Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2024, 11:36
Static task: static1
Behavioral task: behavioral1
- Sample: b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
- Resource: win7-20240903-en
General
- Target: b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
- Size: 3.1MB
- MD5: 7bc3610d75c156640b9918f00a3fe50f
- SHA1: 44790160233bb2ca3233d7a8698c83740a794456
- SHA256: b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d
- SHA512: fac7229b4515f20bf89aa0a08ba476b38ebbe90271be38128fcdc1f9d1d86d0751a393bddd98c89baab2579df96c761259480d7f0aea4e4cb9bcd42db09ce0a1
- SSDEEP: 49152:nc9ThuYz3W8wAv1YnGE/iVxIT7ku7x2zO0GbyzyNbFfnOGrZdV:c9TRz3W8wAv1YnGLePYa0Ef5Zd
Malware Config
Extracted: amadey
  4.42
  9c9aa5
  http://185.215.113.43
  - install_dir: abc3bc1985
  - install_file: skotes.exe
  - strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  - url_paths: /Zu7JuNko/index.php
Extracted: stealc
  tale
  http://185.215.113.206
  - url_path: /6c4adf523b719729.php
Extracted: lumma
  https://founpiuer.store/api
Signatures
Amadey family
Lumma family
Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 7249cea49f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 7249cea49f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 7249cea49f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 7249cea49f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 7249cea49f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 7249cea49f.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7032f73762.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 59dd9c93cb.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7249cea49f.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7249cea49f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7249cea49f.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 59dd9c93cb.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7032f73762.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7032f73762.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 59dd9c93cb.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 9 IoCs
  pid | Process
  976 | skotes.exe
  3504 | DLER214.exe
  5116 | skotes.exe
  2488 | 7032f73762.exe
  220 | 59dd9c93cb.exe
  2920 | dbaf6eb630.exe
  396 | 7249cea49f.exe
  1536 | skotes.exe
  2496 | DLER214.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 7249cea49f.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 7032f73762.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 59dd9c93cb.exe
Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 7249cea49f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 7249cea49f.exe
Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7249cea49f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004089001\\7249cea49f.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7032f73762.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004086001\\7032f73762.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59dd9c93cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004087001\\59dd9c93cb.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbaf6eb630.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004088001\\dbaf6eb630.exe" | skotes.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x001f00000001db08-97.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  pid | Process
  4292 | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
  976 | skotes.exe
  5116 | skotes.exe
  2488 | 7032f73762.exe
  220 | 59dd9c93cb.exe
  396 | 7249cea49f.exe
  1536 | skotes.exe
Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 5 IoCs
  pid | pid_target | Process | procid_target
  1696 | 3504 | WerFault.exe | 92
  2284 | 2488 | WerFault.exe | 104
  4056 | 2488 | WerFault.exe | 104
  2216 | 2488 | WerFault.exe | 104
  3068 | 2496 | WerFault.exe | 135
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DLER214.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7032f73762.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 59dd9c93cb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbaf6eb630.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DLER214.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7249cea49f.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Kills process with taskkill 5 IoCs
