Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 03:25
Static task: static1
General
Target: 691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90.exe
Size: 5.6MB
MD5: 80a06daf6ed8a048bdb8e984944b6dda
SHA1: cb5607827f1cf72c7348da9cee31e0fe2f172798
SHA256: 691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90
SHA512: a44e709575bddbfca2a9be133ba3a3a436ce1f1375e1a42e4aeeafc9ad63ca8d1ba0bf11b4bb9cf0e119fb04401d1a50fc01f385184f503992cc5547e244b751
SSDEEP: 98304:7cs0H4FuUhefPoROiItH1uPUvWlpu0hPyc9/Y3CroeUjsJJyRCMStCAnPEjKKTD1:QsHThKPok1uPNlpu0hTw3CkeqsJANStW
Malware Config
Extracted
Family: stealc
Botnet: tale
C2: http://185.215.113.206
url_path: /6c4adf523b719729.php
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted
Family: lumma
C2: https://founpiuer.store/api
Signatures
Amadey family
Lumma family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 756bdabc62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 756bdabc62.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 756bdabc62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 756bdabc62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 756bdabc62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 756bdabc62.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 10 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2Q3467.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3X95f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4p222w.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe (x2)
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0f622b7599.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 681f30718d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 756bdabc62.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe (x2)
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 20 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4p222w.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe (x2)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2Q3467.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 756bdabc62.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0f622b7599.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 756bdabc62.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4p222w.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 681f30718d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 681f30718d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2Q3467.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3X95f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3X95f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0f622b7599.exe
Checks computer location settings [2 TTPs, 2 IoCs]
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 4p222w.exe
Executes dropped EXE [12 IoCs]
pid | Process
1748 | b0P62.exe
2272 | 2Q3467.exe
3020 | 3X95f.exe
5040 | 4p222w.exe
4400 | skotes.exe
3460 | 681f30718d.exe
4664 | skotes.exe
4924 | 0f622b7599.exe
3464 | cdddc72bd2.exe
5856 | 756bdabc62.exe
6492 | skotes.exe
4408 | skotes.exe
Identifies Wine through registry keys [2 TTPs, 10 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 2Q3467.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 4p222w.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe (x2)
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 756bdabc62.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 3X95f.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 681f30718d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 0f622b7599.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 756bdabc62.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 756bdabc62.exe
Adds Run key to start application [2 TTPs, 6 IoCs]
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\756bdabc62.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004008001\\756bdabc62.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | b0P62.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\681f30718d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004005001\\681f30718d.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f622b7599.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004006001\\0f622b7599.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdddc72bd2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004007001\\cdddc72bd2.exe" | skotes.exe
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000b000000023caf-87.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [10 IoCs]
pid | Process
2272 | 2Q3467.exe
3020 | 3X95f.exe
5040 | 4p222w.exe
4400 | skotes.exe
3460 | 681f30718d.exe
4664 | skotes.exe
4924 | 0f622b7599.exe
5856 | 756bdabc62.exe
6492 | skotes.exe
4408 | skotes.exe
Drops file in Windows directory [1 IoCs]
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 4p222w.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
Program crash [2 IoCs]
pid | pid_target | Process | procid_target
3520 | 2272 | WerFault.exe | 87
1768 | 3460 | WerFault.exe | 105
System Location Discovery: System Language Discovery [1 TTPs, 15 IoCs]
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 756bdabc62.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0P62.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3X95f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0f622b7599.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2Q3467.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 681f30718d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cdddc72bd2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe (x3)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4p222w.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Checks processor information in registry [2 TTPs, 8 IoCs]
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe (x2)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Kills process with taskkill [5 IoCs]
pid | Process
2140 | taskkill.exe
4572 | taskkill.exe
3436 | taskkill.exe
1464 | taskkill.exe
4140 | taskkill.exe
Modifies registry class [1 IoCs]
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses [27 IoCs]
pid | Process
2272 | 2Q3467.exe (x2)
3020 | 3X95f.exe (x2)
5040 | 4p222w.exe (x2)
4400 | skotes.exe (x2)
3460 | 681f30718d.exe (x2)
4664 | skotes.exe (x2)
4924 | 0f622b7599.exe (x2)
3464 | cdddc72bd2.exe (x4)
5856 | 756bdabc62.exe (x5)
6492 | skotes.exe (x2)
4408 | skotes.exe (x2)
Suspicious use of AdjustPrivilegeToken [8 IoCs]
description | pid | Process
Token: SeDebugPrivilege | 3436 | taskkill.exe
Token: SeDebugPrivilege | 1464 | taskkill.exe
Token: SeDebugPrivilege | 4140 | taskkill.exe
Token: SeDebugPrivilege | 2140 | taskkill.exe
Token: SeDebugPrivilege | 4572 | taskkill.exe
Token: SeDebugPrivilege | 4308 | firefox.exe (x2)
Token: SeDebugPrivilege | 5856 | 756bdabc62.exe
Suspicious use of FindShellTrayWindow [32 IoCs]
pid | Process
5040 | 4p222w.exe
3464 | cdddc72bd2.exe (x6)
4308 | firefox.exe (x4)
3464 | cdddc72bd2.exe
4308 | firefox.exe (x17)
3464 | cdddc72bd2.exe (x3)
Suspicious use of SendNotifyMessage [30 IoCs]
pid | Process
3464 | cdddc72bd2.exe (x6)
4308 | firefox.exe (x4)
3464 | cdddc72bd2.exe
4308 | firefox.exe (x16)
3464 | cdddc72bd2.exe (x3)
Suspicious use of SetWindowsHookEx [1 IoCs]
pid | Process
4308 | firefox.exe
Suspicious use of WriteProcessMemory [64 IoCs]
description | pid | Process | procid_target
PID 5024 wrote to memory of 1748 | 5024 | 691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90.exe | 86 (x3)
PID 1748 wrote to memory of 2272 | 1748 | b0P62.exe | 87 (x3)
PID 1748 wrote to memory of 3020 | 1748 | b0P62.exe | 99 (x3)
PID 5024 wrote to memory of 5040 | 5024 | 691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90.exe | 101 (x3)
PID 5040 wrote to memory of 4400 | 5040 | 4p222w.exe | 102 (x3)
PID 4400 wrote to memory of 3460 | 4400 | skotes.exe | 105 (x3)
PID 4400 wrote to memory of 4924 | 4400 | skotes.exe | 109 (x3)
PID 4400 wrote to memory of 3464 | 4400 | skotes.exe | 110 (x3)
PID 3464 wrote to memory of 3436 | 3464 | cdddc72bd2.exe | 111 (x3)
PID 3464 wrote to memory of 1464 | 3464 | cdddc72bd2.exe | 113 (x3)
PID 3464 wrote to memory of 4140 | 3464 | cdddc72bd2.exe | 115 (x3)
PID 3464 wrote to memory of 2140 | 3464 | cdddc72bd2.exe | 117 (x3)
PID 3464 wrote to memory of 4572 | 3464 | cdddc72bd2.exe | 119 (x3)
PID 3464 wrote to memory of 3952 | 3464 | cdddc72bd2.exe | 121 (x2)
PID 3952 wrote to memory of 4308 | 3952 | firefox.exe | 122 (x11)
PID 4308 wrote to memory of 4664 | 4308 | firefox.exe | 123 (x12)
Uses Task Scheduler COM API [1 TTPs]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\691c7ddc3e39d23fded313d5fd9e2f2e2a73e20358e674621675f1d0b5e27c90.exe"
  PID: 5024
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Process (level 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b0P62.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b0P62.exe
    PID: 1748
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Process (level 3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q3467.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q3467.exe
      PID: 2272
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      Process (level 4): C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1592
        PID: 3520
        - Program crash
    Process (level 3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3X95f.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3X95f.exe
      PID: 3020
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  Process (level 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4p222w.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4p222w.exe
    PID: 5040
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Process (level 3): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      PID: 4400
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Process (level 4): C:\Users\Admin\AppData\Local\Temp\1004005001\681f30718d.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1004005001\681f30718d.exe"
        PID: 3460
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        Process (level 5): C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1568
          PID: 1768
          - Program crash
      Process (level 4): C:\Users\Admin\AppData\Local\Temp\1004006001\0f622b7599.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1004006001\0f622b7599.exe"
        PID: 4924
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      Process (level 4): C:\Users\Admin\AppData\Local\Temp\1004007001\cdddc72bd2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1004007001\cdddc72bd2.exe"
        PID: 3464
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        Process (level 5): C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM firefox.exe /T
          PID: 3436
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        Process (level 5): C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM chrome.exe /T
          PID: 1464
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        Process (level 5): C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM msedge.exe /T
          PID: 4140
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        Process (level 5): C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM opera.exe /T
          PID: 2140
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        Process (level 5): C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM brave.exe /T
          PID: 4572
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        Process (level 5): C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          PID: 3952
          - Suspicious use of WriteProcessMemory
          Process (level 6): C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            PID: 4308
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2076 -parentBuildID 20240401114208 -prefsHandle 2000 -prefMapHandle 1992 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b600caa-9a94-460a-9519-c89636124af1} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" gpu
              PID: 4664
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b69c180-d161-445e-98d1-defe90479fe5} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" socket
              PID: 676
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3152 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6e36e9b-85d2-4335-8b93-8c4da259ab06} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
              PID: 4324
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3652 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c07deead-148c-4df2-b4f0-0777ae1cb7e7} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
              PID: 3156
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4608 -prefMapHandle 4604 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ac4985-2dc8-45d5-b33b-b29186833192} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" utility
              PID: 6552
              - Checks processor information in registry
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5348 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7d388c5-3f98-41fb-891e-7b9416c41307} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
              PID: 3472
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75fb76c-075a-446e-817c-7c916aa09713} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
              PID: 4940
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5780 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97d2f8f1-0848-4b99-a63b-3d936e68840c} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
              PID: 4364
      Process (level 4): C:\Users\Admin\AppData\Local\Temp\1004008001\756bdabc62.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1004008001\756bdabc62.exe"
        PID: 5856
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Process (level 1): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2272 -ip 2272
  PID: 3440
Process (level 1): C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3460 -ip 3460
  PID: 2244
Process (level 1): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  PID: 4664
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Process (level 1): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  PID: 6492
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Process (level 1): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  PID: 4408
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Impair Defenses (2): Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json
Filesize: 24KB
MD5: 6888c2bd6d83e4cd0ffbbe777d157023
SHA1: 6c062e56538f1aabfcb8d3582ae4bd96abd4bed7
SHA256: dbfc1f324e2eb536119e2223f8822ac86e3b74310ea58d3ca37b5d2677fd1229
SHA512: 4bb1a3ecb5dcdebd08a5d816bddc4d808d3d500394c7cebf535949c272fa250eea474639d8b055115cd3c3efeef0a8d9a95c8f1e05c2d0858cadf9ddf3936242

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize: 13KB
MD5: 3ec3bde0acb4abe0f64f8b01142d8b8c
SHA1: dfad4e59796679c42cc548665212b7f2a70edd9e
SHA256: cc462e6eb61feed8ebe8838511026ee7d12d1f5a1b989a0ddb49b7e1c63d751b
SHA512: 6712792a69b0d1658a9a1de0a7a3bfc9e0b988fda5c90254cac67da5a0afc0629ecbeb9a32e2cee5e3da3d310eeacab7950e6ee23d3fc64241a570b4fa4e7b2c
Filesize: 2.9MB
MD5: cf60ed449e8668f8ee28985018351b0d
SHA1: 4558c970a77f0650c06992b958fcae59153aa70c
SHA256: 63cf66b3f95e4d1c2e5032967b691eb371046bac41ddbb9166e9b146a090421e
SHA512: bfb123fc0fcfcca329d5feb416e7d55ca02f52189bbe52876de8e9d7312a2b45c6432228b194ea3bd1b1fd4a9b6df76c7c90e6f6c5e52e5e9f56abe6ae544e26

Filesize: 2.0MB
MD5: 3080c431ba635ab40c0bea78645be17e
SHA1: e38d82e5f7d12fd180c18ddfd7cdbb5b3fcda553
SHA256: dda1026bd3b7331d8bcd84d9766fb1623bf48d879905444c2809e09766729b06
SHA512: 740d68d68eb267c33777bf0517e856ce8b800d74f0f1a08f983ffbfd5cb015a4ea0e2793713ef3b2dbae74f588d5ff5ff4f90ce43894452b398799f5a678ba6a

Filesize: 898KB
MD5: fbc125173c935d3a74aa2a1a3908cba2
SHA1: 50c7d961cd3ff761854439944ee304e11f0874e8
SHA256: 4f895492a98dbdfbb6c02c2bcded323ce363511d183e0d4fc3e9ec856445fe2f
SHA512: a237225cca9330fde86e7107628642dedfa5c2ddec7226615ca8396114455129f98a4db6fd3b18198f1e3918193d965cf4ee0635a20dbd0e736931261bbf0ac3
Filesize
2.6MB
MD502d2fcab91e6dc7756d9be5317c9506b
SHA1a10aa93039af20fdacb0f04d2d357f4f60bcc2fa
SHA256d42846ac158ea49c2efd90ef76a56c0bceac96158a215415187d4164f4a2161a
SHA512024de5d18f13e68f273bab3e350dd035c6398ea4888ca7bb249b681400dcb4d20604fdaaddfc2b45ef111335adcc5abe630d97b7654cddd2131902390496a19c
-
Filesize
3.1MB
MD50867434e979c37b735b811da7cb62901
SHA1bc5d01c6528c3c3ee74771e26d7c042132c6fd23
SHA2567120008be37cef6748a1db1b9b4975c6944ff14c720e7d7dfabba1ad494b807b
SHA512c81bce33527a5bddb8f3739197287b07f3d6899b35c12848e47a8ccbfa886243dde93b62c1b012b2bb36ce869a6173dbcb87e7684d8dbe9f3fe1e6bdfd9b4df5
-
Filesize
3.8MB
MD530b4549afa767832cd8c3c081be8e250
SHA1ef73adb86b92133a77d15349e8726f075f2ec130
SHA2560af39c14edc100fd28dbaa0412d434ede86487e2fed5e60642a7db84c98701ad
SHA512d5e44b5fa310052a03108151d294964109403865977d561951befcdfab6a5fc31236b756f195d28e4460931c66e63b40a6e5c43b6d879ee0a554ee3c7ad6dc6d
-
Filesize
2.9MB
MD589010d351f8ec0506117c21b1bbeabd1
SHA173930a64e2998bb138a11e09ce1fa1d024ba8f19
SHA2562410bdfbeabe94203871303089e582b8d97da224004164017e950a585b5a36bc
SHA5124f7222f7dcecd8474ce8bbc3762db6da64bfed5c977403f268e04d24b6d6636f854cd19809122a851a396271084a44357141bcc560210e1930e3027cd12fe49b
-
Filesize
2.1MB
MD5664cbe9037889eee1ee4b216d6b2b39a
SHA1e252080cb9145574970ad617d75cf3d524a365b0
SHA256c7cb553bd63823408f7f8150e5ab4c7d964d638d2238828c7dc78a6debc1800c
SHA5122279f139525e947b269807bce517d9d22301e83f15719afec0219cc7e68ea1db3f9ce985e540fc06fdfe76d9b9e60dda53946f20d03b1b63ca3237d9486dfdf2
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize7KB
MD5b8a2347906b27118399c43d2b9ee6612
SHA1b4236254cd6ea0178a776279436abe046f24e5ce
SHA25630c5f40384c6400fb7f8e3e821b740f10b33d7f2b66e56a8e42a5c9207a940e5
SHA5127a4f33c885c542b6bfde70dd3a93e251fd4d2e044e17248fd9e94b6a0fd98aa9b81ca6f33a08623f6297a83f304278e09d8c3c850194f25b13818ce39a3bfa5b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize10KB
MD5c2a28f82c7641995e71dbd70a74fe03d
SHA18bd470c1f73b0df7ca822b4b35967b46b33109da
SHA2567659d3b7a2a8d599a8ee86537304bead8a9e26dff209aeecd9b352dadfeceb61
SHA512354104435dcb542150d68d454632c3c00d9f886a373eb9f7a1adb6b0e317007b6dbbfb24f5000e23326632ae28e1f7546e547165be8a1d439a5c65217ab7a336
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD53c4ba567aea5fdca4197367043c58aed
SHA131df83669fcead28fd48aabd0d23629f09c904b3
SHA256164993a5f278aa5cd3a67c5dd1505da4ff6ae9d280628deab1f87ccfd0757143
SHA512894e11f97b289de0a6d8cea0bc9d204a385c86625cefadad688b695b332b98cde5428697075a6ebc2518f8eb497eb4794137f75991203e93751a538c2edd390c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.bin
Filesize22KB
MD56adcb604587d481b0b5e5bd3ddf49d56
SHA1662ae5f3a608897b95140b243cd06dff02c77bf5
SHA2565f244ba7719d9c2f986cd36fdb68510a26012c3b3a6397f61d2e5c4d1d5cf027
SHA5127c97958d02b8b5126e09c684cdea611a9c4671bd945436128d4ef5050d3c6b900768e7cf769e2551be85418c778838ba2e876dd28d6b8746485dc4f749b35c1b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.bin
Filesize24KB
MD5e094631d8419c39578654c3e2cc3baa6
SHA173c449f35bfbd0cd04e3ba915b60d672a63f6e67
SHA2568538bce8edc7e101913746acf64e2314e16221585dc3cef30605dc39e4af2158
SHA5126f2c258db6a4ad9ebe26e28e656439f912995da83d5e782306f27d97ab9336fd90b8dd3d3d18089445e0ca4b6287946fdccd5953659f6077c07b63af5420eb94
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.bin
Filesize24KB
MD5b562ddaff20a907efb18c39f6e3d6bd8
SHA1e09d102a584f71d414fc7a9b8fb482329fecb337
SHA2566dc970db87cce40bbe1cf7b55bf8aa0bd57207a62db0173e3622ec6c8ce88171
SHA5122a6d5bda56f232dc073186c25656364901293fd714b060406e6f5ce926d66fbcfd4b1c632d31a5081dad7060d03a0b47278ea438c459782112f15f509a12698d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD5a4ea18eb17e455ae5b9b5f77050b6959
SHA14213aa0f833213a4fab6deb1c9af3565b78da742
SHA25692d306280daa72a36a84851ab6a7b11452eab9145ed74852bfb80b7bbd993925
SHA512f1d8f1d87f8de3f7aa5744a1b2247619362a90df8f8a077e3ae1e0691cc765e5d09adcea7b6085d35d3a218918d28c7f3ef0997edfd22730cee180ce83e7247a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD5cc0ec78fed8b6f7cedc71de264a8de03
SHA13b3120984afc6b1cbce62654e0117119c32ff0a9
SHA2561c7da4694fc1f9de52f64d3369cc15b771e0a8cd56295e4ddb7e347638ff5178
SHA51234fcc65af573f685e7239cd454ded8c82d94722ddf163e7a8a9315d1e822aa0658bb2c4ab20ea35be7dd584c4751d77e576776685b44602ef61d4a9958435c0b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD557780bbba691204b17c6ed1da3f531d0
SHA116fbf2702157c5ab17dce893af69a9a59f5aae05
SHA256e375c81d605dadcc7b6eb958999686e6fe189731a6c1e199cdf1dbc8a93306b3
SHA51294b04928719a05b84d92141fa850cc19b3df8e8dd949975200954b371def28cd00019b8a4323f04b5c3b628f5b5d766d6e9b67ca8c703e9abe323b4261021a33
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5391b4946b7088f73b2954e234b325dba
SHA19211a447b13c49888511e86ac12a4ca116ab3b69
SHA2561102389368265f255d46c178fa1ee7041cb4aa5d42212568fa5a91d900d709c2
SHA5126c847bf77e6254e65080ea52fca12d15638aaf9cea0dc99e135dff53445c6638b4ff954c460bef5cc2e221243bc57178a44b6b59f93d1694bc89c3c7ba93c5a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD578c4aac21ddfe695eee8a55f916af23d
SHA17cef471374d2d95521d0dfb796454d7c86918c27
SHA256b2699ddaf3e2bcae61daa5118c3698a65290ef72a4766bcdf80b34544217006a
SHA5123643a70916bf91b4b5305c0a74cebbf46101aeff02c2672e5f5a270c1393db9f1438b9630050f0aa1e7d15443d04554e37e7b3f925870dc4103777db01eeadf6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\42329b89-5608-4b57-ae8d-70916cb50619
Filesize982B
MD5a28795115735ec79708b6a0c71417158
SHA180807b84e1bc5e88f468bd430d9d5249ebfe6e8e
SHA256bf1d83e2eadc17ab596f2862b07abe33614ef80f67639e7d8175e82eb2e6c12c
SHA5127b46d55bb87f77d3fa06aa479cae88c2f36a30aebc0bb8e164ea296e3e06afbd3c21a14b7422822c5ccfb52f27e77efbb628351259533fdf816be1d23ef48c1d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\979dc17e-2f00-442b-b9a3-28d635318700
Filesize659B
MD562e4adfa217ab03cd0668ceb5eae2b3f
SHA12f74fd1d3025fdc9e7bacf8def05c722c369beef
SHA25694ff7c797fe4ad04f0f2881d51a0963697b1197ebe5c865856579d062c53c51a
SHA512f81a11221f0d5429e136eb9217ac39e6fa9b3ff5a79c41f66b364fa49cd1c51f274fb9f31c89d364ca392a8438f2a7ef17580cb97132c2f228e7f99eaa22dc74
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5ce7832aabaa2fd1f6e7779b9794c0d3b
SHA14ff9f6e485688e4237affdc6a27e49a055188e9e
SHA256899f0423a60cf1f566e42779d80f245ada3d8a13a68852da0a3d7b63c323184c
SHA5123b3f9480c15045a622876ceb56ad6519b2fbfcf2853efcfe45128aab2bfd8356cb2333f3c6788347ee06cc1362d417f92e840bcaaceb1fd4006d9a2d48a5b9fb
-
Filesize
11KB
MD57563a725b66657421084df5ce93e8115
SHA18196c397c6b8172047f979ae7eaa985cb1158023
SHA2569a7676e1d69f8f618095c21b014636ca7694da30eb178e57773fbd3a0b9f7092
SHA5120d8a35dfd60401ccfb0bafa2eb7f8d9c6af17b1259f1d0ae3814149723dac8089e6e8af37c2f174edf931b62a648c9688a2bf63125d19e248159d4e00980049f
-
Filesize
15KB
MD5c5b6d4bf560591b15fe2cd81d1c2db92
SHA1cdf8e0f2010bbc45e63caa442885e2bc34115006
SHA2560510a4c7876fd8ff19f0d18aaa08c315762ff4e6ff22b7be61ab3ede654c49f9
SHA51290885b1efff75120acce1ad904657dbc6d07bf081ef1705785ffcbd2aa8c45a1474b93c986c85cac036a3912bba87ccdd933bb4976a8c6c5dae7204ca2245624
-
Filesize
11KB
MD5925dbf0f8a2b07f8cfaa4bffadc26a6d
SHA11b295b6f7784b0c581a7be76694cacab7004504b
SHA256175dda38f41fdaceb6ac9a0a33dd971723b5d6a3cef152607d0836c7ba28010d
SHA51259306925577de3fb1c9ca33e427d72e552306fd62f33cac2c10cedbbc47e0d2b5a7b07e3c93290ca713dc7ed840e04ffd87d4dc45d70027b2fbf63e99654ecdd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.8MB
MD5370d47911a900ddb51636b9c54a31497
SHA103e50d433fcf2283cdb60484e948d6353f6282d5
SHA25617434a99abe09edc769b00ff9adb97cce319754556187550b2570af7ec16ec58
SHA512feecddbb3e9efbfbdd092729f6714b3dcc44031076575336ecd8d457c8b113361b788b780263098634f1c50680e27199874e3c14e8b043c9d189f761045a2bd2
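The Downloads list above is only useful on another host if its hashes are turned into something you can search with. The script below is an added example, not part of the tria.ge report: it embeds the SHA256 values of the 14 entries the report lists without a path, streams every regular file under a directory through SHA256, and reports matches. It also includes a small parser that pulls SHA256 values out of a pasted Downloads block, accepting both the raw extraction form (label fused to the hash, as the page arrived) and the cleaned "SHA256: <hex>" form. The IOC dictionary, the regular expression and the scanning policy (skip symlinks, skip unreadable files) are this example's own choices; nothing here is tria.ge code.

```python
"""Added example (not part of the tria.ge report): turn the Downloads list into
a SHA256 IOC set and hunt a directory tree for files that match it."""
import hashlib
import re
from pathlib import Path

# SHA256 values copied from the Downloads list for the 14 entries the report
# shows without a path; the mapped value is the report's Filesize, kept as a label.
DROPPED_FILE_SHA256 = {
    "63cf66b3f95e4d1c2e5032967b691eb371046bac41ddbb9166e9b146a090421e": "2.9MB",
    "dda1026bd3b7331d8bcd84d9766fb1623bf48d879905444c2809e09766729b06": "2.0MB",
    "4f895492a98dbdfbb6c02c2bcded323ce363511d183e0d4fc3e9ec856445fe2f": "898KB",
    "d42846ac158ea49c2efd90ef76a56c0bceac96158a215415187d4164f4a2161a": "2.6MB",
    "7120008be37cef6748a1db1b9b4975c6944ff14c720e7d7dfabba1ad494b807b": "3.1MB",
    "0af39c14edc100fd28dbaa0412d434ede86487e2fed5e60642a7db84c98701ad": "3.8MB",
    "2410bdfbeabe94203871303089e582b8d97da224004164017e950a585b5a36bc": "2.9MB",
    "c7cb553bd63823408f7f8150e5ab4c7d964d638d2238828c7dc78a6debc1800c": "2.1MB",
    "c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f": "479KB",
    "32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03": "13.8MB",
    "899f0423a60cf1f566e42779d80f245ada3d8a13a68852da0a3d7b63c323184c": "10KB",
    "9a7676e1d69f8f618095c21b014636ca7694da30eb178e57773fbd3a0b9f7092": "11KB",
    "0510a4c7876fd8ff19f0d18aaa08c315762ff4e6ff22b7be61ab3ede654c49f9": "15KB",
    "175dda38f41fdaceb6ac9a0a33dd971723b5d6a3cef152607d0836c7ba28010d": "11KB",
}

# Matches the raw extraction form "SHA256<hex>" and the cleaned "SHA256: <hex>".
# SHA512 lines carry a different label, and the trailing \b rejects a 64-char
# prefix of a longer hex run, so only real SHA256 values come out.
_SHA256_RE = re.compile(r"SHA256:?\s*([0-9a-fA-F]{64})\b")


def parse_report_sha256(text: str) -> set:
    """Return the set of lower-case SHA256 values found in a pasted Downloads block."""
    return {m.group(1).lower() for m in _SHA256_RE.finditer(text)}


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so the 13.8MB entry (or anything larger)
    is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=None):
    """Walk root and return (path, sha256, label) for every regular file whose
    digest is in iocs. Symlinks are skipped to avoid loops, and files that
    cannot be opened are skipped rather than aborting the hunt, because a live
    host always has locked or ACL-denied files."""
    iocs = DROPPED_FILE_SHA256 if iocs is None else iocs
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue
        if digest in iocs:
            hits.append((str(p), digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label in scan_tree(root):
        print(f"MATCH {path} sha256={digest} reported_size={label}")
```

Run it as `python hunt.py C:\Users` (or any root) on a suspect machine; a hit prints the path, the digest and the size the report gave for that hash. Hash matching only finds byte-identical copies, so a rebuilt or repacked dropper from the same campaign will not match; treat a clean scan as "these exact files are absent", not as "the host is clean".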