Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2024 17:04
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241010-en
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
73897c497394d9f83b016e6377594c5d
-
SHA1
0243a0aa886487a7e9911aaf1ed5ddb28d983b71
-
SHA256
8ef6cd5928d602f0011ba38eaada3c2a5a8e26930c9064400f81e7e182bc7aaa
-
SHA512
e809ebb44765c671c703a61bb28e20f0383c8405a543b94ad88778e5c14682d57c5ffe866e690032b3b85cc500c4270be8452c5ac4a7b8ecca90440b9d4a736e
-
SSDEEP
24576:VdnKzvhEbF6tPhl1QLNquQR+hxt4Hpqv8EWFz47ev/1JVWcvtYOwbHKpOBJ9pQQr:v+yF65hl1Mx+q8EWh1J/WbEOLgQnun
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey family
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
resource yara_rule behavioral2/memory/1652-508-0x0000000069CC0000-0x000000006A71B000-memory.dmp family_cryptbot_v3 -
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 3aaf90cc69.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 3aaf90cc69.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 3aaf90cc69.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 3aaf90cc69.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 3aaf90cc69.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 3aaf90cc69.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e647cf16a5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3aaf90cc69.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f7613a941f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9029db019e.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 1860 chrome.exe 4648 chrome.exe 3180 chrome.exe 4024 chrome.exe -
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f7613a941f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f7613a941f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9029db019e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e647cf16a5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3aaf90cc69.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3aaf90cc69.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e647cf16a5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9029db019e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation f7613a941f.exe -
Executes dropped EXE 10 IoCs
pid Process 5112 skotes.exe 1652 f7613a941f.exe 1976 9029db019e.exe 1752 e647cf16a5.exe 1184 3ed3c6ae8d.exe 5424 3aaf90cc69.exe 5432 skotes.exe 4176 service123.exe 6112 skotes.exe 4512 service123.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine f7613a941f.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine 9029db019e.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine e647cf16a5.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine 3aaf90cc69.exe -
Loads dropped DLL 2 IoCs
pid Process 4176 service123.exe 4512 service123.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 3aaf90cc69.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 3aaf90cc69.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e647cf16a5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007456001\\e647cf16a5.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3ed3c6ae8d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007457001\\3ed3c6ae8d.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3aaf90cc69.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007458001\\3aaf90cc69.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9029db019e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007455001\\9029db019e.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023cb5-83.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 2496 file.exe 5112 skotes.exe 1652 f7613a941f.exe 1976 9029db019e.exe 1752 e647cf16a5.exe 5424 3aaf90cc69.exe 5432 skotes.exe 6112 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 5764 1652 WerFault.exe 92 -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7613a941f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e647cf16a5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3aaf90cc69.