  pid | Process
  5100 | taskkill.exe
  2348 | taskkill.exe
  3428 | taskkill.exe
  2152 | taskkill.exe
  2964 | taskkill.exe
Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 21 IoCs
  pid | Process
  4292 | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe (2 entries)
  976 | skotes.exe (2 entries)
  5116 | skotes.exe (2 entries)
  2488 | 7032f73762.exe (2 entries)
  220 | 59dd9c93cb.exe (2 entries)
  2920 | dbaf6eb630.exe (2 entries)
  396 | 7249cea49f.exe (2 entries)
  2920 | dbaf6eb630.exe (2 entries)
  1536 | skotes.exe (2 entries)
  396 | 7249cea49f.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 10 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3504 | DLER214.exe
  Token: SeDebugPrivilege | 5100 | taskkill.exe
  Token: SeDebugPrivilege | 2348 | taskkill.exe
  Token: SeDebugPrivilege | 3428 | taskkill.exe
  Token: SeDebugPrivilege | 2152 | taskkill.exe
  Token: SeDebugPrivilege | 2964 | taskkill.exe
  Token: SeDebugPrivilege | 388 | firefox.exe
  Token: SeDebugPrivilege | 388 | firefox.exe
  Token: SeDebugPrivilege | 2496 | DLER214.exe
  Token: SeDebugPrivilege | 396 | 7249cea49f.exe
Suspicious use of FindShellTrayWindow 31 IoCs
  pid | Process (consecutive identical entries collapsed, order preserved)
  2920 | dbaf6eb630.exe (6 entries)
  388 | firefox.exe (4 entries)
  2920 | dbaf6eb630.exe (1 entry)
  388 | firefox.exe (17 entries)
  2920 | dbaf6eb630.exe (3 entries)
Suspicious use of SendNotifyMessage 30 IoCs
  pid | Process (consecutive identical entries collapsed, order preserved)
  2920 | dbaf6eb630.exe (6 entries)
  388 | firefox.exe (4 entries)
  2920 | dbaf6eb630.exe (1 entry)
  388 | firefox.exe (16 entries)
  2920 | dbaf6eb630.exe (3 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  388 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target (consecutive identical entries collapsed, order preserved)
  PID 4292 wrote to memory of 976 | 4292 | b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe | 87 (3 entries)
  PID 976 wrote to memory of 3504 | 976 | skotes.exe | 92 (3 entries)
  PID 976 wrote to memory of 2488 | 976 | skotes.exe | 104 (3 entries)
  PID 976 wrote to memory of 220 | 976 | skotes.exe | 109 (3 entries)
  PID 976 wrote to memory of 2920 | 976 | skotes.exe | 112 (3 entries)
  PID 2920 wrote to memory of 5100 | 2920 | dbaf6eb630.exe | 113 (3 entries)
  PID 2920 wrote to memory of 2348 | 2920 | dbaf6eb630.exe | 115 (3 entries)
  PID 2920 wrote to memory of 3428 | 2920 | dbaf6eb630.exe | 117 (3 entries)
  PID 2920 wrote to memory of 2152 | 2920 | dbaf6eb630.exe | 119 (3 entries)
  PID 2920 wrote to memory of 2964 | 2920 | dbaf6eb630.exe | 121 (3 entries)
  PID 2920 wrote to memory of 4512 | 2920 | dbaf6eb630.exe | 123 (2 entries)
  PID 4512 wrote to memory of 388 | 4512 | firefox.exe | 124 (11 entries)
  PID 388 wrote to memory of 2772 | 388 | firefox.exe | 125 (21 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(tree depth shown in brackets; cmdline is the recorded command line)
[1] C:\Users\Admin\AppData\Local\Temp\b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d.exe"
    PID: 4292
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      PID: 976
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1004053001\DLER214.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1004053001\DLER214.exe"
        PID: 3504
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1672
          PID: 1696
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1004086001\7032f73762.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1004086001\7032f73762.exe"
        PID: 2488
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1484
          PID: 2284
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1464
          PID: 4056
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1508
          PID: 2216
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1004087001\59dd9c93cb.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1004087001\59dd9c93cb.exe"
