852a933244944ddd7639475ba1ae3b5c1e80c9fbd5d2d0b35faab6ab91d2b6fcba1669667dfb8d
-
SSDEEP
49152:KOHJ5+mYpkNQKKptdFeuGFUf5Ao3WkrWquOWnyBqSa23HL+QJN:KOpxYpkNQtdFeuGWyomi3Ynb23HL+W
Malware Config
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://pollution-raker.cyou/api
https://hosue-billowy.cyou/api
https://ripe-blade.cyou/api
https://smash-boiling.cyou/api
https://supporse-comment.cyou/api
https://greywe-snotty.cyou/api
https://steppriflej.xyz/api
https://sendypaster.xyz/api
Extracted
redline
1488Traffer
147.45.44.224:1912
Extracted
lumma
https://sendypaster.xyz/api
https://steppriflej.xyz/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 66b18e4fb5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 66b18e4fb5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 66b18e4fb5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 66b18e4fb5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 66b18e4fb5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 66b18e4fb5.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/1924-572-0x0000000000D30000-0x0000000000D82000-memory.dmp family_redline -
Redline family
-
Stealc family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF dcc1c57267.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a477f3b90d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SdVB3P2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0df347b66f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 66b18e4fb5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dcc1c57267.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ DBFHCGCGDA.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4cf0357266.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 170e5774f2.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2748 powershell.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2548 chrome.exe 1788 chrome.exe 1972 chrome.exe 1900 chrome.exe 2652 chrome.exe 2372 chrome.exe 2484 chrome.exe 3044 chrome.exe -
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0df347b66f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0df347b66f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DBFHCGCGDA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DBFHCGCGDA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SdVB3P2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4cf0357266.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a477f3b90d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SdVB3P2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dcc1c57267.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 170e5774f2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a477f3b90d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 66b18e4fb5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dcc1c57267.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4cf0357266.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 170e5774f2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 66b18e4fb5.exe -
Executes dropped EXE 20 IoCs
pid Process 2180 DBFHCGCGDA.exe 3032 skotes.exe 1984 SdVB3P2.exe 2360 I0XmI2t.exe 1924 DJj.exe 2992 rzqP7V2.exe 2872 mdjw5me.exe 820 mdjw5me.exe 2216 ae7ce685ed.exe 352 80f4a556b4.exe 2324 80f4a556b4.exe 1100 4cf0357266.exe 888 170e5774f2.exe 1704 a477f3b90d.exe 2448 0df347b66f.exe 2672 adb637f45a.exe 2868 66b18e4fb5.exe 3216 9a7a95adde.exe 3548 graph.exe 3608 dcc1c57267.exe -
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine SdVB3P2.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine 170e5774f2.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine 0df347b66f.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine dcc1c57267.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine DBFHCGCGDA.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine 4cf0357266.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine a477f3b90d.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine 66b18e4fb5.exe -
Loads dropped DLL 29 IoCs
