Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-10-2024 04:57
- Static task: static1
General
- Target: 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
- Size: 1.8MB
- MD5: b3d3107faf89ed1b14eba469e5f6442c
- SHA1: 8c3ceda065d74eda75374cf6fd10bca04ac9a745
- SHA256: 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd
- SHA512: e9f27839f957ad699f4cb6546e66805f47e8e924d576cb8bb200b5235bbf5bc47402177668d2a624b9b5ba5d277f8d69c5414e36a61c40fb91a644bcc536ae86
- SSDEEP: 24576:zbvASigrLPOWtFShEsrZTD8UeNeDpDV5Wv/YUqivrJ64Pc6p9C+NrTh7K:gzQPFvyfTGNWpOvECE76fFT
Malware Config
Extracted: amadey
- Version: 4.42
- Botnet: 9c9aa5
- C2: http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe (matches the dropped C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe in the process tree)
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted: stealc
- Botnet: tale
- C2: http://185.215.113.206
- url_path: /6c4adf523b719729.php
Extracted: lumma
- C2:
  https://necklacedmny.store/api
  https://founpiuer.store/api
  https://navygenerayk.store/api
  https://seallysl.site/api
  https://goalyfeastz.site/api
  https://contemteny.site/api
  https://dilemmadu.site/api
  https://authorisev.site/api
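The three extracted configs give host-and-path indicators that are more specific than bare domains. The following is an added example (not part of the sandbox report) that turns them into a lookup table and runs it over constructed proxy log lines; the log lines and the `client method url` line format are assumptions, the indicators are the ones listed above.

```python
"""Match proxy log lines against the C2 indicators extracted above.

Added example; not part of the sandbox report. The indicators are copied
from the Amadey, Stealc and Lumma configs in the report. SAMPLE_LOG is
constructed for the example and uses an assumed "client method url" format.
"""
from urllib.parse import urlsplit

# Indicators copied from the extracted configs (host plus request path).
C2_CONFIG = {
    "amadey": {"hosts": ["185.215.113.43"], "paths": ["/Zu7JuNko/index.php"]},
    "stealc": {"hosts": ["185.215.113.206"], "paths": ["/6c4adf523b719729.php"]},
    "lumma": {
        "hosts": [
            "necklacedmny.store", "founpiuer.store", "navygenerayk.store",
            "seallysl.site", "goalyfeastz.site", "contemteny.site",
            "dilemmadu.site", "authorisev.site",
        ],
        "paths": ["/api"],
    },
}

# Constructed proxy log lines (not from the report): client, method, URL.
SAMPLE_LOG = """\
10.0.0.5 POST http://185.215.113.43/Zu7JuNko/index.php
10.0.0.5 POST http://185.215.113.206/6c4adf523b719729.php
10.0.0.7 POST https://necklacedmny.store/api
10.0.0.7 GET https://www.mozilla.org/en-US/firefox/
10.0.0.9 GET http://185.215.113.43/other/path
"""


def build_index(config):
    """Return (host -> family) and ((host, path) -> family) lookup tables."""
    by_host, by_host_path = {}, {}
    for family, entry in config.items():
        for host in entry["hosts"]:
            by_host[host.lower()] = family
            for path in entry["paths"]:
                by_host_path[(host.lower(), path)] = family
    return by_host, by_host_path


def match_line(line, by_host, by_host_path):
    """Classify one log line as (family, 'exact'|'host'), or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    url = urlsplit(parts[2])
    host = (url.hostname or "").lower()
    if (host, url.path) in by_host_path:
        return by_host_path[(host, url.path)], "exact"
    if host in by_host:          # same C2 host, different path: still worth a look
        return by_host[host], "host"
    return None


def scan(log_text, config=C2_CONFIG):
    """Return [(client, url, family, match_kind)] for every matching line."""
    by_host, by_host_path = build_index(config)
    hits = []
    for line in log_text.splitlines():
        result = match_line(line, by_host, by_host_path)
        if result:
            client, _, url = line.split()
            hits.append((client, url, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for client, url, family, kind in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {family} ({kind} match)")
```

A host-only match is reported separately from an exact host-and-path match so that an analyst can triage it: the paths in the configs are what identify the check-in endpoint, while a bare host hit may be unrelated traffic to a shared address.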
Signatures
- Amadey family
- Lumma family
- Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
The VBOX__ ACPI table key only exists on VirtualBox guests, so opening it is a direct hypervisor check.
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by skotes.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by skotes.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 7ef385d5ba.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by d8126a40c8.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by skotes.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to change Microsoft Defender settings by adding exclusions (the signature covers file extensions, paths and processes; in this run both command lines use Add-MpPreference -ExclusionPath for C:\Lipras and C:\Users, see the process tree).
- PID 856 powershell.exe
- PID 4428 powershell.exe
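A process-creation feed is the cheapest place to catch this. The following is an added example (not part of the sandbox report) that pulls every exclusion out of a PowerShell command line and rates it; the first two events reuse the report's own command lines (PIDs 856 and 4428), the third is a constructed benign one, and the pid/image/cmdline event shape is an assumption rather than any particular EDR schema.

```python
"""Flag process-creation command lines that add Microsoft Defender exclusions.

Added example; not part of the sandbox report. The first two command lines
are copied from the report's process tree (PIDs 856 and 4428); the third
event is constructed and benign. The event shape (pid/image/cmdline dict)
is an assumption, not any particular EDR schema.
"""
import re

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# One Add-/Set-MpPreference call with an -Exclusion* parameter. The value is
# single-quoted, double-quoted, or bare (ends at whitespace or ';').
_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\s+-(?P<param>" + "|".join(EXCLUSION_PARAMS) + r")\b"
    r"\s+(?P<value>'[^']*'|\"[^\"]*\"|[^\s;]+)",
    re.IGNORECASE,
)

# Excluding these roots effectively disables scanning for user or system files.
BROAD_ROOTS = {"c:", "c:\\users", "c:\\programdata", "c:\\windows",
               "c:\\program files", "c:\\program files (x86)"}

SAMPLE_EVENTS = [
    {"pid": 856, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"'''},
    {"pid": 4428, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras'},
    # Constructed benign event: reads preferences, adds nothing.
    {"pid": 1234, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-MpPreference"},
]


def extract_exclusions(cmdline):
    """Return [(parameter, value), ...] for every exclusion the command line adds."""
    return [(m.group("param"), m.group("value").strip("'\""))
            for m in _EXCLUSION.finditer(cmdline)]


def severity(param, value):
    """'high' for exclusions that blind Defender broadly, otherwise 'medium'."""
    v = value.strip().rstrip("\\").lower()
    if param.lower() == "exclusionpath" and v in BROAD_ROOTS:
        return "high"
    if param.lower() == "exclusionextension" and v.lstrip(".") in {"exe", "dll", "ps1"}:
        return "high"
    return "medium"


def scan_events(events):
    """One alert per exclusion added, keyed by the originating PID."""
    alerts = []
    for ev in events:
        for param, value in extract_exclusions(ev["cmdline"]):
            alerts.append({"pid": ev["pid"], "param": param, "value": value,
                           "severity": severity(param, value)})
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} added {a['param']} = {a['value']}")
```

The regex tolerates the two quoting styles seen in the report (a quoted path inside a -Command string and a bare path on the outer command line) and handles several calls chained with `;` in one line. Rating `C:\Users` as high is the point: an exclusion on the whole profile tree leaves every later payload unscanned.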
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by d8126a40c8.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by d8126a40c8.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by skotes.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by skotes.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by skotes.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by skotes.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 7ef385d5ba.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 7ef385d5ba.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by skotes.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by skotes.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation by 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation by skotes.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation by Session.exe
Executes dropped EXE (10 IoCs)
- PID 3580 skotes.exe
- PID 5020 wintoolsone64.exe
- PID 4112 Session.exe
- PID 3488 7ef385d5ba.exe
- PID 4216 d8126a40c8.exe
- PID 3972 c17ec4b31d.exe
- PID 1916 skotes.exe
- PID 2088 num.exe
- PID 5908 pdf.exe
- PID 4200 skotes.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, and it can be used as a sandboxing environment.
- Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine by skotes.exe
- Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine by 7ef385d5ba.exe
- Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine by d8126a40c8.exe
- Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine by skotes.exe
- Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine by skotes.exe
- Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine by 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
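The VirtualBox ACPI, BIOS version, computer-location and Wine checks above are individually noisy (a lone BIOS or Geo\Nation read is ordinary), but the same process touching several of them is not. The following is an added example (not part of the sandbox report) that groups registry reads per process and flags those hitting two or more indicator classes; the registry paths are the ones the four signatures record, while the Sysmon-like event records (EventID 12 for key open, 13 for value query, built from the report's PIDs) are constructed and not real telemetry.

```python
"""Score processes by the sandbox-detection registry reads listed in this report.

Added example; not part of the sandbox report. The registry paths are the
ones the VirtualBox ACPI, BIOS, computer-location and Wine signatures above
record. The event records are constructed in a Sysmon-like shape (EventID 12
for a key open, 13 for a value query) from the report's PIDs; they are not
real telemetry.
"""
import re
from collections import defaultdict

SAMPLE_EXE = "05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe"
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

# Regex on the normalised path -> indicator class.
INDICATORS = [
    (r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__$", "virtualbox_acpi"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "bios_version"),
    (r"^HKU\\<SID>\\Software\\Wine$", "wine"),
    (r"^HKU\\<SID>\\Control Panel\\International\\Geo\\Nation$", "geo_nation"),
]

USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000"
SAMPLE_EVENTS = [
    {"EventID": 12, "pid": 3580, "image": "skotes.exe", "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"EventID": 13, "pid": 3580, "image": "skotes.exe", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"EventID": 12, "pid": 3580, "image": "skotes.exe", "target": USER_HIVE + r"\Software\Wine"},
    {"EventID": 13, "pid": 3580, "image": "skotes.exe", "target": USER_HIVE + r"\Control Panel\International\Geo\Nation"},
    {"EventID": 12, "pid": 1912, "image": SAMPLE_EXE, "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"EventID": 13, "pid": 1912, "image": SAMPLE_EXE, "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"EventID": 12, "pid": 1912, "image": SAMPLE_EXE, "target": USER_HIVE + r"\Software\Wine"},
    {"EventID": 13, "pid": 4112, "image": "Session.exe", "target": USER_HIVE + r"\Control Panel\International\Geo\Nation"},
    # Constructed: a browser reading CPU details, which is not in the indicator list.
    {"EventID": 13, "pid": 600, "image": "firefox.exe", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
]


def normalise(target):
    """Rewrite the REGISTRY\\MACHINE and REGISTRY\\USER prefixes to HKLM/HKU and mask the user SID."""
    t = target.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    return SID_RE.sub("<SID>", t)


def classify(target):
    """Return the indicator class for a registry path, or None."""
    t = normalise(target)
    for pattern, label in INDICATORS:
        if re.match(pattern, t, re.IGNORECASE):
            return label
    return None


def score_processes(events):
    """{(pid, image): set of indicator classes touched}."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev["target"])
        if label:
            hits[(ev["pid"], ev["image"])].add(label)
    return dict(hits)


def suspicious(hits, min_distinct=2):
    """Flag only processes touching >= min_distinct classes: a lone BIOS or
    Geo\\Nation read is routine for legitimate software."""
    return {k: v for k, v in hits.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    for (pid, image), classes in suspicious(score_processes(SAMPLE_EVENTS)).items():
        print(f"pid {pid} {image}: {sorted(classes)}")
```

With the threshold at two classes, skotes.exe and the original sample are flagged while Session.exe (a single Geo\Nation read) and firefox.exe are not. Raising the threshold trades the Session.exe-style miss against fewer false positives from installers that read BIOS or locale data once.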
Adds Run key to start application (2 TTPs, 4 IoCs)
All four values are written by skotes.exe under \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- c17ec4b31d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002541001\\c17ec4b31d.exe"
- num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002542001\\num.exe"
- 7ef385d5ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002539001\\7ef385d5ba.exe"
- d8126a40c8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002540001\\d8126a40c8.exe"
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
- C:\Users\Admin\AppData\Local\Temp\1002541001\c17ec4b31d.exe matched YARA rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Calling NtSetInformationThread with ThreadHideFromDebugger stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging step.
- PID 1912 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
- PID 3580 skotes.exe
- PID 3488 7ef385d5ba.exe
- PID 4216 d8126a40c8.exe
- PID 1916 skotes.exe
- PID 5908 pdf.exe
- PID 5908 pdf.exe
- PID 4200 skotes.exe
Suspicious use of SetThreadContext (1 IoC)
- PID 5020 (wintoolsone64.exe) set the thread context of PID 2484 (BitLockerToGo.exe)
Together with the repeated WriteProcessMemory calls from 5020 into 2484 listed below, this is consistent with injecting a payload into the signed Windows binary BitLockerToGo.exe.
Drops file in Windows directory (1 IoC)
- File created C:\Windows\Tasks\skotes.job by 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
A .job file under C:\Windows\Tasks is the on-disk form of a scheduled task, which fits the Task Scheduler COM API use recorded below and the two skotes.exe instances (PIDs 1916 and 4200) that start outside the sample's process tree.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- WerFault.exe (PID 5524) handled the crash of pdf.exe (PID 5908)
System Location Discovery: System Language Discovery (1 TTP, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: skotes.exe, wintoolsone64.exe, Session.exe, taskkill.exe, pdf.exe, 7ef385d5ba.exe, d8126a40c8.exe, taskkill.exe, BitLockerToGo.exe, 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe, powershell.exe, taskkill.exe, taskkill.exe, taskkill.exe, powershell.exe, c17ec4b31d.exe, num.exe
Note that taskkill.exe, powershell.exe and BitLockerToGo.exe appear here as well, so this key read is common to ordinary Windows processes and is a weak indicator on its own.
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments. All eight reads here come from firefox.exe, a legitimate browser that the malware launched, so this signature is noise in this run.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision by firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier by firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by firefox.exe
Kills process with taskkill (5 IoCs)
- PID 2068 taskkill.exe
- PID 1216 taskkill.exe
- PID 3360 taskkill.exe
- PID 884 taskkill.exe
- PID 2508 taskkill.exe
Modifies registry class (1 IoC)
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings by firefox.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
- PID 1912 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe (2)
- PID 3580 skotes.exe (2)
- PID 4112 Session.exe (1)
- PID 3488 7ef385d5ba.exe (2)
- PID 856 powershell.exe (3)
- PID 4428 powershell.exe (3)
- PID 4216 d8126a40c8.exe (2)
- PID 3972 c17ec4b31d.exe (4)
- PID 1916 skotes.exe (2)
- PID 4200 skotes.exe (2)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
All entries enable SeDebugPrivilege:
- PID 4112 Session.exe
- PID 856 powershell.exe
- PID 4428 powershell.exe
- PID 2068 taskkill.exe
- PID 1216 taskkill.exe
- PID 3360 taskkill.exe
- PID 884 taskkill.exe
- PID 2508 taskkill.exe
- PID 600 firefox.exe (2)
Suspicious use of FindShellTrayWindow (31 IoCs)
- PID 3972 c17ec4b31d.exe (10)
- PID 600 firefox.exe (21)
Suspicious use of SendNotifyMessage (30 IoCs)
- PID 3972 c17ec4b31d.exe (10)
- PID 600 firefox.exe (20)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 600 firefox.exe
- PID 5908 pdf.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Source process -> target process, with the number of recorded writes:
- 1912 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe -> 3580 skotes.exe (3)
- 3580 skotes.exe -> 5020 wintoolsone64.exe (3)
- 3580 skotes.exe -> 4112 Session.exe (3)
- 3580 skotes.exe -> 3488 7ef385d5ba.exe (3)
- 5020 wintoolsone64.exe -> 2484 BitLockerToGo.exe (7)
- 4112 Session.exe -> 856 powershell.exe (3)
- 856 powershell.exe -> 4428 powershell.exe (3)
- 3580 skotes.exe -> 4216 d8126a40c8.exe (3)
- 3580 skotes.exe -> 3972 c17ec4b31d.exe (3)
- 3972 c17ec4b31d.exe -> 2068 taskkill.exe (3)
- 3972 c17ec4b31d.exe -> 1216 taskkill.exe (3)
- 3972 c17ec4b31d.exe -> 3360 taskkill.exe (3)
- 3972 c17ec4b31d.exe -> 884 taskkill.exe (3)
- 3972 c17ec4b31d.exe -> 2508 taskkill.exe (3)
- 3972 c17ec4b31d.exe -> 548 firefox.exe (2)
- 548 firefox.exe -> 600 firefox.exe (11)
- 600 firefox.exe -> 2332 firefox.exe (5)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows parent/child depth; each entry lists the image, its PID, the command line and the signatures hit.

C:\Users\Admin\AppData\Local\Temp\05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe (PID 1912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 3580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1002431001\wintoolsone64.exe (PID 5020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1002431001\wintoolsone64.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 2484)
        Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\1002474001\Session.exe (PID 4112)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1002474001\Session.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 856)
        Command line: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4428)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Lipras\pdf.exe (PID 5908)
        Command line: "C:\Lipras\pdf.exe"
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe (PID 5524)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1476
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\1002539001\7ef385d5ba.exe (PID 3488)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1002539001\7ef385d5ba.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1002540001\d8126a40c8.exe (PID 4216)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1002540001\d8126a40c8.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1002541001\c17ec4b31d.exe (PID 3972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1002541001\c17ec4b31d.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\taskkill.exe (PID 2068)
        Command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe (PID 1216)
        Command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe (PID 3360)
        Command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe (PID 884)
        Command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe (PID 2508)
        Command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Program Files\Mozilla Firefox\firefox.exe (PID 548)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe (PID 600)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 2332)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ada0703d-6f5b-4a8d-8aad-a7dcaec6f34b} 600 "\\.\pipe\gecko-crash-server-pipe.600" gpu

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 1128)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f92efe9d-e292-4e22-9494-e57f868a166c} 600 "\\.\pipe\gecko-crash-server-pipe.600" socket

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 700)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 3584 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47642368-7754-429a-9feb-d819cc64fc74} 600 "\\.\pipe\gecko-crash-server-pipe.600" tab

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 4272)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3944 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69b9f721-93ef-492e-a191-8baba271c97c} 600 "\\.\pipe\gecko-crash-server-pipe.600" tab

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 5664)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4824 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71930ffd-2f0f-447f-9fd4-08e980636099} 600 "\\.\pipe\gecko-crash-server-pipe.600" utility
            - Checks processor information in registry

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 5980)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4388 -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4336 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4773f15c-9e51-474b-afc3-e63a6e270ac7} 600 "\\.\pipe\gecko-crash-server-pipe.600" tab

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 5996)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5184 -childID 4 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b73df797-4b6f-4e50-b511-3543c6b9eae3} 600 "\\.\pipe\gecko-crash-server-pipe.600" tab

          C:\Program Files\Mozilla Firefox\firefox.exe (PID 6008)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 5 -isForBrowser -prefsHandle 5468 -prefMapHandle 5464 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc8a2682-249e-4589-940c-61109911b7ef} 600 "\\.\pipe\gecko-crash-server-pipe.600" tab

    C:\Users\Admin\AppData\Local\Temp\1002542001\num.exe (PID 2088)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1002542001\num.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 1916, started outside the sample's tree)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\WerFault.exe (PID 5252)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5908 -ip 5908

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 4200, started outside the sample's tree)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
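The branch under c17ec4b31d.exe (PID 3972) is the most distinctive part of the tree: five taskkill calls force-close every major browser, then Firefox is relaunched in kiosk mode on a YouTube account URL carrying a Google sign-in path, the shape of a full-screen credential lure. The following is an added example (not part of the sandbox report) that detects that parent-level sequence over process-creation events; the events are built from the PIDs and command lines above plus one constructed benign kiosk launch (PIDs 6000/7000), and the pid/ppid/image/cmdline event shape is an assumption rather than an EDR schema.

```python
"""Detect a parent that kills browsers and relaunches one in kiosk mode.

Added example; not part of the sandbox report. The events are built from
the PIDs and command lines under c17ec4b31d.exe (PID 3972) in the process
tree above, plus one constructed benign kiosk launch (PIDs 6000/7000). The
event shape (pid/ppid/image/cmdline) is an assumption, not an EDR schema.
"""
import re
from collections import defaultdict

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\s.*?/IM\s+(\S+)", re.IGNORECASE)
KIOSK_RE = re.compile(r"--kiosk\s+\"?(\S+?)\"?(?:\s|$)", re.IGNORECASE)
# Substrings that suggest the kiosk page is a sign-in flow.
LOGIN_HINT_RE = re.compile(r"signin|login|accounts\.|challenge/pwd", re.IGNORECASE)

FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
TK = r"C:\Windows\SysWOW64\taskkill.exe"
KIOSK_URL = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"

SAMPLE_EVENTS = [
    {"pid": 3972, "ppid": 3580, "image": r"C:\Users\Admin\AppData\Local\Temp\1002541001\c17ec4b31d.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1002541001\c17ec4b31d.exe"'},
    {"pid": 2068, "ppid": 3972, "image": TK, "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"pid": 1216, "ppid": 3972, "image": TK, "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"pid": 3360, "ppid": 3972, "image": TK, "cmdline": "taskkill /F /IM msedge.exe /T"},
    {"pid": 884, "ppid": 3972, "image": TK, "cmdline": "taskkill /F /IM opera.exe /T"},
    {"pid": 2508, "ppid": 3972, "image": TK, "cmdline": "taskkill /F /IM brave.exe /T"},
    {"pid": 548, "ppid": 3972, "image": FF,
     "cmdline": f'"{FF}" --kiosk "{KIOSK_URL}" --no-default-browser-check --disable-popup-blocking'},
    # Constructed benign case: a launcher opens a dashboard in kiosk mode without killing anything.
    {"pid": 7000, "ppid": 6000, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://intranet.example/dashboard'},
]


def image_name(path):
    """Last path component, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return one alert per kiosk browser launch whose parent also killed browsers."""
    killed = defaultdict(set)     # ppid -> browser images force-killed
    launched = defaultdict(list)  # ppid -> [(pid, kiosk URL)]
    for ev in events:
        name = image_name(ev["image"])
        if name == "taskkill.exe":
            m = TASKKILL_RE.search(ev["cmdline"])
            if m and m.group(1).lower() in BROWSERS:
                killed[ev["ppid"]].add(m.group(1).lower())
        elif name in BROWSERS:
            m = KIOSK_RE.search(ev["cmdline"])
            if m:
                launched[ev["ppid"]].append((ev["pid"], m.group(1)))
    alerts = []
    for ppid, launches in launched.items():
        if ppid not in killed:
            continue  # kiosk mode alone is a legitimate deployment scenario
        for pid, url in launches:
            alerts.append({"parent_pid": ppid, "browser_pid": pid, "url": url,
                           "killed": set(killed[ppid]),
                           "login_lure": bool(LOGIN_HINT_RE.search(url))})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"parent {a['parent_pid']} killed {sorted(a['killed'])} then launched "
              f"pid {a['browser_pid']} in kiosk mode on {a['url']} (login lure: {a['login_lure']})")
```

Keying on the parent rather than on each taskkill keeps the rule quiet for administrators who use `taskkill /IM` on its own, and the `login_lure` flag separates a sign-in page from an ordinary kiosk deployment without making the URL pattern a hard requirement.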
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.2MB
MD521eb0b29554b832d677cea9e8a59b999
SHA1e6775ef09acc67f90e07205788a4165cbf8496ca
SHA2569aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656
SHA512e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5a769fdd938b16ed2b27193276784f65c
SHA1da05b1768fe9a67e7b995c0ab07c96913144dc11
SHA2565f9d88142afdfd76409c0ff0871a85ae96591b7899852809bb86ac23551e18e5
SHA51286bc041043a7da4fc6f7ae2f27d8de7efef9bc4d1055e2e6fcd81a2a71a4ff099ca57f1998455c71163733f0ad78970d23b714a763b3235fc6746e622841df8b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json
Filesize30KB
MD51ee65b5400e01f3ce89c6c66bb99b259
SHA151d2701958bd39b52561e75e93db5f80bec35e99
SHA2561d19bc0bdc418ae3ec3a7a6e8925055977aca0186b30bb03d7e10edc75a51901
SHA51264fd730345d9093c88d7a95fe6ac19c11b59b29e2948bb99abb517894ee10a5c2eb5dceee993aa6ce6774a2b0d8214d394d6bc5c2c868b91f63d1a83d2c77c95
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize13KB
MD5e162f97a54d9443e480e6e8a6315263c
SHA122596f8ee5c13910b3d4c4885a64c87d8e3b1b1f
SHA2565809c78997e92163a5949d0ea2ff4b1c777aaac34227846588c3b8e2225ac2e7
SHA51285162a1b734f0a500beb671ca95fd3f02235363e2ac02a92e41935bc6ecb104d8c2158694a9718a1a962958579af640a8b8af2dc937f8ee121485e1c3cdd0ba7
-
Filesize
11.3MB
MD53a408188540d593a618c37ff3b9fa378
SHA17298ef70541efda3185b81dbfada7f8c1998e75c
SHA256883170fb01d121dd32d3de0c16f987429da0cf1d137e3ce6a92fef44947ae53a
SHA512b2399171504df008ca2d3007d33858002c704cb0d892b78ea41e751051f8ccd96b8e887ba5c393daa4124132dce96daf631808d96e70b4a799b282f9133d477a
-
Filesize
21KB
MD5
3ba35e9d091539ec658813e3d15e4b89
SHA1
3baf91a24418399f05d99206f8f004ae48d6a134
SHA256
aa133af788a57f91449a01402067a28f744172154f3a5d3f8d0d47f350037ec8
SHA512
a815b64909b9a81c39385c98f00666644d9f0281dcf53582752f84da1eaab3a76fb16d76ff4b47057bab0a9249eb3263bf7fecf88a554daa986c8935281393cd
-
Filesize
2.9MB
MD5
7f339d0252f408065abe57ac23eed91c
SHA1
1f07e6f292500fd235ec540cb56045a3081efa6d
SHA256
c94e84bee19b31c4663f8df36368ed87dd16e2021b5727a45c973ed8cf04dc0d
SHA512
b9e8c24fdce5011437d4080baf884065656c1f8d3760914580307ff0ada32b008c5e44e6b0ce4bbfd7f43471ddcd8ee1e82f2dd40d776afbaf7359c54033a4db
-
Filesize
2.0MB
MD5
0d30eb6a4023a6dce770ce3d6388cb9b
SHA1
83e8c18d4ad2b7c36d6699e7a9e25a7b552b9779
SHA256
7ea542ed634733c045e8d30777ae4f1c9a0a87d532f336158d36887483a6af7c
SHA512
a961fae055e2f8e69e8f0e2501b38d03282c522435e51d1a8c484c2997df0c571aae580d8c1d6e0efdf95fcd32686d0badca1a772250efc9e42941ae8eebe66f
-
Filesize
898KB
MD5
90ea7d80c37af043396d189144583971
SHA1
baf234de90b9fcc4f4a13cad020b854faaecea91
SHA256
cdb7076e6706a7a45a01db49f26851d9b4682732fbb53f320111c48003d7379b
SHA512
e37fe88a8ea39d4fd339dbafb7215f68887b28ef3f833d6b2a2a837bbd3609cac523736e2aa5b48c206ea33e84d1689c8f3267913a06f2972a2829d49c2fa327
-
Filesize
868KB
MD5
f793d9e588c6bf51f1daf523ab2df1ce
SHA1
f63ce1f9eee9f3ae643e270c7fc854dc51d730d0
SHA256
a8addc675fcc27c94ff9e4775bb2e090f4da1287aae6b95cecc65ccf533bc61d
SHA512
4d0d8bf366f4b4793154f31aee4983df307b97edc83608b76628168418d48227eb46f6213469eb4d3a088d891a143b30b3b02acbb194df834da1b61d182607eb
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD5
b3d3107faf89ed1b14eba469e5f6442c
SHA1
8c3ceda065d74eda75374cf6fd10bca04ac9a745
SHA256
05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd
SHA512
e9f27839f957ad699f4cb6546e66805f47e8e924d576cb8bb200b5235bbf5bc47402177668d2a624b9b5ba5d277f8d69c5414e36a61c40fb91a644bcc536ae86
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin
Filesize
10KB
MD5
40bea1ca184893fca0cbe07c5e544ca8
SHA1
0bf724aeed922c8ac89a4bb9152ac3f026b972e0
SHA256
70f8c52e379cf9cc733ada1cda5861f62a3d998deb294a00b5b22e70086063b7
SHA512
8b707b3b616b6b884573b24b95d9f7ee94966f8532c58c9cbb1fdff56839ad88cc2539df3ea3fba13fd2c0031088dfc6ce0237fad0867a007940787657f3be83
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB
MD5
3e5f463fad1b4fe67725379effa1ce7b
SHA1
558369f1d0b79e45d204cd947918127458e0121d
SHA256
db844c7908f6558dfb674523f5b237527a8c09b37fbf4f1eb06d4ec36d669e63
SHA512
727aeaac380faebffe98cfd3ca56449ac92e16f44a22bcee19ccdb8a70107f82fab52e96dd4b142899c914cbc245c8a98c3e40e3f2badb646ef348c68c08369c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB
MD5
11afb540378dfaf0d85555ae97d0fd89
SHA1
fe0858fb1ad5ab7374bb9aab01564c4bdb3ecce4
SHA256
1c077a7ef3c43ed4cf31a75c299f06ec2ec12831b91356aee2db73a73603e506
SHA512
314d65097c001c35bc8b15d98f71bb9a973f6edbc0e7319ef6bc30b74292e80e93c1fa2c390dbd89a784fc5533393c0abeb0be3bb20a7c093717272d61328a01
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB
MD5
ed25b0ce14edd1b9e29f0ede4613c1d1
SHA1
ab9c6bc3c79720ba410c9954495b5128aefe707e
SHA256
02c2256954de19d6a62ad4b6f0a3c1b12628ca3476cdbd6d2ef28c16bf3f5203
SHA512
cbb534c6830edff322f850c535d80446d71eb35ead1d6ae6f99dae1d9aa18e1161531d97ea14cd81ee12eafbc74c1399190950f1bf927f584cfed1d4c2d95779
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB
MD5
3bfc2bc3e0840bb7ac0d23cf81a77de8
SHA1
5e8be9cba9ce3a5c0f90c1df55703d10b6d896e0
SHA256
d6edb42f2ba8259016da7091bf944f38df86ca13b109ea46564687c3f76b170d
SHA512
cb6cc089289795aba3d688fdc6652c3cb033bd86fae3773913babdc9dba124803ec5d00dfc3700d6db19cd7828de26be91b056ea7d56eef997e6cc05f08ac220
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\71828b1e-2d74-40b4-b19d-e9fac1909eb6
Filesize
982B
MD5
05fe9140ee8dc89ad6eb05b9099797b6
SHA1
370af3ffe457c044c5f4464b4a040ad3d1842c49
SHA256
d2b7f61c18500e59e5945cf2c1042c5feeb231490e756c63b5b981f739960d3c
SHA512
352f165e6f251a5646b1ec14854a86caeedc4df381340f541b7e25c707924958a0827b29e7a9038a0d100b8c5c160ff4904acd0c1a4a5e0f9d925c190cd7577a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\889d1e38-0aa3-4373-ad56-2701f7e25fc2
Filesize
671B
MD5
4dce7d8f1a490557b106e5297479af21
SHA1
99c9c004ced5c4e34acae5a8fce4facf8c8f33cc
SHA256
b34d193c4077621d65d717e5565b1bc1c6ee452a8a6bf0ba4483083b7e65bcc2
SHA512
e193e2bc44bf1a2c37de120f6e4f40a6ff7b66ddf0e25e539f8dd5fab2930ec2b8febc7f89b6864c77a1a00502337f0639920167fa2e95cfa717992349d7e52b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\e1789597-b85a-4ec5-a738-02418ab9ec25
Filesize
25KB
MD5
2df052b8575ff710fec35dd370cb66ed
SHA1
cb560dee9cee56828ad28a5692a14f1169d7ce2b
SHA256
2d6c15971e53cfda7a683480f2e5dba78eb15f48761d04f656d84b928c2a5b10
SHA512
da85f5a114cc73d02aaa26087ae386dbd37d5d79a6be4a7eac185ab4c353ec446197dfb733590924e035b9f964473d0e0c611eec15adb26dbc77c666d99bb7a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
16KB
MD5
de08b743a9059bf168dd09fd38a6c882
SHA1
eb9cfe6aa0974d96ff87a649c40f275a862bc169
SHA256
67b6e4a60b15cbaa2786be5f8299fbb15fdd520213c9191c48840b3a646942f3
SHA512
28cf375f45a729ca7b95cca04c5079c875983af374c354447d6fe96166b61411a92a2a9c3a73ce1e827af1bafaa7b1c3075f834b21466da165b0dde5ad33596f
-
Filesize
11KB
MD5
9b19458491c3275990703af85d49faa7
SHA1
11f3790c8a638adc64862a857a7b84489d9e4c0a
SHA256
dc970e97f2574a58a39c5553b4991172e77eba2084a193f65868d6d37641085a
SHA512
71120a3f429ee4ae4d6041ff0c8c03b0e25deae6525518e0c1051806be2a3df7abad15fe2656e3e7d3ebef3caba51e363910bd2e3a04096543d5739343ff868a
-
Filesize
11KB
MD5
e7b8d12a36e17dbc6059e712587c7733
SHA1
fb5f00dbffbf14a94ebb387143d6f0c7ad52d0bb
SHA256
4fc8b1384176df6dd094dd57332fec49bc40cff001a6a2ee182234c4ed3abc27
SHA512
1acfdf7c8a96da9643582d9e45dc6e7443a71147ffbd420235f7fd890c4777e79b180f0b02bb60fb03af07a2acbb80fb3b16d796377a5a629c40d0ebffb7fb9d
-
Filesize
11KB
MD5
271d62e97f2cd183ff4855021e7fdc3a
SHA1
d0b4c42bfb1831dba9c79e641f247bc894d0380f
SHA256
700ae265392029527c50bbd7f7f302e5c4d729f0e3fd505b088ec63274ec1818
SHA512
cdf34220f4740aa9ecb022362b91d712553ab63b8c20a9f056bd4d93c6fb3bbff9c92bdb200a58ad21ea65b98e6fce15a94778718fa9ee151a3b81f53156be88