        PID: 220
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\AppData\Local\Temp\1004088001\dbaf6eb630.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1004088001\dbaf6eb630.exe"
        PID: 2920
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM firefox.exe /T
          PID: 5100
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM chrome.exe /T
          PID: 2348
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM msedge.exe /T
          PID: 3428
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM opera.exe /T
          PID: 2152
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM brave.exe /T
          PID: 2964
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          PID: 4512
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            PID: 388
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f24f19-7753-41dd-aa6d-9560b9dc4422} 388 "\\.\pipe\gecko-crash-server-pipe.388" gpu
              PID: 2772
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85dc93bb-330e-42e1-93b8-e9c520a38b64} 388 "\\.\pipe\gecko-crash-server-pipe.388" socket
              PID: 2104
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2852 -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 3192 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dc3eff3-c048-4f08-8bf3-dc82b7bfb777} 388 "\\.\pipe\gecko-crash-server-pipe.388" tab
              PID: 2764
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -childID 2 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e916d06e-26a6-49ec-9ac3-619bfc3fb1b0} 388 "\\.\pipe\gecko-crash-server-pipe.388" tab
              PID: 4248
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4856 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4716 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac38c5e-86e9-40b4-8e54-f0c68ddf1592} 388 "\\.\pipe\gecko-crash-server-pipe.388" utility
              PID: 4480
              - Checks processor information in registry
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -childID 3 -isForBrowser -prefsHandle 4172 -prefMapHandle 4424 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {770026b6-729d-42d6-9b8e-7e27ad32ec89} 388 "\\.\pipe\gecko-crash-server-pipe.388" tab
              PID: 5084
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5348 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {026750bf-7a60-49d2-b708-8625241c6d5d} 388 "\\.\pipe\gecko-crash-server-pipe.388" tab
              PID: 1184
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5764 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2b25898-f7bf-4b54-b660-b03a2c056777} 388 "\\.\pipe\gecko-crash-server-pipe.388" tab
              PID: 612
    [3] C:\Users\Admin\AppData\Local\Temp\1004089001\7249cea49f.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1004089001\7249cea49f.exe"
        PID: 396
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\1004090001\DLER214.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1004090001\DLER214.exe"
        PID: 2496
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1660
          PID: 3068
          - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3504 -ip 3504
    PID: 3952
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 5116
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2488 -ip 2488
    PID: 3144
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2488 -ip 2488
    PID: 688
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2488 -ip 2488
    PID: 4356
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 1536
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2496 -ip 2496
    PID: 3272
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json
Filesize18KB
MD57fb378efebd4851b2deea45358957049
SHA1b50ff129778413c3fbed8889e54f3621bf36d472
SHA25678327748fb8faf3c8998e47bb3f96aede9326869c60536f3854231f6edb3d784
SHA512564647e9abda2d93a90c47764b7bd6a7ab4a5405ce92a554689268f4bb3243a36073e69ab5e8fd444030b86a8993fc4d240f78853d21d3b50b7c5dcbbaf82c44
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize13KB