pid Process 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2420 cmd.exe 2180 DBFHCGCGDA.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 2872 mdjw5me.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 352 80f4a556b4.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3032 skotes.exe 3216 9a7a95adde.exe 3032 skotes.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 66b18e4fb5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 66b18e4fb5.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\a477f3b90d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1020939001\\a477f3b90d.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\0df347b66f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1020940001\\0df347b66f.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\adb637f45a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1020941001\\adb637f45a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\66b18e4fb5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1020942001\\66b18e4fb5.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" 9a7a95adde.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 191 drive.google.com 192 drive.google.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 201 ipinfo.io 202 ipinfo.io -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000400000001d8da-771.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid Process 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2180 DBFHCGCGDA.exe 3032 skotes.exe 1984 SdVB3P2.exe 1100 4cf0357266.exe 888 170e5774f2.exe 1704 a477f3b90d.exe 2448 0df347b66f.exe 2868 66b18e4fb5.exe 3608 dcc1c57267.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2872 set thread context of 820 2872 mdjw5me.exe 69 PID 352 set thread context of 2324 352 80f4a556b4.exe 73 -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f 9a7a95adde.exe File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip 9a7a95adde.exe File created C:\Program Files\Windows Media Player\graph\graph.exe 9a7a95adde.exe File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip 9a7a95adde.exe File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f 9a7a95adde.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job DBFHCGCGDA.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66b18e4fb5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DBFHCGCGDA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DJj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a477f3b90d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language adb637f45a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0df347b66f.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage adb637f45a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdjw5me.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4cf0357266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 170e5774f2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80f4a556b4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language adb637f45a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SdVB3P2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rzqP7V2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdjw5me.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80f4a556b4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dcc1c57267.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 776 taskkill.exe 1552 taskkill.exe 2172 taskkill.exe 552 taskkill.exe 2640 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings firefox.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a mdjw5me.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 9a7a95adde.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 9a7a95adde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 SdVB3P2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a SdVB3P2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a SdVB3P2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 mdjw5me.exe -
Suspicious behavior: EnumeratesProcesses 55 IoCs