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9029db019e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ed3c6ae8d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f7613a941f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f7613a941f.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 3604 taskkill.exe 180 taskkill.exe 3420 taskkill.exe 3036 taskkill.exe 2412 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings firefox.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 972 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2496 file.exe 2496 file.exe 5112 skotes.exe 5112 skotes.exe 1652 f7613a941f.exe 1652 f7613a941f.exe 1976 9029db019e.exe 1976 9029db019e.exe 1752 e647cf16a5.exe 1752 e647cf16a5.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 5424 3aaf90cc69.exe 5424 3aaf90cc69.exe 5424 3aaf90cc69.exe 5424 3aaf90cc69.exe 5424 3aaf90cc69.exe 1860 chrome.exe 1860 chrome.exe 5432 skotes.exe 5432 skotes.exe 6112 skotes.exe 6112 skotes.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 3604 taskkill.exe Token: SeDebugPrivilege 180 taskkill.exe Token: SeDebugPrivilege 3420 taskkill.exe Token: SeDebugPrivilege 3036 taskkill.exe Token: SeDebugPrivilege 2412 taskkill.exe Token: SeDebugPrivilege 3916 firefox.exe Token: SeDebugPrivilege 3916 firefox.exe Token: SeDebugPrivilege 5424 3aaf90cc69.exe Token: SeShutdownPrivilege 1860 chrome.exe Token: SeCreatePagefilePrivilege 1860 chrome.exe Token: SeDebugPrivilege 3916 firefox.exe Token: SeDebugPrivilege 3916 firefox.exe Token: SeDebugPrivilege 3916 firefox.exe -
Suspicious use of FindShellTrayWindow 59 IoCs
pid Process 2496 file.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe 1860 chrome.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 3916 firefox.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe 1184 3ed3c6ae8d.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3916 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2496 wrote to memory of 5112 2496 file.exe 86 PID 2496 wrote to memory of 5112 2496 file.exe 86 PID 2496 wrote to memory of 5112 2496 file.exe 86 PID 5112 wrote to memory of 1652 5112 skotes.exe 92 PID 5112 wrote to memory of 1652 5112 skotes.exe 92 PID 5112 wrote to memory of 1652 5112 skotes.exe 92 PID 5112 wrote to memory of 1976 5112 skotes.exe 95 PID 5112 wrote to memory of 1976 5112 skotes.exe 95 PID 5112 wrote to memory of 1976 5112 skotes.exe 95 PID 5112 wrote to memory of 1752 5112 skotes.exe 96 PID 5112 wrote to memory of 1752 5112 skotes.exe 96 PID 5112 wrote to memory of 1752 5112 skotes.exe 96 PID 5112 wrote to memory of 1184 5112 skotes.exe 97 PID 5112 wrote to memory of 1184 5112 skotes.exe 97 PID 5112 wrote to memory of 1184 5112 skotes.exe 97 PID 1184 wrote to memory of 3604 1184 3ed3c6ae8d.exe 98 PID 1184 wrote to memory of 3604 1184 3ed3c6ae8d.exe 98 PID 1184 wrote to memory of 3604 1184 3ed3c6ae8d.exe 98 PID 1184 wrote to memory of 180 1184 3ed3c6ae8d.exe 100 PID 1184 wrote to memory of 180 1184 3ed3c6ae8d.exe 100 PID 1184 wrote to memory of 180 1184 3ed3c6ae8d.exe 100 PID 1184 wrote to memory of 3420 1184 3ed3c6ae8d.exe 102 PID 1184 wrote to memory of 3420 1184 3ed3c6ae8d.exe 102 PID 1184 wrote to memory of 3420 1184 3ed3c6ae8d.exe 102 PID 1184 wrote to memory of 3036 1184 3ed3c6ae8d.exe 104 PID 1184 wrote to memory of 3036 1184 3ed3c6ae8d.exe 104 PID 1184 wrote to memory of 3036 1184 3ed3c6ae8d.exe 104 PID 1184 wrote to memory of 2412 1184 3ed3c6ae8d.exe 106 PID 1184 wrote to memory of 2412 1184 3ed3c6ae8d.exe 106 PID 1184 wrote to memory of 2412 1184 3ed3c6ae8d.exe 106 PID 1184 wrote to memory of 1928 1184 3ed3c6ae8d.exe 108 PID 1184 wrote to memory of 1928 1184 3ed3c6ae8d.exe 108 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 1928 wrote to memory of 3916 1928 firefox.exe 109 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 PID 3916 wrote to memory of 4144 3916 firefox.exe 110 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\1007450001\f7613a941f.exe"C:\Users\Admin\AppData\Local\Temp\1007450001\f7613a941f.