Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-10-2024 12:40
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
General
-
Target
file.exe
-
Size
2.8MB
-
MD5
7e8f2b155ad2523c4f6d8099bc59dca1
-
SHA1
b25ad7de030c34e10808888e1a8e9b82fb40ea10
-
SHA256
ad27642caa9ccf53582f5a9b49538b71e41aff847cc09acf24418f72e4948641
-
SHA512
69f1b6d5f29efc3030bf222948996cce772a75a59b98ca4836c7b8e595dd1e622ca43a0a6cfcb893f7d8f0b953e0ad26e5690dbe33c9c01a5956a0537f12108a
-
SSDEEP
24576:vVo6YZDys0fiiKPdZE0WQ3ec8hM0GSwFY3dKY8n74RWO2wbKvOlpZx18HhEWvjSO:dohbqK8WFY3dKrn7GpKvOlpR78D46o
Malware Config
Extracted
lumma
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
doma
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Signatures
-
Processes:
Y1B4BLRMG0YGD6JRFV3CR.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" Y1B4BLRMG0YGD6JRFV3CR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Y1B4BLRMG0YGD6JRFV3CR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Y1B4BLRMG0YGD6JRFV3CR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Y1B4BLRMG0YGD6JRFV3CR.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection Y1B4BLRMG0YGD6JRFV3CR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Y1B4BLRMG0YGD6JRFV3CR.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
Processes:
5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exeskotes.exe0ff2e76fcf.exeskotes.exeC71YVQFBV8EDB8YNGDO8IB104BCW9RK.exeY1B4BLRMG0YGD6JRFV3CR.exe95b8de942e.exeskotes.exefile.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0ff2e76fcf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Y1B4BLRMG0YGD6JRFV3CR.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 95b8de942e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
skotes.exeY1B4BLRMG0YGD6JRFV3CR.exe0ff2e76fcf.exeskotes.exeskotes.exefile.exeC71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe95b8de942e.exe5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Y1B4BLRMG0YGD6JRFV3CR.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Y1B4BLRMG0YGD6JRFV3CR.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0ff2e76fcf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0ff2e76fcf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 95b8de942e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 95b8de942e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exeskotes.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 10 IoCs
Processes:
C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exeskotes.exeY1B4BLRMG0YGD6JRFV3CR.exe95b8de942e.exe0ff2e76fcf.exe3a2e9f760b.exenum.exeskotes.exeskotes.exepid process 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe 4360 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe 2020 skotes.exe 1888 Y1B4BLRMG0YGD6JRFV3CR.exe 4468 95b8de942e.exe 4500 0ff2e76fcf.exe 3380 3a2e9f760b.exe 3044 num.exe 3916 skotes.exe 5464 skotes.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exeY1B4BLRMG0YGD6JRFV3CR.exeskotes.exeskotes.exefile.exeskotes.exe95b8de942e.exe0ff2e76fcf.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine Y1B4BLRMG0YGD6JRFV3CR.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 95b8de942e.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 0ff2e76fcf.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Y1B4BLRMG0YGD6JRFV3CR.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features Y1B4BLRMG0YGD6JRFV3CR.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" Y1B4BLRMG0YGD6JRFV3CR.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
skotes.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\95b8de942e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000964001\\95b8de942e.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0ff2e76fcf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000965001\\0ff2e76fcf.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a2e9f760b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000966001\\3a2e9f760b.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000967001\\num.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000966001\3a2e9f760b.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