pid Process 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2652 chrome.exe 2652 chrome.exe 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2548 chrome.exe 2548 chrome.exe 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 2180 DBFHCGCGDA.exe 3032 skotes.exe 1984 SdVB3P2.exe 2748 powershell.exe 1924 DJj.exe 1924 DJj.exe 1924 DJj.exe 1924 DJj.exe 1924 DJj.exe 1924 DJj.exe 1924 DJj.exe 1100 4cf0357266.exe 888 170e5774f2.exe 1704 a477f3b90d.exe 2448 0df347b66f.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2868 66b18e4fb5.exe 2868 66b18e4fb5.exe 2868 66b18e4fb5.exe 2868 66b18e4fb5.exe 3216 9a7a95adde.exe 3216 9a7a95adde.exe 3216 9a7a95adde.exe 3216 9a7a95adde.exe 3216 9a7a95adde.exe 3548 graph.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3548 graph.exe 3548 graph.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3608 dcc1c57267.exe 3548 graph.exe 3548 graph.exe 3548 graph.exe 3548 graph.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
description pid Process Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2652 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeShutdownPrivilege 2548 chrome.exe Token: SeDebugPrivilege 2748 powershell.exe Token: SeDebugPrivilege 1924 DJj.exe Token: SeDebugPrivilege 2992 rzqP7V2.exe Token: SeDebugPrivilege 2172 taskkill.exe Token: SeDebugPrivilege 552 taskkill.exe Token: SeDebugPrivilege 2640 taskkill.exe Token: SeDebugPrivilege 776 taskkill.exe Token: SeDebugPrivilege 1552 taskkill.exe Token: SeDebugPrivilege 1972 firefox.exe Token: SeDebugPrivilege 1972 firefox.exe Token: SeDebugPrivilege 2868 66b18e4fb5.exe -
Suspicious use of FindShellTrayWindow 17 IoCs
pid Process 2652 chrome.exe 2548 chrome.exe 2180 DBFHCGCGDA.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 1972 firefox.exe 1972 firefox.exe 1972 firefox.exe 1972 firefox.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 1972 firefox.exe 1972 firefox.exe 1972 firefox.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe 2672 adb637f45a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2652 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 31 PID 2376 wrote to memory of 2652 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 31 PID 2376 wrote to memory of 2652 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 31 PID 2376 wrote to memory of 2652 2376 0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe 31 PID 2652 wrote to memory of 2764 2652 chrome.exe 32 PID 2652 wrote to memory of 2764 2652 chrome.exe 32 PID 2652 wrote to memory of 2764 2652 chrome.exe 32 PID 2652 wrote to memory of 3056 2652 chrome.exe 33 PID 2652 wrote to memory of 3056 2652 chrome.exe 33 PID 2652 wrote to memory of 3056 2652 chrome.exe 33 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 2052 2652 chrome.exe 35 PID 2652 wrote to memory of 1108 2652 chrome.exe 36 PID 2652 wrote to memory of 1108 2652 chrome.exe 36 PID 2652 wrote to memory of 1108 2652 chrome.exe 36 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 PID 2652 wrote to memory of 2040 2652 chrome.exe 37 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe"C:\Users\Admin\AppData\Local\Temp\0ac8efcc206f2d7397ecc128aa3108e6ab3cd581e5d68348daf21edc77dc8053.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7a29758,0x7fef7a29768,0x7fef7a297783⤵PID:2764
-
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵PID:3056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1384,i,8958329868826921731,8756226150249326948,131072 /prefetch:23⤵PID:2052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1144 --field-trial-handle=1384,i,8958329868826921731,8756226150249326948,131072 /prefetch:83⤵PID:1108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1384,i,8958329868826921731,8756226150249326948,131072 /prefetch:83⤵PID:2040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2088 --field-trial-handle=1384,i,8958329868826921731,8756226150249326948,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:2372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2300 --field-trial-handle=1384,i,8958329868826921731,8756226150249326948,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:3044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2308 --field-trial-handle=1384,i,8958329868826921731,8756226150249326948,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:2484
