Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 05/11/2024, 04:27
Static task: static1

General
  Target: db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe
  Size: 5.5MB
  MD5: 22855d02fcd9dd28c0c47defcd45baf6
  SHA1: ee0ecf0cc237907e9f8cb835e423b710ccf98b7d
  SHA256: db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb
  SHA512: d44ec968b76db290b5e1ef574f53c2e45d68fb2122513322b874d1e8dada673994a5d6147cc55ab55e369087be2e2058c743befb307da951b5c72ccfc368aa59
  SSDEEP: 98304:oPtGpge0yv1hkGAcHEGmr2J3FCMNDPBnTVqHdqR83g2Fj0T2TfoINgjEKtr:YJe0Xl9GmdMNDPfidqy3/4C/kt
Malware Config

Extracted: stealc
  tale
  http://185.215.113.206
  url_path: /6c4adf523b719729.php

Extracted: amadey
  4.42
  9c9aa5
  http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php

Extracted: lumma
  https://founpiuer.store/api
Signatures

Amadey family

Lumma family

Modifies Windows Defender Real-time Protection settings
  description / ioc / process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  (82b701b4e5.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (82b701b4e5.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (82b701b4e5.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (82b701b4e5.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (82b701b4e5.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (82b701b4e5.exe)

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 10 IoCs
  description / ioc / process
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (2l7025.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (3C12L.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (skotes.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (6d0a051b2c.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (82b701b4e5.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (skotes.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (4e702J.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (skotes.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (b785d404f0.exe)
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (skotes.exe)
Downloads MZ/PE file

Checks BIOS information in registry - 2 TTPs, 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description / ioc / process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (2l7025.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (3C12L.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (6d0a051b2c.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (82b701b4e5.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (3C12L.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (4e702J.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (4e702J.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (2l7025.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (b785d404f0.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (skotes.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (6d0a051b2c.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (82b701b4e5.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (b785d404f0.exe)
Checks computer location settings - 2 TTPs, 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
  description / ioc / process
  Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  (4e702J.exe)
  Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  (skotes.exe)

Executes dropped EXE - 12 IoCs
  pid / process
  4844  L2n14.exe
  1392  2l7025.exe
  4656  3C12L.exe
  1468  4e702J.exe
  4460  skotes.exe
  1396  b785d404f0.exe
  1792  skotes.exe
  3972  6d0a051b2c.exe
  2264  022ea90419.exe
  5700  82b701b4e5.exe
  7012  skotes.exe
  6228  skotes.exe
Identifies Wine through registry keys - 2 TTPs, 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description / ioc / process
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (2l7025.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (b785d404f0.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (skotes.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (6d0a051b2c.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (3C12L.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (4e702J.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (skotes.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (82b701b4e5.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (skotes.exe)
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine  (skotes.exe)

Windows security modification
  description / ioc / process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  (82b701b4e5.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  (82b701b4e5.exe)

Adds Run key to start application - 2 TTPs, 6 IoCs
  description / ioc / process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (L2n14.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b785d404f0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004017001\\b785d404f0.exe"  (skotes.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6d0a051b2c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004018001\\6d0a051b2c.exe"  (skotes.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\022ea90419.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004019001\\022ea90419.exe"  (skotes.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\82b701b4e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004020001\\82b701b4e5.exe"  (skotes.exe)
AutoIT Executable - 1 IoCs
AutoIT scripts compiled to PE executables.
  resource / yara_rule
  behavioral1/files/0x000d000000023b7b-87.dat  autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 10 IoCs
  pid / process
  1392  2l7025.exe
  4656  3C12L.exe
  1468  4e702J.exe
  4460  skotes.exe
  1396  b785d404f0.exe
  1792  skotes.exe
  3972  6d0a051b2c.exe
  5700  82b701b4e5.exe
  7012  skotes.exe
  6228  skotes.exe

Drops file in Windows directory - 1 IoCs
  description / ioc / process
  File created  C:\Windows\Tasks\skotes.job  (4e702J.exe)

Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash - 4 IoCs
  pid / pid_target / process / procid_target
  4880  1392  WerFault.exe  85
  2504  1392  WerFault.exe  85
  2404  1396  WerFault.exe  106
  1568  1396  WerFault.exe  106
System Location Discovery: System Language Discovery - 1 TTPs, 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (skotes.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (taskkill.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (82b701b4e5.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (3C12L.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (taskkill.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (taskkill.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (L2n14.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (2l7025.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (4e702J.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (taskkill.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (b785d404f0.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (6d0a051b2c.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (022ea90419.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (taskkill.exe)
Checks processor information in registry - 2 TTPs, 8 IoCs
Processor information is often read in order to detect sandboxing environments.
  description / ioc / process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  (firefox.exe)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  (firefox.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (firefox.exe)

Kills process with taskkill - 5 IoCs
  pid / process
  4660  taskkill.exe
  3204  taskkill.exe
  3624  taskkill.exe
  4728  taskkill.exe
  1932  taskkill.exe

Modifies registry class - 1 IoCs
  description / ioc / process
  Key created  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings  (firefox.exe)

Suspicious behavior: EnumeratesProcesses - 27 IoCs
  pid / process (repeated rows collapsed with a count)
  1392  2l7025.exe      (x2)
  4656  3C12L.exe       (x2)
  1468  4e702J.exe      (x2)
  4460  skotes.exe      (x2)
  1396  b785d404f0.exe  (x2)
  1792  skotes.exe      (x2)
  3972  6d0a051b2c.exe  (x2)
  2264  022ea90419.exe  (x4)
  5700  82b701b4e5.exe  (x5)
  7012  skotes.exe      (x2)
  6228  skotes.exe      (x2)

Suspicious use of AdjustPrivilegeToken - 11 IoCs
  description / pid / process (repeated rows collapsed with a count)
  Token: SeDebugPrivilege  3624  taskkill.exe
  Token: SeDebugPrivilege  4728  taskkill.exe
  Token: SeDebugPrivilege  1932  taskkill.exe
  Token: SeDebugPrivilege  4660  taskkill.exe
  Token: SeDebugPrivilege  3204  taskkill.exe
  Token: SeDebugPrivilege  1432  firefox.exe  (x2)
  Token: SeDebugPrivilege  5700  82b701b4e5.exe
  Token: SeDebugPrivilege  1432  firefox.exe  (x3)

Suspicious use of FindShellTrayWindow - 32 IoCs
  pid / process (repeated rows collapsed with a count)
  1468  4e702J.exe
  2264  022ea90419.exe  (x6)
  1432  firefox.exe     (x21)
  2264  022ea90419.exe  (x4)

Suspicious use of SendNotifyMessage - 30 IoCs
  pid / process (repeated rows collapsed with a count)
  2264  022ea90419.exe  (x6)
  1432  firefox.exe     (x20)
  2264  022ea90419.exe  (x4)

Suspicious use of SetWindowsHookEx - 1 IoCs
  pid / process
  1432  firefox.exe

Suspicious use of WriteProcessMemory - 64 IoCs
  description / pid / process / procid_target (repeated rows collapsed with a count)
  PID 1360 wrote to memory of 4844  1360  db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe  84   (x3)
  PID 4844 wrote to memory of 1392  4844  L2n14.exe       85   (x3)
  PID 4844 wrote to memory of 4656  4844  L2n14.exe       98   (x3)
  PID 1360 wrote to memory of 1468  1360  db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe  101  (x3)
  PID 1468 wrote to memory of 4460  1468  4e702J.exe      102  (x3)
  PID 4460 wrote to memory of 1396  4460  skotes.exe      106  (x3)
  PID 4460 wrote to memory of 3972  4460  skotes.exe      113  (x3)
  PID 4460 wrote to memory of 2264  4460  skotes.exe      114  (x3)
  PID 2264 wrote to memory of 3624  2264  022ea90419.exe  115  (x3)
  PID 2264 wrote to memory of 4728  2264  022ea90419.exe  117  (x3)
  PID 2264 wrote to memory of 1932  2264  022ea90419.exe  119  (x3)
  PID 2264 wrote to memory of 4660  2264  022ea90419.exe  121  (x3)
  PID 2264 wrote to memory of 3204  2264  022ea90419.exe  123  (x3)
  PID 2264 wrote to memory of 2452  2264  022ea90419.exe  125  (x2)
  PID 2452 wrote to memory of 1432  2452  firefox.exe     126  (x11)
  PID 1432 wrote to memory of 1984  1432  firefox.exe     127  (x12)