MD53a563c2868b5ecfa4891bb4438d82f48
SHA1f509e3285a4fbf1d9557086f1e69c4a4d864f1a7
SHA2560c47dd8f34dfd273903c66e84d5ac123b21bb3d011af7e7776ba167d91616fce
SHA512b08a70d4878a3b51b0729f5081734e94b8207edd9c25045e98aac8192d5d787841867fc6b140998cb9ec3cdc78565f642ddc41f85006f83519473d4420192093
-
Filesize
16KB
MD554ec587044fdff4bfd0029946041a109
SHA1242cc5fdd5c75a02776f1f5e526cc42cf138b313
SHA256e666b2644c35f564041ad18c5125f1677255f05421ad18785aed42bfb3ac5adf
SHA5126e2c9f3b3850c021b0db78af02f37e6fe1b32bd046ba5767b0499f2c4af11586e167c80235258b5536bcfece567a18f2e2eca6a107e60d5efb62a65175049046
-
Filesize
3.0MB
MD5c4aece08b50819dbb642d0e4478c0921
SHA1a79e8c4f6c1c880e0d8bf95d3e4618e5e1b9bc2d
SHA2566163126132b59b1178d2a9eb5dd0228694cb573bf6f96f54c2f04168f467d62f
SHA51277b6a94f4fe388a38ae4ae3ab67520a15ab4640328ffa80c22246708c7d0e08b784be7fc93112d21a77721b7f3761d948b2f32102a050fc39280d87be59c0f8c
-
Filesize
2.0MB
MD5633f9512e18ffeee9daf308fc33c080c
SHA12b18defa7720c46b847a3e81c67296fe5b4e3efd
SHA25663d5dae30a2008d6a858e421ed4716c83b4aa8677c56d804e1ef96086ecff920
SHA512247e92acf56bcd8dfdaa6816cdb565efaf9e02d2a5b71cfeae700168390fd6bad0fb27dde7371a6baf51bb4398222941f1c9e75c2bad2b9d115fd301919aa5a4
-
Filesize
898KB
MD56e818c89174827e4a5c36de1216f081e
SHA1bfac04adc78b44a8efc1619baa46d5cc36d485f1
SHA2568238429796bbdab49f921d92fd1b071c62700bec068ed440cc1b9ab2348a0897
SHA5127b19b16c2a9e88d26bc76fda789515774cb84a57117f58f0c325414a2e5245aa7f517c2424314bfbcd3d83725b0ea963309d48000d3f43a59d9ea0e5e14485b1
-
Filesize
2.7MB
MD550567a2990018c5890d1abb622c5051f
SHA12507d8b3fa3b09134162ca262d08d31c2a9a453c
SHA256f3069d8eba64f1512f1e560a09a3274aec35ccb0af74b55500c255322fa4c7d1
SHA51242475c1f1aa64999fe4ba8c293c48196dc0705066f7f009f0efcc41cb488dd6a9034366efedc01e48620ef9e3fa934c06b9d0100cd549d63a3d22f0f15a2604d
-
Filesize
3.1MB
MD57bc3610d75c156640b9918f00a3fe50f
SHA144790160233bb2ca3233d7a8698c83740a794456
SHA256b27cead89f5b755e257992d0dae512bd499a94043125d3da9d1261f76bad9f4d
SHA512fac7229b4515f20bf89aa0a08ba476b38ebbe90271be38128fcdc1f9d1d86d0751a393bddd98c89baab2579df96c761259480d7f0aea4e4cb9bcd42db09ce0a1
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize7KB
MD52290847cbf1344d8fd81947f03db6343
SHA1d16f714375a2f40f02d08a3f38260e9be6a2a4ae
SHA25652ff9e34ddc4b4fef93e69fec476a9465c728ff9cb124cc0e2dbce76190f740e
SHA51230d0ac738557abb4603bcbe7ea9dc502f6e96907bcd6a80358037b56534fd7f98498224e6c8835b0a0199120fdaf739eeb0f477f38af93d48d88b5bebecd232b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize
12KB
MD5
5e5215785ec1eba87c525861ec96ec8d
SHA1
c45ff7036eb62069b25bc181cee9646bd96f398e
SHA256
8b6dceddc724c62c49158481e623b0570b838e4cccd777e1c610185fb10725f5
SHA512
d5be9802c9b205d738e5934310e62e81c82e8ea022b7b08b76e3f6cdb647384915a5d696ae4e09cb6bce528c32e03f43261928e33868b68117480168e2ae29de
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize
17KB
MD5
b2463ed8f37391160b0f7e3d76411999
SHA1
9c2647d427631e55d5f45cb27e63099f83af7d66
SHA256
097a9924d1ed907b9284d6b1de9eec4f0c2a1d662998441705b7b41142b0e9cf
SHA512
6c24fef3dc1d9d0b600718c83fe58348def5953a5dc77a3a94204d85c431e1443d00bd1d72d49746067fbb3f606754deba975712967f878161187d732dc9b09b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize
6KB
MD5
6120fc04e81a3dc2e0281c7ed50d4e99
SHA1
2a7c8820a46043e3a6b8a4743425c52baef5d01d
SHA256
4dec7c51fe04ffbb9d6a9cdd4de9ff1b5d2833952a16317971cf1f9673e6e898
SHA512
854c0c32ddf309c4a06dfcea42788faf76596c52fde4969a263d50e1177fd07b39924db8b846df9d537d6cd7cd63b20da2e4277a76a86a2c3bca7fc0637629ea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize
27KB
MD5
c826228a0eaa636f1434f27bea75c5c8
SHA1
6ce5eeaa7168bb69f8a2728643b0ef88619f164e
SHA256
9f61c51522f2e0e4e1ae7b90730d494a14afe1e68c296e0530fbe9a17f8ec51e
SHA512
0a96f8dc509d1d16c0d4b10abe9badf8d12c2d49447b71a4bee91d1b50de4e8d029a7b044a28ee3efadb1823004c5ec34487b5c774266622a8a26e165c541bcc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize
5KB
MD5
bc4db877d591a78dfc8b4bcbe9afa585
SHA1
3a772b6e37a8151c7424bdbb5c0312706c2a092e
SHA256
aaddf6602365d00f520fdb3bff281f43757470fca16f4ccdd2b53543edf119cf
SHA512