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1780 --field-trial-handle=1384,i,8958329868826921731,8756226150249326948,131072 /prefetch:23⤵PID:1628
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2548 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7409758,0x7fef7409768,0x7fef74097783⤵PID:492
-
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵PID:2948
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:23⤵PID:2144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:83⤵PID:2104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:83⤵PID:1088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:1788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1156 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:1972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2700 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:13⤵
- Uses browser remote debugging
PID:1900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:23⤵PID:2664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 --field-trial-handle=1336,i,4032584452678015535,2109233991432060048,131072 /prefetch:83⤵PID:1276
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\DBFHCGCGDA.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Users\Admin\Documents\DBFHCGCGDA.exe"C:\Users\Admin\Documents\DBFHCGCGDA.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe"C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\1020826001\I0XmI2t.exe"C:\Users\Admin\AppData\Local\Temp\1020826001\I0XmI2t.exe"5⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABqAGgAdwAwAHYAaAA0AHQAcgBvAHgARQBOAEkATABQAFYASABWACcA6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
C:\Users\Admin\AppData\Roaming\jhw0vh4troxENILPVHV\DJj.exe"C:\Users\Admin\AppData\Roaming\jhw0vh4troxENILPVHV\DJj.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
-
C:\Users\Admin\AppData\Local\Temp\1020927001\rzqP7V2.exe"C:\Users\Admin\AppData\Local\Temp\1020927001\rzqP7V2.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:820
-
-
-
C:\Users\Admin\AppData\Local\Temp\1020935001\ae7ce685ed.exe"C:\Users\Admin\AppData\Local\Temp\1020935001\ae7ce685ed.exe"5⤵
- Executes dropped EXE
PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\1020936001\80f4a556b4.exe"C:\Users\Admin\AppData\Local\Temp\1020936001\80f4a556b4.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:352 -
C:\Users\Admin\AppData\Local\Temp\1020936001\80f4a556b4.exe"C:\Users\Admin\AppData\Local\Temp\1020936001\80f4a556b4.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324
-
-
-
C:\Users\Admin\AppData\Local\Temp\1020937001\4cf0357266.exe"C:\Users\Admin\AppData\Local\Temp\1020937001\4cf0357266.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1100
-
-
C:\Users\Admin\AppData\Local\Temp\1020938001\170e5774f2.exe"C:\Users\Admin\AppData\Local\Temp\1020938001\170e5774f2.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\1020939001\a477f3b90d.exe"C:\Users\Admin\AppData\Local\Temp\1020939001\a477f3b90d.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1704
-
-
C:\Users\Admin\AppData\Local\Temp\1020940001\0df347b66f.exe"C:\Users\Admin\AppData\Local\Temp\1020940001\0df347b66f.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2448
-
-
C:\Users\Admin\AppData\Local\Temp\1020941001\adb637f45a.exe"C:\Users\Admin\AppData\Local\Temp\1020941001\adb637f45a.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:776
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:2968
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1972 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.0.1453403498\591190941" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4236e149-db7a-43b1-95a8-b3c507818606} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 1332 10fd9e58 gpu8⤵PID:2812