file.exeC71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exeskotes.exeY1B4BLRMG0YGD6JRFV3CR.exe95b8de942e.exe0ff2e76fcf.exeskotes.exeskotes.exepid process 5028 file.exe 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe 4360 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe 2020 skotes.exe 1888 Y1B4BLRMG0YGD6JRFV3CR.exe 4468 95b8de942e.exe 4500 0ff2e76fcf.exe 3916 skotes.exe 5464 skotes.exe -
Drops file in Windows directory 1 IoCs
Processes:
C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exedescription ioc process File created C:\Windows\Tasks\skotes.job C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe0ff2e76fcf.exe3a2e9f760b.exetaskkill.exeskotes.exeY1B4BLRMG0YGD6JRFV3CR.exe95b8de942e.exetaskkill.exetaskkill.exetaskkill.exefile.exetaskkill.exenum.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ff2e76fcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a2e9f760b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Y1B4BLRMG0YGD6JRFV3CR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95b8de942e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language num.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1200 taskkill.exe 4908 taskkill.exe 628 taskkill.exe 2364 taskkill.exe 4932 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
file.exeC71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exeskotes.exeY1B4BLRMG0YGD6JRFV3CR.exe95b8de942e.exe0ff2e76fcf.exe3a2e9f760b.exeskotes.exeskotes.exepid process 5028 file.exe 5028 file.exe 5028 file.exe 5028 file.exe 5028 file.exe 5028 file.exe 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe 4360 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe 4360 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe 2020 skotes.exe 2020 skotes.exe 1888 Y1B4BLRMG0YGD6JRFV3CR.exe 1888 Y1B4BLRMG0YGD6JRFV3CR.exe 1888 Y1B4BLRMG0YGD6JRFV3CR.exe 1888 Y1B4BLRMG0YGD6JRFV3CR.exe 4468 95b8de942e.exe 4468 95b8de942e.exe 4500 0ff2e76fcf.exe 4500 0ff2e76fcf.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3916 skotes.exe 3916 skotes.exe 5464 skotes.exe 5464 skotes.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
Y1B4BLRMG0YGD6JRFV3CR.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exedescription pid process Token: SeDebugPrivilege 1888 Y1B4BLRMG0YGD6JRFV3CR.exe Token: SeDebugPrivilege 628 taskkill.exe Token: SeDebugPrivilege 2364 taskkill.exe Token: SeDebugPrivilege 4932 taskkill.exe Token: SeDebugPrivilege 1200 taskkill.exe Token: SeDebugPrivilege 4908 taskkill.exe Token: SeDebugPrivilege 2224 firefox.exe Token: SeDebugPrivilege 2224 firefox.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
Processes:
C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe3a2e9f760b.exefirefox.exepid process 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 3380 3a2e9f760b.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe -
Suspicious use of SendNotifyMessage 31 IoCs
Processes:
3a2e9f760b.exefirefox.exepid process 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 3380 3a2e9f760b.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 2224 firefox.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe 3380 3a2e9f760b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 2224 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exeC71YVQFBV8EDB8YNGDO8IB104BCW9RK.exeskotes.exe3a2e9f760b.exefirefox.exefirefox.exedescription pid process target process PID 5028 wrote to memory of 4632 5028 file.exe C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe PID 5028 wrote to memory of 4632 5028 file.exe C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe PID 5028 wrote to memory of 4632 5028 file.exe C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe PID 5028 wrote to memory of 4360 5028 file.exe 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe PID 5028 wrote to memory of 4360 5028 file.exe 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe PID 5028 wrote to memory of 4360 5028 file.exe 5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe PID 4632 wrote to memory of 2020 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe skotes.exe PID 4632 wrote to memory of 2020 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe skotes.exe PID 4632 wrote to memory of 2020 4632 C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe skotes.exe PID 5028 wrote to memory of 1888 5028 file.exe Y1B4BLRMG0YGD6JRFV3CR.exe PID 5028 wrote to memory of 1888 5028 file.exe Y1B4BLRMG0YGD6JRFV3CR.exe PID 5028 wrote to memory of 1888 5028 file.exe Y1B4BLRMG0YGD6JRFV3CR.exe PID 2020 wrote to memory of 4468 2020 skotes.exe 95b8de942e.exe PID 2020 wrote to memory of 4468 2020 skotes.exe 95b8de942e.exe PID 2020 wrote to memory of 4468 2020 skotes.exe 95b8de942e.exe PID 2020 wrote to memory of 4500 2020 skotes.exe 0ff2e76fcf.exe PID 2020 wrote to memory of 4500 2020 skotes.exe 0ff2e76fcf.exe PID 2020 wrote to memory of 4500 2020 skotes.exe 0ff2e76fcf.exe PID 2020 wrote to memory of 3380 2020 skotes.exe 3a2e9f760b.exe PID 2020 wrote to memory of 3380 2020 skotes.exe 3a2e9f760b.exe PID 2020 wrote to memory of 3380 2020 skotes.exe 3a2e9f760b.exe PID 3380 wrote to memory of 628 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 628 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 628 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 2364 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 2364 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 2364 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 4932 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 4932 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 4932 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 1200 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 1200 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 1200 3380 3a2e9f760b.exe taskkill.exe PID 2020 wrote to memory of 3044 2020 skotes.exe num.exe PID 2020 wrote to memory of 3044 2020 skotes.exe num.exe PID 2020 wrote to memory of 3044 2020 skotes.exe num.exe PID 3380 wrote to memory of 4908 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 4908 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 4908 3380 3a2e9f760b.exe taskkill.exe PID 3380 wrote to memory of 1736 3380 3a2e9f760b.exe firefox.exe PID 3380 wrote to memory of 1736 3380 3a2e9f760b.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 1736 wrote to memory of 2224 1736 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe PID 2224 wrote to memory of 2520 2224 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe"C:\Users\Admin\AppData\Local\Temp\C71YVQFBV8EDB8YNGDO8IB104BCW9RK.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\1000964001\95b8de942e.exe"C:\Users\Admin\AppData\Local\Temp\1000964001\95b8de942e.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\1000965001\0ff2e76fcf.exe"C:\Users\Admin\AppData\Local\Temp\1000965001\0ff2e76fcf.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\1000966001\3a2e9f760b.exe"C:\Users\Admin\AppData\Local\Temp\1000966001\3a2e9f760b.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:628 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4932 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1200 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4908 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4728463b-359f-42cd-927d-a036c547e4cb} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" gpu7⤵PID:2520
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41611709-c4ea-49c9-a87d-9d633ea1a63f} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" socket7⤵PID:2028
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 3420 -prefMapHandle 3312 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cddd2015-63ca-4181-9125-95298c8a0978} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab7⤵PID:436
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3988 -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5accf168-c591-4de3-b496-6fe1dad997f1} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab7⤵PID:3652
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4492 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4596 -prefMapHandle 4684 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87f705b1-33f3-4168-b1e9-949ae1364031} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" utility7⤵
- Checks processor information in registry
PID:5304 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5176 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4cf8634-6f30-428d-98b6-f340b27fbc18} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab7⤵PID:5832