7d066181a2b3cc95517060df0647f761aa95429b4e323bc6432b7abc544f6b3ecd1767880501abb8745b05a9d7d01fcc9192925eab2a59ac0c345f5da4936bfb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize
27KB
MD5
094c6ecb3d52a0ef88be2da984f05096
SHA1
916bd1c5feedd3237ad4ce26790b03ab3aa51bd4
SHA256
252cb3dd516208e7fc2209184c5ef407401f0cd10505fe9e89e05b1c120e27eb
SHA512
9c73fc59a108e51d9ff4255be4a3dcaafd929da4f8e3781735059c3373cd320adc1c3ce7291e515ea9bad83d235019cee9ce971fe693656b1df78883a10018db
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\3ad21666-9c81-4044-8012-a3387c36ecf2
Filesize
982B
MD5
ede07c69ce66ac27707c7c030ea3d450
SHA1
5745cfa977df3ff49b70e137202724afb7b1aad9
SHA256
9d35042c5214b61a9d42cbe80b315d06bcc5e3885b000a1ea2b099901f933248
SHA512
341926335a0befcf8f725dd685f859fba62479a2c7638ad007aec1668936ec22bcae8ce30fda452ab1f1f0dedf6504ce611b4fb41f97e7dab662b9dfeaaa3b05
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\72605c5c-851f-4a38-a336-341356f6c736
Filesize
671B
MD5
02cc77fa06b4046b36a41c3937b21e2d
SHA1
85e57f620eec7aeb41a65c6f19b9bc397cd15175
SHA256
f13da9155b6c3429e156688b2ccee33bf717500dbd88111bfbd6561f5d961707
SHA512
993783da0276f1d0e6b6287a602d293cc790461bbaf651fa93111791c4bedda979a2d2192d2dd4cd9e1951cae725a8a34e72519526d2e8242a45174573b2aac3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\b4db7c69-8179-4e2f-8bd1-33fcc7f917ab
Filesize
26KB
MD5
d62634d5d7d65be566c2381615a3a20a
SHA1
d49f9179f490e4e1c4532569bdc81637d61e74ab
SHA256
139decd98e79e4b0fd21a904af1299122d02b706f87f33e55f712888554be1a8
SHA512
a94e9fd3eb06be683fdb445c57425a4c87f91addb5cb683ca953c1fe79191eab62e1964f5a427c9d6fddd8c9f30ab40f98e04b1fc11ec67e88b9e08c6a5c0cbb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize
1.1MB
MD5
842039753bf41fa5e11b3a1383061a87
SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize
116B
MD5
2a461e9eb87fd1955cea740a3444ee7a
SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize
372B
MD5
bf957ad58b55f64219ab3f793e374316
SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize
17.8MB
MD5
daf7ef3acccab478aaa7d6dc1c60f865
SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
13KB
MD5
47443878ad79f8ab601447c12e16cbd6
SHA1
5845d321042c1b59da7a3b2ba808e5d2f07ec079
SHA256
af1126611f89682d983f44c2c99b6ad3cc3243bb2c37d1220625e8a59fefcf0b
SHA512
e6f449f4c383e16f6a5ac44b3de442b666ecf0669ad51a0633b4b11ec29a32121909e402d13f8d69e33fe9883d740642b41d58a6411527c319f8a634cab83b41
-
Filesize
11KB
MD5
510cd22c32cd3b1afc0d3c7b98a70527
SHA1
2c8a40870688df63e8dfac7fabfd2ab33df21685
SHA256
cf9ddf9e8b012d4bc8cb84d9b27337187ae569bab739d3f57beeda13be377c83
SHA512
3178790d2eb3bfdaa2583ae3f0c44db71c9ae99a52c6aeca416289812e7caa0ef3e8a686dfdd4532fa80a770b97a83f233aa22ab9af663b2943475671cb92f36
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
576KB
MD5
ffc004f3d1f5353b9ec4ca71104bf8d3
SHA1
358dd48dd216dddfd0465df49e6ca43c3989b443
SHA256
c0b9612784bfcb39499a1784cedfde0f335fadaeb72acab9c34437a973f28bcf
SHA512
263340335e44fea961424e0ad20f538d46881b5b35d7626082691c3aebcf97488733493625b4878bf7a175457c6d5ac4991b1a651393d76cba0c1115e6ca6082
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.6MB
MD5
c29166323e549de157b43151b2d9cff7
SHA1
abe6fab4a68205762ee0ca9b4ebb8327fd0f9389
SHA256
a62e35c37f74fbca2737aa72a6757cf69ac93eb8f14c1c7b640b54599d3e0e57
SHA512
8455600ec6245b0f9c5bdcfa8e0faf8361f774ae4e065b4fbef152e1a6ff2af85a515767d7f2f63052a97be883fbc4693ad58062840b762b2431faa70480add8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.8MB
MD5
5dbd0c892039430a4851c075a16fd5c1
SHA1
9db90ab53298e3c93e5b5d55771e37c9285118cf
SHA256
458e40fc457fe241efeb29eff0316cefe188b66c4f2b33c5e7f7db0d249afa76
SHA512
0358ffd90b2524c2ec632fbbe0b8c446cc208fe779a89f9363b714a4a5879d2d28fac151820fffab505afc8c0b69a49cd8d713a19153eaea78932a66a061258e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
2.4MB
MD5
2bfda4bc680d839b61a6e37990cfe1ac
SHA1
b1ef66aaab23d91eaa3faa6baa7c9eff48ab6a35
SHA256
227a6e490318ee88aaf53efe3dfea05c9a57e52a629d327dac14e5180dc1b287
SHA512
2e38ae6985b870cb0fdc0e5079d1578a367ef4067ddd0b4a9641133f966bcb96789c2e202333a576b77c266c2ce78855d9813130cc2131847c73da7d3c6581bb