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.1.46180557\531306441" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0c4b985-f2d8-46de-bd14-d864a2b98458} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 1516 f4f2158 socket8⤵PID:1568
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.2.878137297\9709799" -childID 1 -isForBrowser -prefsHandle 1956 -prefMapHandle 1952 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {809912ea-6b8e-4a84-8469-a761216b90d0} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 1968 197bd758 tab8⤵PID:844
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.3.1071689967\1183340155" -childID 2 -isForBrowser -prefsHandle 2608 -prefMapHandle 2604 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0823b86b-df1c-41f1-acdb-ed42fa039f75} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 2620 1d53da58 tab8⤵PID:1948
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.4.2045470505\538563524" -childID 3 -isForBrowser -prefsHandle 4028 -prefMapHandle 4020 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9deb236f-41dd-47d1-ad88-c85b019b1062} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 4040 2115e558 tab8⤵PID:840
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.5.897473275\1301327545" -childID 4 -isForBrowser -prefsHandle 4152 -prefMapHandle 4156 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c422b50-7fc8-4c1b-9f6a-68316f10ded6} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 4140 2115ee58 tab8⤵PID:1768
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1972.6.1735788764\883253773" -childID 5 -isForBrowser -prefsHandle 4316 -prefMapHandle 4320 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4b992d8-e2fa-4553-acba-0e8df1ee2665} 1972 "\\.\pipe\gecko-crash-server-pipe.1972" 4304 2115e258 tab8⤵PID:324
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1020942001\66b18e4fb5.exe"C:\Users\Admin\AppData\Local\Temp\1020942001\66b18e4fb5.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Users\Admin\AppData\Local\Temp\1020943001\9a7a95adde.exe"C:\Users\Admin\AppData\Local\Temp\1020943001\9a7a95adde.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3216 -
C:\Program Files\Windows Media Player\graph\graph.exe"C:\Program Files\Windows Media Player\graph\graph.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3548
-
-
-
C:\Users\Admin\AppData\Local\Temp\1020944001\dcc1c57267.exe"C:\Users\Admin\AppData\Local\Temp\1020944001\dcc1c57267.exe"5⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3608
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1560
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1480
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
40B
MD566b458a927cbc7e3db44b9288dd125cd
SHA1bca37f9291fdfaf706ea2e91f86936caec472710
SHA256481bc064a399c309d671b4d25371c9afba388960624d1173221eac16752dea81
SHA512897fade0ea8f816830aee0e8008868af42619005384e0a89da654ad16102cd5e7a607440bd99f9578cf951390d39f07020054cca74231cdc42a3cffa363d9869
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000009.dbtmp
Filesize16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
32KB
MD569e3a8ecda716584cbd765e6a3ab429e
SHA1f0897f3fa98f6e4863b84f007092ab843a645803
SHA256e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487
SHA512bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index-dir\the-real-index
Filesize48B
MD5f554a1734ed1984dafd4a346b59562a8
SHA125028b4b29dc782ebfea0ddcb9e2aa940a870b2b
SHA256c38b749635b2e64d1266aafd53867276f39f4ddd94ba3f5f2cb0f89af9b65fb2
SHA512b115fef31740fead6a3f659fe165ab2c7d02008f58ecc135b9da43f526f6286769317ce04368b8039ceb2c2af07a8248568ff78ce5be2f096d192812aff9338c
-
Filesize
76B
MD5cc4a8cff19abf3dd35d63cff1503aa5f
SHA152af41b0d9c78afcc8e308db846c2b52a636be38
SHA256cc5dacf370f324b77b50dddf5d995fd3c7b7a587cb2f55ac9f24c929d0cd531a