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1652 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1860 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde2d7cc40,0x7ffde2d7cc4c,0x7ffde2d7cc585⤵PID:1408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2400,i,16360620498622983404,1865698123195435170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2396 /prefetch:25⤵PID:5984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,16360620498622983404,1865698123195435170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:35⤵PID:6024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1996,i,16360620498622983404,1865698123195435170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2536 /prefetch:85⤵PID:6028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,16360620498622983404,1865698123195435170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:15⤵
- Uses browser remote debugging
PID:4648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,16360620498622983404,1865698123195435170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:15⤵
- Uses browser remote debugging
PID:3180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4396,i,16360620498622983404,1865698123195435170,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:15⤵
- Uses browser remote debugging
PID:4024
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4176
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:972
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 17924⤵
- Program crash
PID:5764
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007455001\9029db019e.exe"C:\Users\Admin\AppData\Local\Temp\1007455001\9029db019e.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\1007456001\e647cf16a5.exe"C:\Users\Admin\AppData\Local\Temp\1007456001\e647cf16a5.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1752
-
-
C:\Users\Admin\AppData\Local\Temp\1007457001\3ed3c6ae8d.exe"C:\Users\Admin\AppData\Local\Temp\1007457001\3ed3c6ae8d.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3604
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:180
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25dee3a2-28a2-4086-8d2f-2f3417deeb63} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" gpu6⤵PID:4144
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f6686a4-e5d5-46d6-8096-c450ad36493f} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" socket6⤵PID:3840
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2888 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3df45514-e199-4474-9c91-1f34bcbf2e7e} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab6⤵PID:2708
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3892 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3880 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32c0035b-34b1-460b-939f-56cc62885107} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab6⤵PID:2664
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d077e09-5bde-48fe-bb40-7005a92bea0e} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" utility6⤵
- Checks processor information in registry
PID:5496
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5376 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b30e121-d11b-4164-b570-7c99ad083608} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab6⤵PID:2280
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e76e2ae-acd3-4b45-b3d4-b2f70456d93e} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab6⤵PID:3836
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5808 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d057743-d9db-40cd-9208-74239ac1176c} 3916 "\\.\pipe\gecko-crash-server-pipe.3916" tab6⤵PID:4424