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 4 -isForBrowser -prefsHandle 5320 -prefMapHandle 5212 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce0abc8b-ca9e-449e-9d36-066766f3e83d} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab7⤵PID:5844
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5620 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f210dbd6-c61a-4b7e-83f0-a41f4c19a9ea} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab7⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\1000967001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000967001\num.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Users\Admin\AppData\Local\Temp\5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe"C:\Users\Admin\AppData\Local\Temp\5Z1FT16XGREVTSIU5TXL9J6QDH7XU.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\Y1B4BLRMG0YGD6JRFV3CR.exe"C:\Users\Admin\AppData\Local\Temp\Y1B4BLRMG0YGD6JRFV3CR.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3916
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5464
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
Filesize19KB
MD54247acaeb1ceb808b27d374cd3ba9652
SHA1b53a28fa0f5b09b09ce2b3cbcb853f4e49b021e8
SHA256634e5c5927546f09cc31f662db017f1c03e5a456e9414aacb22e5bbe799305e9
SHA512d931ade14e371104910c2aff65522749f36436c532ce80ad38be50db0e87ebfbeaacc6d71da30929f93d834abd1d40b9a2c6d3073a6d547d169b4032dcd5c773
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3
Filesize13KB
MD532588dec355aa65fc8f3d98766d0d0e4
SHA1d094a9ebd8cca72e69f3efbf4307b125b21bd492
SHA256c17fdd106a771a0d5557b90ffb2f5031ce24fde4d68466faaf50cee230561cb6
SHA512e59f88df1a9481909888c36fd55f8c2577a5c6c2fe5b3fb440157916d364a7a5cdf8feb51f56f727fe4cfd1ae3bbde43e472c81d36ba55836e11b4822883410e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize13KB
MD5aa836d046737a3e458e8f212b56e4ff6
SHA1e9a73cc7ddf1178f99dce9da61ad03b9282b0184
SHA2563877efc559bb38f66b36a1965ebe2979ce799e58b10cf4fcec24a4bb4ac98d42
SHA512482138b85b3f67b3c2238933720558ce77c9df005b79e5a81f01882d1a71205a2aa582a881ce87828243614ba3b53c93bce6162b49cd520686d6d759b48f5210
-
Filesize
2.8MB
MD57e8f2b155ad2523c4f6d8099bc59dca1
SHA1b25ad7de030c34e10808888e1a8e9b82fb40ea10
SHA256ad27642caa9ccf53582f5a9b49538b71e41aff847cc09acf24418f72e4948641
SHA51269f1b6d5f29efc3030bf222948996cce772a75a59b98ca4836c7b8e595dd1e622ca43a0a6cfcb893f7d8f0b953e0ad26e5690dbe33c9c01a5956a0537f12108a
-
Filesize
898KB
MD53574065807fcbf8a5305452473eb1a70
SHA1e893e61cc530556d95754f4f6f07e8199492d334
SHA2569ae04956c4164e9f7ccf6b74423396f21443bcecab5b98f8faff29bfe3483dbf
SHA5121baa0966aa698fe714a022eebd9d7c0d7d6af4b5d553af3018d09ed524123d46e84e183746ce2541fe0c2a1ff0e53386effdf34eb4496291d8a9db1a0ba8918f
-
Filesize
307KB
MD5791fcee57312d4a20cc86ae1cea8dfc4
SHA104a88c60ae1539a63411fe4765e9b931e8d2d992
SHA25627e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d
SHA5122771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c
-
Filesize
1.7MB
MD5bc44a9ad64b1ab4bb57897cb26ad7003
SHA139de0615a7ee36c80355fe66fdb16d0b7d5fa168
SHA2566ff34c76f942f695391be5c6c560caeadc070d2856642f91aeeaa96aa724b6d2
SHA512bef7822e1af65b69c029daf5ea408766d4fdef3ada96a045ff803e7297e7266bdf3dc7f669f2a1dc82957a9b17818509e9bed1d6d6c7e599249acb7029a4c547
-
Filesize
1.8MB
MD55dd3e02e1116e438cd2e2c5d5bcdba1e
SHA19b78e3c327c43e388e2186b8b7ddabb434d753af
SHA256b4522e10c97134481931b75a9e8989034d1d35e812ab2c83166e37f078acb787
SHA51217fa15e8dca2db8bc0676f269b5622783d9d54bb1529a5ad5e198ffdb1831aed4bfb65f49133b8ff35095b41752c41922f4f6076f6142e6a84d04fe570fbc0c7
-
Filesize
2.7MB
MD582542238bdf4858f0555112fedd781c3
SHA17a27ae5f35e28676dcdfb6d3841f35f9b0bd4dc2
SHA256de0d163a43b493b412f2a4e15eeb8ed135f32dc252e1176e6f32ada9fb9155df
SHA512c8ade7f2e06c69957bfabe93a561c46b03546c78a27f7e9bd26186adde8fc162a8ab3a702283b0558a806aca84dc1b025a055b7bc894e0f074caf3599dde4f3a
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize18KB
MD5c5bd5b85104f2b2bd6a2ad2de37cf489
SHA1cb15a53ec759ea50879ccb6bafa74802d0dd443b
SHA2561ece03d83ef39d10d8a8c5e8ec05f5cda1de1eea4934b44542b3761498a524ac