SHA5120e9559cda992aa2174a7465745884f73b96755008384d21a0685941acf099c89c8203b13551de72a87b8e23cdaae3fa513bc700b38e1bf3b9026955d97920320
-
Filesize
192B
MD59b1fb2c836a2c6cf32719a5aac007ce0
SHA1a90ec825e72d9c4d1dd0cb94eeff519d42fadd9c
SHA2569f45a7f19cb61845db9b017915edf526686b335e35da167d645dd4f43e9937e3
SHA512576ccdd6e9b96247a9601dd2bd6b0458af629fd84995c6f0ac9a563aa388c5577999fe53886aacd601a0e02ec8fc7a36e417920b41c22cd8383100fe91ee046d
-
Filesize
20KB
MD53eea0768ded221c9a6a17752a09c969b
SHA1d17d8086ed76ec503f06ddd0ac03d915aec5cdc7
SHA2566923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512
SHA512fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9
-
Filesize
196B
MD5ac3978b4bee60811d6320ea9238d9b59
SHA14ecb2d75ca7484957c3ddcd0d9a550d2b2e0a32f
SHA256f9ace3cb29024872e0188d13d9254907621c6306e168bde491932bbebd9e3a38
SHA512564e4a25a4d032e530e3dd359be30108c68a621b31063579492884c8890006673873bb791053b4ed9fb0d8c80deeb491e399870f25fa349ead0f15c0a30194d6
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\000003.log
Filesize40B
MD5148079685e25097536785f4536af014b
SHA1c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\LOG
Filesize204B
MD5f6aa4a1a7e172d47f0c848de3a383d48
SHA1fa3d3d66089292e96b0301dfe098aca09f92b0b9
SHA25660fa468d195f303d2b1bdf95ae11171e47567d7f2a2ff598852284fa7d402455
SHA5120a112e7cee645973211ed30019f153a7eaf65db2c8ba55f592c0fa58f790f79136c9e0205cd834fc40a5e6c6774da14f94701247a9a707bcade0e7a0de219d26
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
46B
MD590881c9c26f29fca29815a08ba858544
SHA106fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA51215f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
192B
MD5e37187928cb3266cf85bc3efa95ced07
SHA18260ce59fbe11105f2e9e586b3f0859ac50e0dcb
SHA25609c8d91c10829b63b4e912980c1442bf2c7a0b552ae0594325ebc4dfd56866fa
SHA512a914f8768fd497f9eec5a3ed06bf647eb0e3bbe1571a710d7c2c2017d7826ecab3ef0f4161ec30038e1df508d8085a28dc01bc2af8bbad97b59fd0d5bab3b542
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
128KB
MD51ff459f2e8f31d4993819d449a160839
SHA1275a9f20a0fb9b0f2da5d1cc9b18d342edcf1616
SHA256e382a505c4f592487c29772b1502c9b4efbdae16bc7ef2050febac3e6969be60
SHA51209e550f8d40c381b0a1c6fb1790db7ff201fa76fecf75bf3cc3ee90f126b71a9b953409e16bd99ec4d046e69801cb257414606226af33b305f79c58812765bc1
-
Filesize
92KB
MD5c525a3a8383f76e32c46702f9586de6e
SHA12601023cc7c6038b3438ee8c7db4cf49c1cbac12
SHA256bc69f19579786bdf40a1e3f180e2d344edcbf5cf9a05142a2445087f14c067a3
SHA5123c5dae26d8ee5bfed7ad081fbf56d7b92f2b63205b5c0398f1b920b64b3fe39b760f78bec6086a91628d74280acda4bf55e2cb3c4c14086eded60070240c5db3
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5ca55c0d2b9db19814a10a000e62a5fdd
SHA1ace14434d23b3f24b76208f33df85250d95c5ca5
SHA2566f5804c3653b6d7960fba692a2a35ae4a738cf69090ec1f8f703faa0387331ae
SHA512feb225b39fffa7c6f245d80b02a8e4216a31a78ecea5d4c6314fb7a45ba5a25d5adab2067d61ba7411cbd11f594b3c6e288bd4b3c748d130b2e3689fff0f5e9d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index
Filesize48B
MD5ada50670d1c9320de93ee439afbd775b
SHA113adc5a8f4b2c82253cdda80f22eb57933ae4728
SHA256d593706074af594b766df1e9c8961398d807afafb513684780106ecf88938d79
SHA51263ff8fdd1753a8b7ee96bc8dce7a9c67871eb5539559eeb49c9b38e647e68976c9960a594d4acda55a7ecb6a0c9d0706a4c898f220d311a87ae04c6f7f00e29c
-
Filesize
193B
MD5e95b1765119a6bdca331c9b24b3f8702
SHA1a24322d482e00ef723df67baa2e0fb52eaa0d211
SHA256d5f878f8c6c1f9858fc682c51b237ccca79b286c008eae2ddfe8d7b68e0e1b70
SHA512cc82c85bba023d606c5f37440291935db922fb6a56904480a2ed841e9c54aaff7f7a87015475040e60a589b7982eb60b61e5bfc8e6dd3c6d96d0ac422040c9b8
-
Filesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
Filesize
197B
MD5560d87fb0e88029230e222b88dffca95
SHA176b59d84b43c640723077b94291320c6af951217
SHA2564515c9ffe0c7cad7ce63d8c82c789f7b685a7cf74b8eb65d49b1fe4f20971f6c
SHA5121df81a91ee094f5d72eacc70db1af17cd2608c2fc3a485170341ba520b9d29b2417228f6cfabc74de387ce034b711d5c8a75245cb25b06d0951c39f414b14104