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007458001\3aaf90cc69.exe"C:\Users\Admin\AppData\Local\Temp\1007458001\3aaf90cc69.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5424
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1652 -ip 16521⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6112
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4512
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD599b91509ca17d6f8b7a8093adda2db31
SHA1f37e29d99387606b07ef88940e2550c717035a97
SHA2567f50606c04309037c229839eb9bec48d74cb0f79c6ac7ffbf6186ad8573e8c17
SHA5123bd211bff150964e0bd43bdd59a16a834647354809d38e9db2b9918888168b037f0117e924c3adac209e78732a7d36ddd55b974af7ce4e4de66c257863307e7e
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
354B
MD51ae89beddef8ef5136380bd2df849e4a
SHA160648c6bf5f4381f6de9cda433d40b256b08156a
SHA2564dd82b5c5d0b7d8a9f4e5e75e8069e55654b2c82f2de2febb65f48a206945634
SHA5127400276a50a19ded05d6c5c22f4da81a02872bf865b090b6fa7888e5d5b5135f1116cdbc32ead3aa0866ef9f696936612b910d287c3e0dcf2d3b68560ed4e145
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize13KB
MD5a1e4bd2dbd128c6a48d3d0da95f8eb15
SHA19d33c2ff461d786a1e4275094c5f67de97888e71
SHA2566bf49b61cffd3f6e2e499f626058245523e346f20ce6021d468bbcd1cd05f51a
SHA51273960303163dd8c0c133ba0e7fd2cb2bf7c1aad50f820a1dcff07de2b8fe90069c202ab9cc14dbd766d41fc87b1293866832ea4159ad1c220321ba1ec8b5ae27
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize9KB
MD56de6d3aebb4a8a7f090f6bbbef7bc76a
SHA14d9867d3daef1ce23ae4707422ba08b89324db12
SHA2563d9846377382a81fc6dddc3149873149b672f567c810036c42031b15954adc11
SHA512b6b696145fda754bff206a35cf9eeed51c3fd0854be9f681754aa801da8147b4fd33b2368af2db4354607f9e93c24b778d472805061419d08ef4bf8218b51251
-
Filesize
4.2MB
MD5380a232d2a56b308ffda46696d44ca41
SHA1413ab9351c25403325fbaec6a549abbe41734417
SHA2562ead0592bdecc1b63818adb622ef0edc22a39f6855566f40d1aa7d2b1d00cc7f
SHA5121bbf6b4b546bf094b55707528b5a73783a1e1e50e7948d70cd1c251454cc1c7dd82d0981d030137f78ba14985784d8761eb702687dcf49d17a677ff19fbbd561
-
Filesize
1.8MB
MD5f6df237f8dc7d584d8836042966a0943
SHA18749f7bd027e624de82cfff581962b2eeb6a7dfb
SHA256e0ba78bf9b945f75349fd5a76290b9b8ff746abd24f15896a277676261499f55
SHA512a01d4fe202be936549f6a1d465234164a0e315c4725efa85569ce957782ccc904e833db3b2015b173288bfa353b155d649dcff1f2e371e8d010fc197d138f629
-
Filesize
1.7MB
MD58427e384ea4951ee4a5f0b425fa5ad02
SHA108f6dd97b593d0bc86339e1a1b7dd405f7798d4e
SHA2561498a63ecb4dab164c1b8287ea274408379e317874d7d05f41bc6209060326ba
SHA512b62cea071d32ce26c8542fd718ccba61995a7807d73281c7ec066858052d3f7d3539baabafa5e2b0df42c1976f61fece4a7259c92282a3494f7a406c727eaf52
-
Filesize
901KB
MD5ced448790328e3105c0cfc739ce1c049
SHA14e5d7352b4272867394b9a2c8878c108d833662d
SHA256b5aa55ab7b1267b5e806ab6a306816d8198655a7dd68c2af43e11d06e695fb62
SHA51274a181ce8cdef058a0637231822446ce0c7261f7bc9f0a52db90c357ba9d0046676308370501b925d4a039b0ab7540b21c6b08e963de80f1ec2494add6deee4e
-
Filesize
2.6MB
MD5233f648404abf3a913b830957f8bd1d5
SHA17dd39c8b950694bb87303aae1fc9e778b525a7e4
SHA256e6524526950e9fca8f5a7d001a678ca62cca94ff03491e8d45d58df263d6381a
SHA512dc9170603b2f4190496883ec7769c5dc6f1520ebe7be6b2f9b790047a6c92589a71d914887e7f2101807ab7ed1d3fb021ffe339f0e6ec38542df88c22d25b7b5
-
Filesize
1.8MB
MD573897c497394d9f83b016e6377594c5d
SHA10243a0aa886487a7e9911aaf1ed5ddb28d983b71
SHA2568ef6cd5928d602f0011ba38eaada3c2a5a8e26930c9064400f81e7e182bc7aaa
SHA512e809ebb44765c671c703a61bb28e20f0383c8405a543b94ad88778e5c14682d57c5ffe866e690032b3b85cc500c4270be8452c5ac4a7b8ecca90440b9d4a736e
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize18KB
MD5a9f35e4e7d66e10e7d1bdfa1db22ec03
SHA1f03fb46794e72b3b6278b461f95c281a56574aa4
SHA256d617cd627fcb79e549e35109746bcf539a5b9861040110ae1bc72b84e455b322
SHA5125ad894d497cc36222cd9ab620504dab56848f7e02f18b7997c876f83527a5cfa6fdbefb55c667e380c85b27c98c93401e9dcca6b0e4a07c1204c507368398cc8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize8KB