Uses Task Scheduler COM API - 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(one entry per process; [N] is the depth in the process tree, "cmd" the observed command line)

[1] C:\Users\Admin\AppData\Local\Temp\db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\db5e1f211e4989246fb82f9eaf04a521be5a6322ae6e8b4d0430fc78139b79cb.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1360

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\L2n14.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\L2n14.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4844

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2l7025.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2l7025.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 1392

      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1568
          - Program crash
          PID: 4880

      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1608
          - Program crash
          PID: 2504

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3C12L.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3C12L.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4656

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e702J.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e702J.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1468

    [3] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 4460

      [4] C:\Users\Admin\AppData\Local\Temp\1004017001\b785d404f0.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\1004017001\b785d404f0.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 1396

        [5] C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1592
            - Program crash
            PID: 2404

        [5] C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1592
            - Program crash
            PID: 1568

      [4] C:\Users\Admin\AppData\Local\Temp\1004018001\6d0a051b2c.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\1004018001\6d0a051b2c.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 3972

      [4] C:\Users\Admin\AppData\Local\Temp\1004019001\022ea90419.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\1004019001\022ea90419.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 2264

        [5] C:\Windows\SysWOW64\taskkill.exe
            cmd: taskkill /F /IM firefox.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 3624

        [5] C:\Windows\SysWOW64\taskkill.exe
            cmd: taskkill /F /IM chrome.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 4728

        [5] C:\Windows\SysWOW64\taskkill.exe
            cmd: taskkill /F /IM msedge.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 1932

        [5] C:\Windows\SysWOW64\taskkill.exe
            cmd: taskkill /F /IM opera.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 4660

        [5] C:\Windows\SysWOW64\taskkill.exe
            cmd: taskkill /F /IM brave.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 3204

        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
            - Suspicious use of WriteProcessMemory
            PID: 2452

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 1432

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2076 -parentBuildID 20240401114208 -prefsHandle 2000 -prefMapHandle 1992 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25c5fa89-bf65-4f2f-93cd-966144506f4a} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" gpu
                PID: 1984

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4a02c93-3e5f-4774-88a5-87cbb6a9e94f} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" socket
                PID: 924

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfffa9cf-86ef-4f30-a9db-8393bddab797} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab
                PID: 408

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e643ec3d-98cc-4c4a-8d52-36fd93dbbd93} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab
                PID: 3988

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4632 -prefMapHandle 3720 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fb1c474-8914-43bd-a662-878c0423a51f} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" utility
                - Checks processor information in registry
                PID: 6784

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5420 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7af3668c-78b2-4f8d-8e57-dafeae88fc97} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab
                PID: 3016

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8b19632-86bc-4db8-8e93-cce56ef3c5bb} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab
                PID: 1192

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5836 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5760 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {012bb782-4f98-43f9-a123-cdbea82c9943} 1432 "\\.\pipe\gecko-crash-server-pipe.1432" tab
                PID: 5080

      [4] C:\Users\Admin\AppData\Local\Temp\1004020001\82b701b4e5.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\1004020001\82b701b4e5.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Windows security modification
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5700