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\MANIFEST-000002
Filesize50B
MD522bf0e81636b1b45051b138f48b3d148
SHA156755d203579ab356e5620ce7e85519ad69d614a
SHA256e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\LOG
Filesize205B
MD5a771b27c1fa7247a2f8ecd5c3da1282a
SHA124463bd23ecbfab1170c4125ee9f44e181035c8a
SHA256e94c3cfdeeac0c156b0743124ab5655051a88ddc644c95b441f0a1fa51165f1b
SHA51204c1080dec8891213879adfe4f43bc4c2315d65927f3d7bfe112e2f0826df91757d87d61e19a438c2499a9504fe148a24ae8ebc728ba05a99b25505602db7c61
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
193B
MD53068af09196c2c0705d0ce67463d98f3
SHA19be592cc0a899ded90b8ee4b46bbf99697199f38
SHA256f9be88e62aafa95cf9c17aafa29a9286ff529400e667299652e25554adb723e4
SHA512311f5c5730ce39e3e5a201db92a74db7f49e8b689d2b2c8bfaf471f5931ea5273e4f57d64afad6add346ad98aefcb5fb3ba225d1dc46728dce74e583808cb025
-
Filesize
128KB
MD59dc46bf93155830299d9065c61750c57
SHA1356f7e0b2ef8c67a434aa8e8c1194629e8d5a89f
SHA256589f94481c8f2a7d0aee738ea1f4412e0aa65d9f3f14cb634f2ba01925cfed55
SHA51230e7f04d08d93dc0cacd2a299e9e481f3ff74b52223fb5141b7d6fb1aad68f6e5b45159263999b068e71d24a4ea82488baaeb1813b7da7539b5dad1f3a6f9326
-
Filesize
86B
MD5f732dbed9289177d15e236d0f8f2ddd3
SHA153f822af51b014bc3d4b575865d9c3ef0e4debde
SHA2562741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD58891e9220d0c2efa6f1af59b869fb8d3
SHA1147ae5edf8960fa41bb35a60beaf33b8dd440107
SHA2568112e5d0b43be1fcf9815564bc311c51f58987d6f499b55f621a5ce9c951b310
SHA5120f0fe24f52bce496a49866301a8b6b5474a43ab070eaa451284c70c5082a444d1f7b23b1b206c386ad39ac9f52326d5e19bf6ea9cf8b0e022e966ca275f6001b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD58a0feb447f024f32d1ee001a56d7ee23
SHA139086a8133462fbbdbaad4a313789d216497e68a
SHA256b474d829617220d8d949fa58a39d9eafde02ec488f0c7a4330950fefed66bd86
SHA51209efc757b29341d91d08619e8924b5cbb3acd73f2fe13b1aa21327c4133721102110b17f6717b09e703d1137d4266ab6e563f85bd34e98a1ee03b1b50e7ddbec
-
Filesize
2.9MB
MD575ca34215f6e3916c51c0af34fc17284
SHA13726ba089194df9221b1eed520d62e452d74d509
SHA2564d2340448332a51ceafe2cb2562b2441590eff605b7fc0478001ad103f495955
SHA51251a8285cd0c989ca4a659fb84f401f81e92bcc9a2b03f3f55da565bc2a9b6fefb115ddb0009d675e265e391c65fb4defc6326037b70b03eb6ed1364f1d7dc679
-
Filesize
3.0MB
MD50f66575bf99da9e9ebd2568ed600d084
SHA1d1a57de7090e125e24413e98b848339417fcc4d5
SHA256e451a87dfdc0ce577a571f0ddd1093875adc8a6e497194dade8a2e97b4e1b7bf
SHA5124b19c91e5ca8d414903488f94140607a23f3352ba3c90709483fb920f5bbddbd144313157395a24be510f0d64c96a568616eae27e1e1e492b1fbdf7efc6900ab
-
Filesize
562KB
MD563c8c11ca850435d9b5ec2ea41e50c22
SHA109a92f137462216a052f2a819ce110a0ac2f4022
SHA25689f58c08d1ccdc0aa645f11fb84de4c8a1ee328fd8a847aca63523291465a3a4
SHA512abdb139e86a3268c4d2bb5581c804219eeefc992e1dab87b3eb059db24015c849ce64d16ed0745df43dc8ac7ae49dcd5fd5660e65924752e669deafa6bbaa803
-
Filesize
2.5MB
MD587330f1877c33a5a6203c49075223b16
SHA155b64ee8b2d1302581ab1978e9588191e4e62f81
SHA25698f2344ed45ff0464769e5b006bf0e831dc3834f0534a23339bb703e50db17e0
SHA5127c747d3edb04e4e71dce7efa33f5944a191896574fee5227316739a83d423936a523df12f925ee9b460cce23b49271f549c1ee5d77b50a7d7c6e3f31ba120c8f
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
1.8MB
MD515709eba2afaf7cc0a86ce0abf8e53f1
SHA1238ebf0d386ecf0e56d0ddb60faca0ea61939bb6
SHA25610bff40a9d960d0be3cc81b074a748764d7871208f324de26d365b1f8ea3935a
SHA51265edefa20f0bb35bee837951ccd427b94a18528c6e84de222b1aa0af380135491bb29a049009f77e66fcd2abe5376a831d98e39055e1042ccee889321b96e8e9
-
Filesize
1.7MB
MD5e19414bbcf852d1cbf9e572376f9428e
SHA107030ccc002ffe4d99745c72aacbee8a5d3db588
SHA256b238e7c9da0b9db596bf9c6a43113116da9a5fca063a3109bafba32d0bab7fe0
SHA51248d90bbf8113978983cf881731abeeb43209442b356a23ff9a0d1cc91c1cc32febef3f0863fe77bd6fb149ccd6b559c5f3898cfa52f214230f5fc2735e50f5f1
-
Filesize
2.7MB
MD57ca51dd886ec90836bbab5df592b69fd
SHA1d11c96f20c08daf15a347b77e7ec9c3ac1d12066
SHA2565679209abbd756493f76f5ce42abe2fe5762a1142390d6216f1d92fcb7986d34
