Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 14:34
- Static task: static1
General
- Target: f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe
- Size: 4.0MB
- MD5: 4821bd4f04f2d9ca7249e79fd963725d
- SHA1: 92cd5261447dd865822da3620102db9fd84554b0
- SHA256: f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193
- SHA512: 8f75a29af6cc1d9f9f1e96cfc1acae9779a726c37762c576492609fd52f404b16d6d7bbf927c5f29805d32d345e766ce69fc6fe0fee0bd37edc98e5b60c083ff
- SSDEEP: 98304:hamyLDIplFDBlFfp9LNnzABkP7Q4sPaD3EoSfIfccK0p76:IoDfFfp9hz4Woaz7hc
Malware Config
Extracted
- Family: amadey
- Version: 4.42
- Botnet ID: 9c9aa5
- C2: http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
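The extracted config is more useful once it is turned into the artefacts an analyst actually pivots on: the full C2 URL (C2 host joined with each url_path), the install path the process tree later shows (Temp\abc3bc1985\skotes.exe), and the strings key. The following is an added example, not part of the sandbox report or of Amadey itself. It assumes, based on public Amadey write-ups rather than anything stated on this page, that the bot's string table is RC4-encrypted with strings_key used as raw ASCII bytes; the ciphertext it decrypts is constructed by encrypting a known string with the same routine, not lifted from the binary, and deriving the .job name from install_file generalises from this one report.

```python
"""Added example, not part of the sandbox report: turn the extracted Amadey
config into hunting artefacts and decrypt RC4-protected strings with the
reported strings_key.

Assumptions, not stated by the report: public Amadey analyses describe the
bot's string table as RC4-encrypted with a key embedded in the binary, which
is what the extractor reports as strings_key; this code treats that key as
raw ASCII bytes. The sample ciphertext is constructed here by encrypting a
known string with the same routine, it is not taken from the sample.
"""

# Values copied from the Malware Config section of the report.
CONFIG = {
    "c2": "http://185.215.113.43",
    "install_dir": "abc3bc1985",
    "install_file": "skotes.exe",
    "strings_key": "8a35cf2ea38c2817dba29a4b5b25dcf0",
    "url_paths": ["/Zu7JuNko/index.php"],
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XOR with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(hex_blob: str, key: str = CONFIG["strings_key"]) -> str:
    """Decrypt one hex-encoded blob with the config key (ASCII bytes: assumption)."""
    return rc4(key.encode("ascii"), bytes.fromhex(hex_blob)).decode("utf-8", "replace")


def hunting_artefacts(cfg: dict = CONFIG) -> dict:
    """Derive the host and network artefacts an analyst pivots on from the config."""
    base = cfg["c2"].rstrip("/")
    stem = cfg["install_file"].rsplit(".", 1)[0]
    return {
        # full C2 URL(s): host from the config plus each url_path
        "c2_urls": [base + "/" + p.lstrip("/") for p in cfg["url_paths"]],
        # %LOCALAPPDATA%\Temp\<install_dir>\<install_file>, the path seen in the process tree
        "install_path": "%LOCALAPPDATA%\\Temp\\" + cfg["install_dir"] + "\\" + cfg["install_file"],
        # the scheduled-task file the report shows (skotes.job); naming it after
        # install_file generalises from this one report and is an assumption
        "task_file": "C:\\Windows\\Tasks\\" + stem + ".job",
    }


if __name__ == "__main__":
    # Constructed demo: encrypt a known string, then show it decrypts with the key.
    blob = rc4(CONFIG["strings_key"].encode("ascii"), b"/Zu7JuNko/index.php").hex()
    print(blob, "->", decrypt_string(blob))
    for k, v in hunting_artefacts().items():
        print(k, v)
```

Because RC4 is symmetric, a string table that fails to decrypt to printable text with this key is the quickest sign that the build uses the key differently (hex-decoded, or a per-string key), at which point the assumption above is what to revisit.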
Signatures

Amadey family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
All six writes are made by 49b4578783.exe, the payload skotes.exe launches from Temp\1005760001:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  (49b4578783.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  (49b4578783.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (49b4578783.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (49b4578783.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  (49b4578783.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (49b4578783.exe)
Caveat: these are Defender policy values written from a 32-bit process (hence the WOW6432Node prefix the sandbox recorded). On a host with Tamper Protection enabled Defender does not honour these registry changes and protects the TamperProtection value the same process sets to 0, so a successful write in the sandbox does not by itself show that protection would be lost on a managed endpoint; confirm effective state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than from the registry path alone.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  by 1x94W8.exe, skotes.exe (x3), 2u2274.exe, b081d73a44.exe, 49b4578783.exe
The VBOX__ DSDT key exists only on VirtualBox guests; the BIOS and Wine lookups below are the checks that still fire on other hypervisors.
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  by 2u2274.exe, skotes.exe (x3), 49b4578783.exe, 1x94W8.exe, b081d73a44.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  by b081d73a44.exe, skotes.exe (x3), 1x94W8.exe, 2u2274.exe, 49b4578783.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  by skotes.exe, 1x94W8.exe

Executes dropped EXE (9 IoCs)
- 3356 m0W48.exe, 1000 1x94W8.exe, 2224 skotes.exe, 1476 2u2274.exe, 4832 3M82O.exe, 2648 b081d73a44.exe, 5496 49b4578783.exe, 5580 skotes.exe, 1512 skotes.exe

Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine  by b081d73a44.exe, 49b4578783.exe, skotes.exe (x3), 1x94W8.exe, 2u2274.exe
Windows security modification (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  (49b4578783.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  (49b4578783.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (m0W48.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b081d73a44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005758001\\b081d73a44.exe"  (skotes.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49b4578783.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005760001\\49b4578783.exe"  (skotes.exe)
The two wextract_cleanup RunOnce entries are the IExpress self-extractor wrapper's own cleanup (advpack.dll DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at next logon) and do not persist the payload; the two HKCU Run entries written by skotes.exe, pointing at binaries under the user's Temp directory, are the persistence to hunt for.
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
- resource: behavioral1/files/0x0008000000023bf9-41.dat  yara_rule: autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
- 1000 1x94W8.exe, 2224 skotes.exe, 1476 2u2274.exe, 2648 b081d73a44.exe, 5496 49b4578783.exe, 5580 skotes.exe, 1512 skotes.exe

Drops file in Windows directory (1 IoC)
- File created: C:\Windows\Tasks\skotes.job  (1x94W8.exe)
The .job file is the on-disk form of a scheduled task, consistent with the Task Scheduler COM API signature below and with the two skotes.exe instances (PIDs 5580 and 1512) that appear at the top of the process tree with no parent.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe, 3M82O.exe, taskkill.exe (x5), 49b4578783.exe, m0W48.exe, 1x94W8.exe, skotes.exe, 2u2274.exe, b081d73a44.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  (firefox.exe)
Caveat: all eight reads come from firefox.exe, the legitimate browser the sample launched, and reflect Firefox's normal start-up rather than anti-sandbox checks by the malware; treat this signature as noise in this report.

Kills process with taskkill (5 IoCs)
- 1064 taskkill.exe, 2876 taskkill.exe, 4900 taskkill.exe, 3880 taskkill.exe, 1916 taskkill.exe

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings  (firefox.exe)
Suspicious behavior: EnumeratesProcesses (21 IoCs)
- 1000 1x94W8.exe (x2), 2224 skotes.exe (x2), 1476 2u2274.exe (x2), 4832 3M82O.exe (x4), 2648 b081d73a44.exe (x2), 5496 49b4578783.exe (x5), 5580 skotes.exe (x2), 1512 skotes.exe (x2)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
- Token: SeDebugPrivilege  2876 taskkill.exe, 4900 taskkill.exe, 3880 taskkill.exe, 1916 taskkill.exe, 1064 taskkill.exe, 1688 firefox.exe (x5), 5496 49b4578783.exe

Suspicious use of FindShellTrayWindow (34 IoCs)
- 1000 1x94W8.exe, 4832 3M82O.exe (repeated), 1688 firefox.exe (repeated)

Suspicious use of SendNotifyMessage (32 IoCs)
- 4832 3M82O.exe (repeated), 1688 firefox.exe (repeated)

Suspicious use of SetWindowsHookEx (1 IoC)
- 1688 firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
writer PID/process -> target PID/process (repeat count, sandbox procid_target):
- 2940 f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe -> 3356 m0W48.exe (x3, 83)
- 3356 m0W48.exe -> 1000 1x94W8.exe (x3, 86)
- 1000 1x94W8.exe -> 2224 skotes.exe (x3, 88)
- 3356 m0W48.exe -> 1476 2u2274.exe (x3, 89)
- 2940 f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe -> 4832 3M82O.exe (x3, 90)
- 4832 3M82O.exe -> 2876 taskkill.exe (x3, 91)
- 4832 3M82O.exe -> 4900 taskkill.exe (x3, 97)
- 4832 3M82O.exe -> 3880 taskkill.exe (x3, 99)
- 4832 3M82O.exe -> 1916 taskkill.exe (x3, 101)
- 2224 skotes.exe -> 2648 b081d73a44.exe (x3, 103)
- 4832 3M82O.exe -> 1064 taskkill.exe (x3, 104)
- 4832 3M82O.exe -> 4040 firefox.exe (x2, 106)
- 4040 firefox.exe -> 1688 firefox.exe (x11, 107)
- 1688 firefox.exe -> 3052 firefox.exe (x18, 109)
Every edge here is a parent writing into a child it has just created; the firefox.exe-to-firefox.exe writes are Firefox's own sandboxed process model, not injection by the sample.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child depth; the three top-level skotes.exe entries have no recorded parent)

C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe  (PID 2940)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe  (PID 3356)
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0W48.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe  (PID 1000)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1x94W8.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 2224)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe  (PID 2648)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1005758001\b081d73a44.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 944)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

        C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe  (PID 5496)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1005760001\49b4578783.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Windows security modification
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe  (PID 1476)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2u2274.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe  (PID 4832)
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3M82O.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe  (PID 2876)
      cmdline: taskkill /F /IM firefox.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe  (PID 4900)
      cmdline: taskkill /F /IM chrome.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe  (PID 3880)
      cmdline: taskkill /F /IM msedge.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe  (PID 1916)
      cmdline: taskkill /F /IM opera.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe  (PID 1064)
      cmdline: taskkill /F /IM brave.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4040)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1688)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3052, gpu)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1968 -prefMapHandle 1960 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {728e019d-3ce6-4daf-9d7c-612b7c04283c} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" gpu

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4572, socket)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2476 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8528049-8b96-4dde-b4e3-30161a127e86} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" socket

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2344, tab)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3228 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {220c2c4a-6a8e-4973-937c-264ed73e7aa9} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4540, tab)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -childID 2 -isForBrowser -prefsHandle 4048 -prefMapHandle 4044 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbcf7e77-1b05-4dd0-9e5d-cec1c27a634a} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 6440, utility)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b4faa9-536e-4564-8da1-301b4a0645d7} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" utility
          - Checks processor information in registry

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3648, tab)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 3492 -prefMapHandle 5296 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe62adfd-d7f0-4eac-bae3-1448e453f4ce} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4800, tab)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7faedfa-6cff-4458-874f-ef378c3c3311} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 404, tab)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f302c2-22ff-4860-9dbe-77a5ff281062} 1688 "\\.\pipe\gecko-crash-server-pipe.1688" tab

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 5580)
  cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 1512)
  cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
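Three behaviours in this report are worth turning into detection logic rather than reading once: the Defender policy writes by 49b4578783.exe, the HKCU Run entries skotes.exe points at binaries under Temp, and the sequence in which 3M82O.exe kills five browsers with taskkill and then launches Firefox in --kiosk mode on a Google sign-in challenge URL (a full-screen window the user cannot easily dismiss, consistent with a credential-harvesting lure). The following is an added example, not part of the sandbox report. Its event dicts are a simplified model of Sysmon Event ID 1 (process create) and Event ID 13 (registry value set), the sample events are constructed from the report's process tree and registry IoCs with invented timestamps, and the 60-second window is an assumption. The Run-key rule deliberately skips the IExpress wextract_cleanup entries, which name a Temp path but only delete it.

```python
"""Added example, not part of the sandbox report: detection logic for three
behaviours the report records, run over constructed Sysmon-style events.
Each event is a dict modelled loosely on Sysmon Event ID 1 (process create)
or Event ID 13 (registry value set). SAMPLE_EVENTS is constructed from the
report's process tree and registry IoCs; it is not a captured log."""
import re
from collections import defaultdict

DEFENDER_KEY = re.compile(
    r"\\Microsoft\\Windows Defender\\(Real-Time Protection\\Disable\w+|Features\\TamperProtection)$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def defender_tampering(events):
    """EID 13 writes that switch a Defender protection off: a Real-Time Protection
    policy Disable* value set to 1, or Features\\TamperProtection set to 0."""
    hits = []
    for e in events:
        if e["id"] != 13 or not DEFENDER_KEY.search(e["target"]):
            continue
        name = _basename(e["target"]).lower()
        if (name == "tamperprotection" and e["value"] == 0) or (name.startswith("disable") and e["value"] == 1):
            hits.append((_basename(e["image"]), name))
    return hits


def temp_run_key_persistence(events):
    """EID 13 Run/RunOnce values whose executable lives under a user-writable Temp dir.
    IExpress cleanup entries (rundll32 advpack.dll,DelNodeRunDLL32 "<Temp dir>") also name
    a Temp path but only delete it after extraction, so they are excluded."""
    out = []
    for e in events:
        v = e.get("value")
        if e["id"] != 13 or not isinstance(v, str) or not RUN_KEY.search(e["target"]):
            continue
        if "DelNodeRunDLL32" in v:
            continue
        exe = v.split('"')[1] if v.startswith('"') else v.split(" ")[0]   # the executable token
        if TEMP_DIR.search(exe):
            out.append((_basename(e["image"]), _basename(e["target"]), exe))
    return out


def browser_kill_then_kiosk(events, window=60):
    """EID 1 sequence: one parent runs taskkill against browsers and, within `window`
    seconds, launches a browser in --kiosk mode on a URL. That is the lure sequence in
    the process tree (3M82O.exe kills five browsers, then opens Firefox full-screen)."""
    kills = defaultdict(list)
    for e in events:
        if e["id"] == 1 and _basename(e["image"]).lower() == "taskkill.exe":
            m = re.search(r"/IM\s+(\S+)", e["cmdline"], re.I)
            if m and m.group(1).lower() in BROWSERS:
                kills[e["parent_pid"]].append(e["time"])
    alerts = []
    for e in events:
        if e["id"] == 1 and "--kiosk" in e["cmdline"].lower() and e["parent_pid"] in kills:
            if any(0 <= e["time"] - t <= window for t in kills[e["parent_pid"]]):
                url = re.search(r'https?://[^\s"]+', e["cmdline"])
                alerts.append((e["parent_pid"], url.group(0) if url else None))
    return alerts


def run_all(events):
    return {"defender_tampering": defender_tampering(events),
            "temp_run_key_persistence": temp_run_key_persistence(events),
            "browser_kill_then_kiosk": browser_kill_then_kiosk(events)}


# Constructed sample events (values taken from the report; timestamps are invented).
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
POL = "HKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
FF = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
SAMPLE_EVENTS = [
    {"id": 13, "time": 1, "image": TMP + "f39dac3f671d9fa00ce441585ecc355014a9f63ae15652efa454b8636198e193.exe",
     "target": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     "value": 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "' + TMP + 'IXP000.TMP\\"'},
    {"id": 13, "time": 5, "image": TMP + "abc3bc1985\\skotes.exe",
     "target": "HKU\\S-1-5-21-3227495264-2217614367-4027411560-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\b081d73a44.exe",
     "value": TMP + "1005758001\\b081d73a44.exe"},
    {"id": 13, "time": 10, "image": TMP + "1005760001\\49b4578783.exe", "target": POL + "DisableRealtimeMonitoring", "value": 1},
    {"id": 13, "time": 10, "image": TMP + "1005760001\\49b4578783.exe", "target": POL + "DisableBehaviorMonitoring", "value": 1},
    {"id": 13, "time": 11, "image": TMP + "1005760001\\49b4578783.exe",
     "target": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection", "value": 0},
    {"id": 1, "time": 20, "pid": 2876, "parent_pid": 4832, "image": "C:\\Windows\\SysWOW64\\taskkill.exe",
     "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"id": 1, "time": 21, "pid": 4900, "parent_pid": 4832, "image": "C:\\Windows\\SysWOW64\\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"id": 1, "time": 25, "pid": 4040, "parent_pid": 4832, "image": FF,
     "cmdline": '"' + FF + '" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'},
]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The kiosk rule keys on the parent PID rather than on the URL, so it also catches the same sequence pointed at a different lure page; the URL is only carried along for triage. On a real Sysmon feed the registry rule needs Event ID 13 coverage of the Defender policy and Run key paths in the Sysmon configuration, which default rule sets do not always include.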
Network

MITRE ATT&CK Enterprise v15

Tactic               | Technique                          | Sub-technique                      | Count
Persistence          | Boot or Logon Autostart Execution  | Registry Run Keys / Startup Folder | 1
Persistence          | Create or Modify System Process    | Windows Service                    | 1
Privilege Escalation | Boot or Logon Autostart Execution  | Registry Run Keys / Startup Folder | 1
Privilege Escalation | Create or Modify System Process    | Windows Service                    | 1
Defense Evasion      | Impair Defenses                    | Disable or Modify Tools            | 2
Defense Evasion      | Modify Registry                    |                                    | 3
Defense Evasion      | Virtualization/Sandbox Evasion     |                                    | 2
Downloads

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
  Filesize: 19KB
  MD5: 11eec9e95d88dc1e91c023326d58f8ad
  SHA1: ead233d57470c758df156c1ce527eedac1a1a6bf
  SHA256: 2366f289ed2cf90c69dad36a13ecbef1666c5033f335f2ab87f5386df67d2c56
  SHA512: 97f98f477251efd73508bb68145a306c6b4fcd0e0d8eba91d756a06600ab5afbfa270628c31f4273884e589330dad7ebd7ee0a51de317a6864720bc2e857c4bc

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
  Filesize: 13KB
  MD5: cd41ffb45298018b6c94ec4979974d59
  SHA1: 9da014917df2b5e70a82fbac59b4f61168504230
  SHA256: 39a953b07ca00228da16705db7d1f42a2fd7585f00a7cc8c624ee428221031cf
  SHA512: 58188378ad6f20e2600409d3eec9b9e1ae868972bbd726a24b5de55f18fba27a8b8bb35955e15dbb794b2207d06970af605aa5d23928d3d5d61427f9aa242d72

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
  Filesize: 13KB
  MD5: 4b08f14956a6ca8779ce6c64097a62f2
  SHA1: 958ea002442b83e48856f4bd279dd0c0957da437
  SHA256: d13a45949d21b0d4306049154a0c1e52191f0e35d4c9741c8599b01c9913eb46
  SHA512: 186db935df40cff7ce01ffc45936851974deb6de4f86bf4e7dca4d3284d81700bccb133e13aa303ffb259fedcc55953c6d9044bb28f54f281462e3184386941b

- Filesize: 1.7MB
  MD5: bc37773bb9ab9c72ded7535b8cac8b6f
  SHA1: 7a0dc5b4ff0be8a6b3b6c013a910a929ab7c85a6
  SHA256: 7cd61a43406df841be2ebd093e192ad43eee6dbe9b4fb1cbe5197f3e0adda7a6
  SHA512: aed6c32a6ef47b623baeb6809b620ed278411c6bb86eb2679f964bf2ec2705349f10e115cfc499b8ef68f14e424daceb85fa38ef4502dce0ba802b5f821c0131

- Filesize: 2.6MB
  MD5: 3e79282c154c08fdf6ec285b44608428
  SHA1: 1c846aaaa19f9fc4405a5da3a2d1f2082e81d752
  SHA256: cb81001d25b1066fb0b56e74f3ddb9ffe435f4d024252f4297c8ba9a362e04ff
  SHA512: 3a08239ae4810090aa17121647619486a77a7382aa2a3e6425873b36829aa4d62f497cd311b7a26710d914de157719d5bec270bbbf33a75028f4b959d2bf747b

- Filesize: 898KB
  MD5: 756a672ac6ca84b30e9f92b33c11465b
  SHA1: a4b8718de1b78b5fcb24710c39381336b8b6f096
  SHA256: 53db5ebd1efa5fd8df45c1b208c5ba176e38a3c2f039621d305b446e7a296b57
  SHA512: fe77a7458729a360d810d6dfe0f51f70395649800e02d879cd5f3f175be29c2242ee034b37cf010a5d2c8af6c9c987d2238551ea9b88343b997341a68a989f16

- Filesize: 3.5MB
  MD5: 76d9fc062de907c3d29dc14f567e4df2
  SHA1: d3ad3d3058741e1e05b4b5674f2bbc085167f1a4
  SHA256: ec5a0c54044b3ef1dbf521199d8a07895e247292eb8772c8b8473a86e84e4e6e
  SHA512: 297fb67add259ed1aa51dea76e3805628979f3eeb2937c0f51cb1974d7031273e9fa185d3aff4bbbb5f787d7c33045e7ae60178980f71c979dbe6969acaa4cef

- Filesize: 3.1MB
  MD5: 5d92c01d9d2a15e0f55433b1cf43cdd0
  SHA1: 4e97c35531f8008db3acdccc81cdc1421cc6a278
  SHA256: 7877786569d0683af4f6e8e95dd58d92e36cb0e8c164c11dbd7c9ca652380978
  SHA512: 4c02ad5befea2d11ca07750f8bb91e2cd32783a7ebea8c61f81de6abb9b72af74b2aa42ca3f5681f0b7d8ba7b6ae97aaa91009ca88573d79b3178da472129c70

- Filesize: 1.7MB
  MD5: 25b574f2239f60ad04f625eee5216745
  SHA1: 2cdb1245e4149fc829e1b4250ff8331daa61179f
  SHA256: 535e247657b398488aa8f94d3505189260ad2ab0013c955a233b2fb8da9d4972
  SHA512: 13747612c66fd9e143d47d8af89c4ad54d04b2188333823a93bd2ee5bdac575dc3105b2250daf713435ed39b48989e7adfdd54d84ca8f1e312a9fd3fd7b10c82

- Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

- Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
  Filesize: 18KB
  MD5: 9555adc9d06d014e57dc0b3925333c7d
  SHA1: a737c61c9965e8514c07be66a42bcd5b81967b3a
  SHA256: 5125ae698017ddab5841a1bf507d3a161f743446753fb5ca3bdc020dcb707b6d
  SHA512: 9d140026c9d578574b77d50bd31ec1f38a3905d7ef0d5f7ee1d1b43fc14b65391461ca6ccf146e98945a3a42737c0fd6b6da0dba075d5e2e98b67380b2289252

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 3200fe5954ebf66b6514415645e09039
  SHA1: 9ba751da87cd6dd990842c245127a9ad4bc9bff9
  SHA256: c98c8ca09375a55efb2158d4cd925e80ea1449f9cc3e8ed3fa88d4360cbd5ede
  SHA512: 8484a78347644b8b934a9d620bbc563ef0901f53d4301894d0543160017c44d57797d3fad3c575d31b0d7df5db9640bbbca758c412f637074f0118abcba3c56f

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 6KB
  MD5: 6671b71d8256aef644f6ce193f2be7f7
  SHA1: 5a538e7c8755f6ac7908a3142766bbf593e578ad
  SHA256: 6f1e37983cf4a911c0ddff8ccefec39d27bdc1e62a2661ed7bf27c76724ad8c5
  SHA512: 559cea3f842f6e82228eca1314eb30b1278037ee901db0642d0c3fbd25f6aeff462b7956f6c03daf2b29e35d6704441a8fbb46aeb5e34e9eed61539c0951fa90

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 23KB
  MD5: 1ff910eeee8f7f18aa39f24b250f7e9d
  SHA1: fb2177e25e68617bd3e96b230413b0cff5a4557f
  SHA256: 09cf98120107944a9a1ed92e7ff98314f25850ad3634328d920417856f9cc140
  SHA512: 87ca6d63995d4fde0e1537005cd2e036f26feba7184298541d24ca18b37c61961d77abf1b9ef2db08c149605f2258c302b46979448f33b3889d612320e5d3d22

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 6KB
  MD5: a3917dc2d446dab031f626494439e7d1
  SHA1: bdd9d62824d9047d879c51c6d04015059f0c6bae
  SHA256: b1607b0187d1038003e5f8d5fe31d5c0ed884ae6e35501dd277e66a57df912f9
  SHA512: 07f58c0735ae99c17f180ca443317d2fdea9957fc7e620ae7f75399d11488e25dd523423c5e8d96c35077873230ade2366faa50a46afc12f8f5b1083bf73bd53

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 15KB
  MD5: d14ef3993d61f10304729f4660a6b3fc
  SHA1: 8b5899255b1c5517cdb01c59b1a644aa658a1847
  SHA256: c31c3c121b2ce9eda30cbe0737df6830e9ef027c154350f2f57660eeb495197c
  SHA512: 844cf034f526437f153a215f6d1f9fdf23c950bc2420b3800ccd3cd671497e12da908e5b58aee89ef250c8dfc6976e764743baf47e4d0d0c2e3b9fb88bf8afcb

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 15KB
  MD5: f2e21355cfa43fc41572de16614be9f4
  SHA1: ebe7cc81d7d40bf9f98bf5f3d7e7f0d6427ec675
  SHA256: 5a6bb4f7b2869a76672d993b87c688027b2ae38da2f62b1e8c00e6bb67cb14ab
  SHA512: 62a8133b4341d52bbd27080d7b180913affe11835100f043d3a603880159dc7e186e9cfffb54a3dec4ee9da7cd4e78f6075a13a1046dca94cc49c2532374e911

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5: 64220f07978e54d5eb72873129af0743
  SHA1: ddcc26ace4768263fd8feea99d35731de3ce793e
  SHA256: 48375c944fbfe1c711b87935111bc62d12ec0d2b2c596fea6b80b7b9d02c0dda
  SHA512: b64cde48010bf928ed574396889124b2261b94e2d79e7397813fb7b041a353dad2a8190b74e80cb4588d9db212c1c04b5953c18ad9d080d3bd8fd3fa73f1eaaa

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5: f1624ce7d878a0dd73b6d69819fd013e
  SHA1: 7b1cb0073a2629977328665e3d1fc2f231adca55
  SHA256: 11ebe6aeaba447e829244a90455729967d76006d10dad2d232b1bb0164de965a
  SHA512: 94e212846c9ebdc86714c166e2b262010c6b9d6cbb8bbeece7df2ba27aabb24c64831cbbf5efb55e48c9dd4bd95a040f12af75d865faa7faedd4d2a497ba646c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5489ce8b40cb8eac9dd53e3b037d7d697
SHA1a705cc5729419191f365bbd46602327126431687
SHA2566283a53566d15c48438ecbe41fec5e3b4b4d845b049910d3d610d286abbb8460
SHA51280c2b047b79bb5a4bcc26075b6bc218959fd49a02882d66195510ea480fb984ba75bd7f8f1a7fcf2940c4ee184e2a4bb70a23ab8b6184b5fe1bac02958961a29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD55917dc5f7c7c40f53f779680ffdb4458
SHA1cb0f6a41c0adb7d372c738adc6443e6f56bd4573
SHA256663d91a2c0600ac8fc756f036ed320d9415fe2cf832bf5c6dcc4f07d79fac2e3
SHA5129a06271e49dc365b129f737bf08446fdb762e8bcbdbe2be61f3057bff978e191040fbdd36fb0fd595180bbf1f3facf2a43953b0ed5dd293b819f04500bf2aeff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD53b7826ea4f807c16ce444b308e5876b0
SHA11c7dd0e207abe2b7d3fc23008ddbc817a9ec959c
SHA2561a264c26ff30f4f3a86faaabfa9b5256bbcffdd9ff4a6336a28f90b9d4b9c302
SHA512e1a791d7232cedc5ac38f635a14672d4b70cdcd5ba75330d837fd78701b579bece8264c8e5a88e859ca980ae847c910a2591921c9c0b100f0d07b4fda5ff0f3e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD505a0b47a5908457458b3e8e267529b05
SHA112eddac90c53f334c0cc4bf80517c14ccbc01fa3
SHA2560c7e24edbd09216899bbc038405e542aba21be9da6e1fe6e50a55cfa9933c0e2
SHA5126c1d2da821292db7689624d47229baa4d77371969aa4434bc258585211a52d2888c52794bb927f84d3e8bf646e0453a10d4c5d5a196c708c9099eb52edd77abf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\811ef9af-d0db-4df9-8316-2f7dbdfceb86
Filesize26KB
MD551a9732d2f8ef6f666f87a328245067a
SHA18233c928bb2880a9ef9376176b3668a10c0d57c5
SHA25614098f4b8d6b0ae32bb0c9c6f04333416913bdac59ed6f78b1d45860ac4a7792
SHA512f9b067761ab59df9b636c010d805c873038208c54b9a13c4826eb9909b890d0e61f6d562d21c7200b67005b84c24ace205a56b24d5b1cc986dcde2f6f9790b40
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\f1e51d6d-0365-41fb-b3eb-eee7839e9415
Filesize671B
MD5033dbe1b4da4988af656745de122319b
SHA1457748592672d82a5eb33af10d9859f2c664d39c
SHA2563da314d106064362020029deb19c259e6e38c49beb8e25711aa8a6b41b09b0e6
SHA5121ee1438c13ef40d56d5689ac538c61ddfea64f2fd70b3727b9b503a41254ba787f9542b427e90c31ffcdb832f884c4bbc649038ca9fb2f5b037e38c3a7305858
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD53be932db962d2e0993e126bfc8fdf22a
SHA13da820b363592327de69c24d9246fd630c68201c
SHA256ebee39618e16a89387a493405cadd3387ccc57541b115b95c8ef46a55bd2a6c1
SHA512ce2931f240e8962b8195ff74591760a6105ef9c0d592f2e5b9f752905cecf9c46449a08aba8b848ad64f2c800109d4f8723bef0fbfeebd630af110fca85e9309
-
Filesize
12KB
MD52c1edc0a54628b10609489d220da091b
SHA186d1cc435e64b9875306215912c4ba24e66209e2
SHA2560e61c09dfc4f4186918d4637ef120b75e477ca98bf776d827e08c0cd94a69226
SHA512bad2c185d0b6f9939ab3bfd1153123b6373fa4eb3b281b9e5f46ee9808f1ffe0cf1973d398826721b9f2206866293aa086d0a590831677540e6d7aeaf4b540b6
-
Filesize
15KB
MD598a88be5d4234145da59ad362d140603
SHA1e227c27c8abcf2bffefdf434cf7bd1f53ae31a86
SHA256999c7cdc4b40070b8822a71d7bfe6d32f0445cfa1ba755edf68a784374971b54
SHA5124227b36627335e7b036a61363f8074508a5064cfb8843c42b18bceb97edca800301b3c6c63860ec4aabee14bd56a3d74c4cb6ca8c81f2f04904651808e1f0173
-
Filesize
10KB
MD5bc1e9fdf51bf00d3f54198cee9c8bd94
SHA185a17ae7a7bc595fcadc695b9a6a020380718e53
SHA256dd0813722db703a2414521f000405d417c76d1af5b002bd3b2cd74055e1c198b
SHA512e0e037761f9210154a654799e81d646308fffee5094ba58b27a30947392d65f193d0bb9ad0e5380fe90e92f6c7349bda25d5d0e63e80edc10df1bebb19e4d07f
-
Filesize
10KB
MD5308444cc8a61c5fcb9da3749bcbbf733
SHA148ecffa75e375afd1f3699d9f03d1f571b876c59
SHA2562313885568895cbd736b7b6e8c416648a2d62afab3adb6e2f0d84433b919b167
SHA51239ffba94821539435a6e39c039aa73351e3dac0db69465c01470d7983c190159c82565c261613c85407df083e545d23881d60513aa3c3816c4e6d41476625c44
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.8MB
MD58a9f09e61cc5596a7d83761e65f1404f
SHA10151ce73d673b6e6d4ddb415f896e0b0fd050a4a
SHA2561d71df305b85a1f6830128c7c9d6c8c31c2c2c8b1180df0b1b8b958abe66b673
SHA512e4538516bb5c7147bd221c32232d3fc4dad0a856247534d2e556839506d4343b204c908b8de7580debc195ed90a36a87660656edc153033bbc3200cf02d3dc67