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1392 -ip 1392
    PID: 3996

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1392 -ip 1392
    PID: 3948

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1396 -ip 1396
    PID: 1076

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 1792

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1396 -ip 1396
    PID: 1464

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 7012

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 6228
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses are the number of matching signatures)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
Filesize24KB
MD5f0ebfb7ffdce38eb0eb0fc4153ee175f
SHA1f196664142d21e622d6e37278b77c1b086c6ba3a
SHA2565c4d026ba87b222c4d34e3bc9dc5554947eab249bc8c0e95fa5ca069e5fa874d
SHA512502a8aed8a71990353eff60e96c57b991e1a509f3bb533eb0a0f0b3cae190645dc9b942864c96e8c03b9e1525c15f69541480406fefd25a699dd1d3c95d0ad6a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize13KB
MD5491a6616053ba1152ea63731607c92a1
SHA1685b8966ccee6f7a955555f0604e5285a5e6fee0
SHA25639bd96f7a325e292d881a3526b7a085854b62de5e15602aba5fa6b326eb6941c
SHA51219ab07577b04d85416e393c09eae7f2ba4d38112089c7a02368f4fb0cc116a2abc29507b755bcccb7a67ee40715c353207e987587e83c141c803cbf06b7523a2
-
Filesize
2.8MB
MD5
e9fd4becfd9b49f223d2fd97cfb1902b
SHA1
b6006e0040d47973523a9a927ad2af727cde5a19
SHA256
e76dd541c5cbe86ae033519a325658848102f7f2a0b2b1866ec80bd9f0e8bac4
SHA512
a7cd2166d5163c36ecff421677d547781117cd3859367ce167632e5491b17b0b84575e6d0edadfccaa51030e433688586d4370f4418fe4c9432d3b5dda4d6536
-
Filesize
2.0MB
MD5
30fd70fd67c054a1a3bbc544b26df0a2
SHA1
882e7f6365f7534b36ce892c951471d7a3f73428
SHA256
7478d306c43b50a870384c1eba574ac0c3085ba665c0c49de832eab2326e3140
SHA512
a1c559d4ca7acef19d24664b534e9e2e1c88702eff1788a8d7ac2b53bad9c0ba8788cd9f466f9816f292e42f03f5861357baefcb0c455484dd66f87b695b81f4
-
Filesize
898KB
MD5
0937102fd4f729a9548d24fa4313688c
SHA1
f77b18a5d73b935293bcb4abd3f88eb94fbc1bb2
SHA256
d3e269d312f797e945433eba6edaff9535d3209a7bfa7584cd12a9f6743982dd
SHA512
deafc836c4c8ae9617b43bfa3a82de15299aee54ae0323b0d3f41df3699634b93945a16c117f8fc53f4ab9ae25e9f69f9e7add6cdb90e269488e5bf292d8a105
-
Filesize
2.7MB
MD5
1a56350db26efdd933b9eaacd0e1f3a3
SHA1
04813208701c33b82e730fcc761aa4d3cfb9e1a5
SHA256
9a3d39a338ae278accc5505e18200cba7dd5195161b303a949e593ed3abc969f
SHA512
584091489e13f0044b55ede6cd66bfe6d30d47c61bfdd5cbb8ece738fe2a2af7ae06edfd5d63f31dabb5fe393a895f4826df03badf7bc2e57d8a110b6ec5a016
-
Filesize
3.1MB
MD5
9d1aa74dafd0feee66682c1d23c0c038
SHA1
0f7bfc226517597f945e0bacd9eed21d9e50346f
SHA256
646a778b6a1be550a37a9a2ac948e5db5cd4a9ff4a2e4956040513efefe2d349
SHA512
957fcbe95763c8f54822b6a86de489e0ed05c26175b29b12ca0bd83331687b3a6916bc2d0317897cb35fe866ea54de73285f506c306c438751daefee7399596a
-
Filesize
3.8MB
MD5
9c6484ee43b103f6d28c96cc9dbbe612
SHA1
87bd37f8b7d394be51fc24e2c1371c88a3152d53
SHA256
c676483c04388a44c33648542699cda4a54048af8e0fd186e00d76de5c5e84d3
SHA512
4d543e782221a255f0f8be41b840e8dfaf16a862920941a50578b24f86b9da75108268f52d6c62677b21225f6bcd91bc0b16bdd3f6c1b1301ea02a0a56709a53
-
Filesize
2.9MB
MD5
94f7fd12c529bc5d28be7319b857e96b