SHA5124c4708572818d8297297f4e58d90971d0a1058e3e5cf13d41cc768637cc4b3089ffc7d901342fdef4ac77f2801b935d0003620b4ae68150bed449c1a7743d693
-
Filesize
948KB
MD57cc0f69b0d966568698fcbf740b733f8
SHA134b9f300a23b8d37ebc0472e1ba781479bb99f40
SHA2567712a13112cf120a9997a348676bdb6342ab8f1e280fcc0b703154e908cc890d
SHA51225684344ce8fdf6d37abc0034c1ef58e743c09b5ef6459b4ed2e608ccaab0496abfefa425dd35f4af4fce5a672208c05c20638ed527c5ae46f69d3b1badf7bbb
-
Filesize
2.7MB
MD5081c19c260d66991348aa5c6e657f85d
SHA14a5d3bfe45884c8d85ebf33b74399bf269048b0e
SHA256dd69069a9d3020699a978675a7b49cb2b0a2f69d0225f0bea871eec1403dae4c
SHA5122618f16850e93034601e3067d544d950897b442279cb64dd3b8b332145cf2f8623180faa6f432a9b2b771fa2f4d36fc0d7fc124e7d01c37ccb9b1982203fe71b
-
Filesize
591KB
MD53567cb15156760b2f111512ffdbc1451
SHA12fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA2560285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba
-
Filesize
4.3MB
MD5bb2e8e6f6cddae051b37a622e86a8899
SHA11cc7fd2e26d1d545c3fc76f39558fe9c492ccb7a
SHA256a0c0b9ddb890291ca0abc3df361220a195f0906a7be6683fd8173ced4c7d02dd
SHA51230330d9c0e6dee60fdaa62d04d7a02a75eb76e5c4ebcb1c912a6e786ea74aa0e7ffcafbe27387116d8dc69d9f1788d05f092b17254f3a2aae4810d7eec38c5db
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.1MB
MD5ea4c8dffe806df7f0551458c39d944f6
SHA1a57cbec3d1366cb30e4209bc3801b9e274bdc411
SHA25670ab4ec61c596321c745154ce576c71469dbbadc5d535366d4da986fd8466195
SHA5122cea57e9a8dd2098345aed98a4768567e2fd60f0c754041418809640f6cee16d84b8dc2c6b8a9433914cb7675ad31e1b795f27273ca80512d66cc80f4c3d057a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5c0ae5bdccfcf9938f6ddda1ae595c2f0
SHA1b1b26d11866a46249b59e6cce1bd70fe2f25593b
SHA256551edb93222d2f4d89035a3e85afcd88e4e75fa693ab830a499ccadd560d090c
SHA51217ec65e0dd5d643e2fdb3ff1680776d366fe0c2a973e9faa1952a919d428d9313b104b3a8b95731a4ccf678c8926a0860776cd93c79217471307563c9835eedf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\103a8817-7053-49cf-9279-2df00cf3b74e
Filesize11KB
MD5d02776ad8e9e9a5a468185e5e3808bc3
SHA1d252348ba81d64a9f43ad372defef22372e5f9a3
SHA256db94e6625ab72aed62eb55d14ed010531820b530c9d1066187089fe74f2fd852
SHA51236b07866313df60c6de813f85a6fcac1dc9b71fb4ed2a64fcff485424e7c1883a150a746d35a2d0c5657f921961cd87c8a5dc3e714e4d01d97b25fd4d3911cb2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\57a1cc7d-a539-45c4-8df4-cbc3c1372756
Filesize745B
MD50bcaae8570a96ce98e181e3e69c2a12d
SHA1d153ac0964c5fba19153d7dec703c09af376963e
SHA256487edfcd2bbf8dea35ff899c5fac250b388fdf4d0085d2b98f61c0a83bb4fd76
SHA51289e3286d6b6477107d7a050e554d031980cfc288fcf59a65222c29584fcada119bc2d0d3dfd2e8dccbed15b855ac7fde51aa165d2637ee7d4b2c5e3f12d4f1f8
-
Filesize
6KB
MD598391478660c1fc34b01dba7fccb22e9
SHA13a292200cd9ed665823a24dccdfd98049ecc04a7
SHA256cc0eb952a22c520539fe541a915c515b43a757d12561b5680fae19f7210c0f6f
SHA51236a0dad63053b560d487d6a35aa859a9ee6f7abef7f09ebd559436abc331bc5a161e300d54701a313c2f8584c564644ce3a47a0c428a19a6555c116dd2851e59
-
Filesize
6KB
MD560a9d64af94cba2fb1906c9ff2fc004e
SHA1bf9360ea810ca3324b0c395c0fb40b579c7fcf73
SHA256f0e3dbae04f51f4b855d62cedbd7b69c05994cf3dccecb68147c8fdb1fa2502e
SHA5128e7b670857591192cb7af8df51c40b19152b9c2f834a13aa4ab9700512177778d6bb2c1403a13ed6a3c8f6a4cdeaf501bd870acc449622e79f94608553539275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD50006224526f3baf6fac26d1ab0f5ec8d
SHA18366158061d035b6fa0ce7c125407f709d1e8f59
SHA256e505382d6d07f004bb7d92894885d0834c24783bbb353d4a33e3066078613552
SHA5126830b75b25f63a961aada4f91b039adcbc5b0e99b12b9443cec196478f389377cda4da85184d92ce7252339f304ecae5258238abaffed3273920a8cde0e2df38
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD536d14c392309bef4cc62541a8a425a9f
SHA1bc999e578f6e6b6f06e463cbae56f86a0be3dbcf
SHA256f40b63c65394e4346e988610088e1ca451e17b985e3a945ebab4700c09949f16
SHA5128f86f2715a6f01800f0ee2d208c7fbf9e517d4420ac47285960dea193c4837c75f70f3e4051d94690dba26325da5b1c4c458bb04dca4aec59566cc70f3909234