SHA512d46ef8b9f3cdae1a4e55a7287c9392075cc06d5a28818947ebd8adee366a493b49e1bcda84802b42e6296be6004764ec674851d917dfed56fe04934df6d08a01
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize7KB
MD5d97aa67feb6b118d3da30e693f54e358
SHA136e9892e9524193a17f318c0ec0260d1fc256fa0
SHA256e8739313e370bee968cc6c7aeb1d71d452d89f6f91a665306ab6d64a00e9f31f
SHA512cf40e79f6ae8b62d41178b236db54f4f6658eb0fee2328490ef4fad7372a2db25d545210de6f54e413309b45ba6bac246cc97f6409c26264e041ceb7ae64da60
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize11KB
MD5e4d16e746669c04f87f1a6ed1cdcf70c
SHA18e251cd21fee64801f60f9a5999742dbc174ac96
SHA256ea6ce6dde1c3471c4649a99ce193435970e1340ab1d1f2da7c31c28deadc23f3
SHA512c31088de31eda6aa39af41366f038a2e9eeb4f0bfdedb538b7cb2d0cea9b6bb28069c2122ebecf5b381be13cca78680511258d067c37ba81fc5cc427d0314c39
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5f62073e603a328ab14994347f8a84eaf
SHA1252e183615dc3a8bd0a05d352084f9c6f71d316c
SHA25648d3e4d2367ca1f99760953c167ad29c93c29ecc1d1a564eb999c04fe6d8fa18
SHA5126f72e3a2e6e45a06dd429e1d7810ca430f3cba9aff1b78350412850a2b1e4c236af648180fff3d383a86ad7a2c81b5153f8cd833473ffa6d7d217eb7909c5a43
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5131d8aa67be23990ee17abb03f501c0a
SHA14dd9a5a3ac3ed764cbfb8b89b7cefe80812fdbe3
SHA2561ba8f1c4b291c169a0430a69087b300b9e6e060569c4f613d95b3dc35d1c3e43
SHA51213ac4acec051ef7ad747dcbc6fcb24e5c5c1b70859fadd06d77288de1ecb31f64c4a15f627707f660d3481d6171a861cc08e843ebae32149261e403f4b0b707e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5ed673be2f4da7df937dc8c2f94917f08
SHA1b59632b6e8e93a1e05c7125f0a135310b0230ed7
SHA25674b4531e1f9080b58f592be21685192c2c1ecd9f3253929134fe99f8dbf6cec5
SHA512d1abd1b7f4af799dd1b8d17ca016290e23761d8f1e0b41327e2e08b30064c84648d916291d21245a88f9916fb6a9fce0ae9b89c06c34fc33b24f2ccb31c0ca72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\15ee9800-3953-492d-8419-72737c1f021a
Filesize27KB
MD5a8037a655b2b63cf23aeda2c22715bb9
SHA109599154381f84ff60192875de746679696f45b6
SHA256f2b28d598b1c0667f662abb51d5f3abffeaa55d4e24ea566ea94cd087798cbc2
SHA51206bde884f0da1a8cc9e5681ee0a9641f6dfed49f08eb0621b8205003ef713ee879ed859a8bed584ff196acee61fe8a003324ad65fcfbbb28d17e430c973a7936
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\a8ddb183-e0e8-42d0-9c90-8bfb4544afe2
Filesize982B
MD5920c780d1ca52db37e62d12a08a35850
SHA1c1e2a24714964c3b0dee070d5de9973a1da1eae6
SHA2562420583278cf5ed7acfb7dc5709df9871b28446596cb3f84553decf9700328a0
SHA512c1aed4e8be3a43a740b29920817c244025ba1885b51ca138ad2139c48bba64e14deceb6e6b7098086606520532e1276b073699dad974ffa846a72e32891e3be8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\c7565779-537a-410c-a208-58b532a52f0a
Filesize671B
MD591b612efba06a529f820d620447fd8b4
SHA110f16dca9a2662fd644f678eadcf0bbaf497c7ed
SHA256584778a0aca4bd648e6be7fb7f8afea077b201b192a040578206feda57e72c07
SHA512cecbdee3cb59e9ce8ea7d620b0ebc5a349611184a0dc026d35a94f2755f116e7053d459c64d507c5c9858f7e84b02812dda6b30834c1e81660a5915223ebbf74
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD50cbebaeb287a3c9339e769938fcaac12
SHA10695edad950dd15af2d07f99a091c05c49c2f718
SHA2565346074ef16ee76a60cc334912f6c7ccec43b6676bbd19df53804c500427f2ac
SHA51243128468c145cd3bfee654a8f0b65a090311a09510604476c22bf0ef2644d71131b8ee47b8f2c1611b11e4c17396c17ba2e3006bf1f320ef30522ec3e3ffdf7e
-
Filesize
10KB
MD5f670cc93a11bc5b09f86a07c994a8903
SHA197bb520b83e5b603bfed22c4210be424e769240e
SHA256d1ec13524476eb3ca3eecdf151d4cdbb894a482108c7c8acc56cb2ac32266e31
SHA5129eaa92f3a838013219dad4668305259e1e12b6082ce6507a15c97df71a6c3c1d4fab92b5331694d7eba243186f1c2bce860fdafb2fad6f3fd7844bbb49149428
-
Filesize
11KB
MD5c190c9272136de3a922fb37c87edcd71
SHA10257af40a61dbeb084b97680184e3255c52a934f
SHA256255d145ee18d8af5a13bb6db676cb4e122913b498ba13f513c35f0af4679a10f
SHA512b4090b6c819c8278135b0c32b0f42213334ae1dc9f420af5185fb2e5943866b424cee1b2429bcdda3987afd70a52a416fd6c06f7293067d8c8431cffe6b3bf61
-
Filesize
10KB
MD532e7e8ed3fac60addf263f846af02c32
SHA1049337d61a874cfca9dd50b459dde3f6c4f9052d
SHA256ba7e567e54836bfc4ad27d910bb26ea98300ec9656720c4ee69e0ed1617c73ea
SHA512e9e0c7965979e2aa54c5ffdbebef1658b9695c5927b7e44e6d2a0ae250999d5b427243414fcf916934b9aba81c3625d47e81870755ef6fab7507aa747b4cb33e