SHA1
80406621106c9f98a1991449ca11c1318edcf1df
SHA256
2367242ede5c10e68fdb4a893d23a8257bbe5e78347e6e24676cbe36139e25ee
SHA512
0e79e876bca1dc042cb35d6d5233b7b683e7c9bee1a933740e41c75a89bd91e0f4ff2093cef82d6771a332ec03bc64833cb6169abac23ef047dc753ec0c1582f
-
Filesize
2.1MB
MD5
5c4e5d818a24cb9d69fc18ce0dbbd9be
SHA1
618a41b2cd9fcd1307a120f3cd78b86862b25d4c
SHA256
c2295f41e3e74394823ebc9f99265d4021de67f36e3c257600d610781e2f4ffb
SHA512
93dcc942a9adc63d7457106277e65d0c665c9215d47e266e3fa061ad3247e763747ae5fbe15e255995b674322a65635479eb0b6afd81e5db9f6fc997e96619a8
-
Filesize
479KB
MD5
09372174e83dbbf696ee732fd2e875bb
SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD5
0a8747a2ac9ac08ae9508f36c6d75692
SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize
18KB
MD5
09229c01e52b601eb54e581087e59a26
SHA1
1622c9f03b33ab3d9a3bc14d3ebba47eef959cbb
SHA256
2aa58ea744ed72df667a6e907c4a3f45732e2b49c5a0384c26a53cf988bf67e3
SHA512
7c1fe8b0737fb4d8b557cdfd8f8d7ed3c6cf95887b280a213a4a075ab0539b87de6ff914748e101cb2b86d4a2873599eb4c18f7708880ddf999e52339154314b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize
7KB
MD5
d1adaf308cf7e6581fd744a3f2ed4445
SHA1
138d5fe8dccc32cb376f96dd59d9c1b0b5a5383d
SHA256
4730fe938d847d378bafa6d3ad57faf84a4903dfbf3cf9e27f7dbbfd9e73a2fb
SHA512
46bf8dfaccf3662034adebd98dcaf007013b2e69a33eb2dcbe1bfef34ad7942acaf4fef67b7c37d740e3e5462d281f96e6a825c4ffc64ad40bb2bdad878dc604
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize
13KB
MD5
4f12d19af416a6fb5f500395b6dedf6a
SHA1
2d306e724e4a1b5a3b120cd43d6c46b4220963dc
SHA256
64dabe772cf85d8a14de2e13f1226c1e0d3113725e5e40aced2693a1716ea0a8
SHA512
e825c73b1ae0c80961ce10dab86b0efa20b1255efa817d27b44847d9c84e4e03fd9d8d2b4df2d2684f8c301921183cd3a80c7cbe1c8eadf653919009cf58bd6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.bin
Filesize
24KB
MD5
3730fdf70abfc04cc32f7bf8586e7765
SHA1
b6eba7b73e9da30410e2a130e75685192949ac74
SHA256
bce5af27ecb91c74b973c55b913b1fc3bd7decbbfe14dc5a2b43c8f67b2b3482
SHA512
f5594aa9ea83ed2c21d217682be8772768a8f93e63a8de84643bc8b574fe6d5559b347b14d613212b4f75498a3ce418129bab079cecab9c0d3079d686d1cd490
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.bin
Filesize
5KB
MD5
f0adf2abfc4be1f4b45bb7fc3c827e60
SHA1
a1d2ff328601a9b0c00821554ff57f0ccca251e2
SHA256
f30f414536611e473511e95ec2140ae383e234f88a51842b04746572e2db8e09
SHA512
181cdc4480c27318f88dcfe069ab2f343b219161512a9e5d819d279fa412d5b3dd27e61ddf912f58eca6cf849325cc165e17bd325d4bbb240e245d41f3cedf91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.bin
Filesize
15KB
MD5
456beb2b85f6f984400da06d7067bfaf
SHA1
2ffd8b752a2cfc1c17d451f6b9ba9213f2f93eec
SHA256
b50dd96199c285da2b6dee638beb60c89601dc340fb0ba75ab32ea712b15f1ab
SHA512
1866b16e64f5b5d519d1c5e4616eb4a651048ae5bf35bc4ba4ada9cfe9a23b572733e986e43074acc16adc6384d986ddf0553f7cb5ff3eee692bbebcd3f7fb80
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB
MD5
b6d54157836d2809eb1aa67eb77ce2bd
SHA1
b981e797fa51eab48b68f05a65a169bdd09fe496
SHA256
3fc1b8daac8b87d7f434a2b58211641e5e18691d14e8337dbe5323dc8e5c2450
SHA512
d6945b3ad17b56fe2a206979cd17077dfb74f236280c810e079a8bc9cf75b7c8898a249dd0fe9cb04819d6e89e5a7f11eef70096f8f008c59f6c4cbd3a4838c3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize
15KB
MD5
77737e0354392a3be8e72ef9e8c7b430
SHA1
3b62a70b8b15fe29d432c1d55ee6a1f30d619244
SHA256
5b1de3cddc7669095d37177923e0773f97bc006d52e22b401918c2cb5a3efae1
SHA512
cdfa24518282fc7e1b468b457559d22b189ccd49ffe86e1216580e991b5463eab37b1de2659433d0109f0f339b963a8d2af273dd9e0432e606f7c4331534da38
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB
MD5
605e9c6fa573120ea848e396cd40ece3
SHA1
a4584bd4284eb861676072379a92a48917bbb86d
SHA256
ddf9c10b3d7fe82b8a3f447c4af77235d0e1527140e52bb1742f09b1c5da344e
SHA512
d9b1a82e8e30f2fdad78f2ac45f0469c982d464a2fdc7e90e47a7dd6c587099cd608c67937e10557e76458d9b4580ac1e11efb81c310af09e86bc911522c6436
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\5bef2a07-e407-4dba-bbf5-fc6bad12fcf1
Filesize
982B
MD5
12342b2699af0e446df42a3b0f36c7f6
SHA1
2321449b20fcf49417baa949699bbd1f966c9770
SHA256
835094f0c3b6bb5464e619f841b7b01598e995afd17df637a45c2cb01b451f5d
SHA512
f0264894fb39d1e366528647fb72327e8ed9cb107dcff9677d41e9459130acb0ac3fa025caa5ecd02c1887262a98655e0a90ef27890457f42b4110a232705a5f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\700cf2e1-7916-4a50-b624-2c5a9cd31535
Filesize
671B
MD5
eab4b10f3148878894d9790b6c30105c
SHA1
e361e26c7045f4edff068dfe04240ce2d639de20
SHA256
eac6e24219922badf66d33e0132a32013f7b120796db6b5e2b952d1110ee9a25
SHA512
bb161cbe7b31d1b5b676b67d01a6a7070e021f5f539900de8a35030eea28545eb3f6361fed832a8d9ea96e56f4fcf638868d4d6dd41f8b03b9cee117a2de5f58
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\e844440a-0e9b-4a20-bced-7de73a4836a4
Filesize
26KB
MD5
0c7c42eea1c68d4326368a2bd81a0e63
SHA1
407e235ce68a3656010738c20ce76b0b4bab89dd
SHA256
78e2086809515d735256a3b76c18a2aa158157f69edc7d954e07409f9eb13e51
SHA512
61dab6f88ac66d7208b4d02f45207545c4856c71cee971999992e184808c6f384cea5265b3f7c07036e26ecac6c83b2f5db076ad0c9fe9662d0b1f155dc03184
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5
e1edffd3cca1bf5847ec408a16f064d0
SHA1
21eaab0e54035c9dd9a4d750cb7235f5908c0861
SHA256
bb48e2ea8da5be0157c916de352a1f3cd3035d40035f611c749cd7e8a9b317a5
SHA512
a3aa10e4fc8f9b5e8d8acf8fbd387e12ae805bfb7d71055bae1a1b066122803aab80e10ab65ec0f62f1e4435e2fef0fa8fe58ded88b085cd10eebed97cc3140f
-
Filesize
15KB
MD5
2ad7d8b015f9d2ef77e6720c2306f534
SHA1
34ea11067ef507a0cb8fd4f70c0f4178997d5893
SHA256
9375283f8417faccb3bc1eb3033bfeb1a6379bb3679fe1726c1c6e68b44a13f1
SHA512
68f4743529a7ca52296de6a593a95a3b024880aa0a5f5229242db1f7b016395ef473b5f93746dcde85b1b91d4081ed1d06a34ad0e4974cae7f1ed603030a9119
-
Filesize
10KB
MD5
8a5197c01a80b4f0f308fa197aa81882
SHA1
c29d9678faf34e537ee6d26053564398d6c33c5e
SHA256
ad952230075d76794736997731c538c77a8eeb36a6b8f6d93ed8cc60074d92bb
SHA512
1e616968d9c9c2ddd8c5d559f4d55a24c86b5697c0937d1fb6a19183b6c90673ad8e327998e9a399743aef5770ffc5d53d3145e6ce47637603b0e6986d9cf704
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.8MB
MD5
8bc44d242362cfc74c6b83e90434cd8f
SHA1
352c3ba43bf30dcb1116ec2d973aeb39d863b6af
SHA256
89c29a55b7588d67e648df2217d12dac3085449f36e1c312d5be13a4d97ea0d4
SHA512
620d7646b6e7e7c1bfb222690cc4ca735f5e43bda75e123dd1e4e604020c97de0482e671f9d6f8832480ca5d672754ea07ffb36a61e74e1a9cc07ede090697dd