MD583d28d097f6007039923dc1fa113a2d7
SHA170d29b3c2b672b310a6288c97aea0b83427d6cb6
SHA256ab3f6e392c2b532f2e9f030a0ce4d7a3961e6f6b0607ada9469f8198346beede
SHA5125cae10ae665592b0fdd8be5fb63cbc92e6fade23faf40b1f25e25fc639081021a09e5d2ad6f70a3f0cdab1471a228439109b8abb2cccac7c6a4d728abd444a0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5a2516ff77790302f1f25241ecaac893b
SHA17c1370eb91277a2c562d08d8f8c88b083181d868
SHA2564a8e9cefcaba96dbb9bcbda0d9011658407e682a0dfd1d08bfa1d2df7eff2645
SHA512ca6fe98210d558ec0744a3680acecaa307ef943322f82b3a4ace69d94cc248292520f0b2b8ffd1542d636e8613650c16b859df37800c0a9f140912c98921f805
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD59c7ac0472f73f0ebb4731e325cc4cd54
SHA1a67ca78993e8c469c14434b9917a0b37b735c4de
SHA25635233ae20e61eda85cd2f8b5dacc39c777356b6b2d69caad6cb30baf6a193bdc
SHA51206ea879866aed4ed71c034cdb6eb8fdb23cc602ed42f4bbfe34fc0c996eaa16ddd2d81812510170188995e1972ab1aeb735039d7f515ef1b01c27f6867de523a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD56d99aa3fdfb026533534e29d8b771cef
SHA12f59f7279933603c4469d8fabae8975eeb9cd8b6
SHA256a06e62d53ae38391429a184fda7959140e8bec8d13c62b6a0675b5ec2acc917d
SHA512787062bbfd012f21cc3a3d2294dff778c25b3ff652e96c9e8c2362af0b0645f50f4575211a9d6ae7971d68097171eb05c96decda6c32ff4545a69c2c26656b81
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5a343233dad17a7d66784c7998f99eb52
SHA1951ffb9b6c7a82504fa7c4890613448d9b5c3c9c
SHA256c911d3fcd9d49ea504c5c4cdd4e27fe79977f798195343ac2d5f4a0ffebb26b6
SHA512bc402392e86b4917e4e34554f41571a30945c28a06dd46ae30e7222fe5e75b63b383bba21f2b6b386f6e3d365158ff4ff1420c7d1d0f918a7b8f86e20c78dbc3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\6cdebc6c-4df5-478d-b796-1dba15f9df7d
Filesize26KB
MD50146ebcde316968593147b762982b6ff
SHA1da007014d0a3b1e44abd7ccfd132d811d16f42df
SHA256d577ec614386d4bb5337a5d368d9d93bb9cdfc54bf70ce87ab5690a14a4bc90a
SHA512aa079a8bc68f0ff002a2f983bf9bd09de406c3abfcf8546c220fcb341c7bda170112be0661436f0ddb470f18d16833e3713de2b5e9e988a717164a77e0e10912
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\a66b3e11-46a3-4af9-a50f-65a412e78083
Filesize982B
MD5e2c83cfd2da347db739340f83726345a
SHA18f30b773013c992b5f6bf53c8a2b1d7e1d86c8ed
SHA256e4944c3dce18b44f1fff716b587d42c81f7860d86d10773329cee0d63bc183ac
SHA512a18838bd2f7e1917c7f84fc0f09de020edde762a4e959e8896687f7f288ba8b7384c62915e7e84b5d8cef75712cad09f642ae39d12ea40e1e0db8dcd53bb44f8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\c0f7bbea-0cfa-46f5-8ace-c98abb9e6f89
Filesize671B
MD5208dc1136d8f99407668d8e31a14122a
SHA106c2df09c6b722d47cec2c7cc691ce91d66496c0
SHA256194cb372543ce884f6e51143f16df046dc27ee351775c4217857590267003b43
SHA5127a4cd89c9cb9e4f8374a145507f43518f5c49352de82f1303b015bc7644a61d8b7151feec6ff625a9fa4f3185c67f4c80be673aed9ef2b8c52dcb9bfe85f77e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5c2faaf388b368bdb05e9f43b3e9490a2
SHA14871bef7696c911934fd0d04d92d64d7275aecb2
SHA256814f388f662e31617f374743abb23e8263a5dd99ca15b392383aa93ad66ab4b1
SHA51219ccf913c882e820bed0977c5249cb0fb06a119558d265556941117ba34b415f2862de6053a4e52ab5a28bbb5d7c1170dd20d71965adcb72aca4b83c46312e11
-
Filesize
15KB
MD504d5afdb3eaff9bb1141861560df180e
SHA1b9a401d8bc2525376bfc913ee97b2d54344b61d5
SHA2565d31d4c5a4ee6bcf8759b44d8ab9107a4dec71123d7521d2fb067d7e6164afd4
SHA5124803bfd2900cde8cadf0a78b48445edcba25602b9ebe147fc11d6d50c2ef415fc4f69d9c67ec89f5aacbcf667183001b8e03475c4d82cea3cc0abd82d1a58b96
-
Filesize
10KB
MD5330fca5f2d97eec33be4b81d5d76ba68
SHA1a1f9f113c4bc9cc9db01aa8c80600fd913dcc3f1
SHA256092576629a8c4a14720886da4019e0956d644099e6c3de6c79dad1c09b94805c
SHA5122676a354fbeb1cc3980e9a686d6f354d92174fbc2991d6190592a60e34a83818d96f595b86945c0e54ea877a5340f1f9fb43500ec9c31b9b204852f7c7621525
-
Filesize
12KB
MD5df3eef8999337b6add2719663aeb70b1
SHA1709271a980756d8460bb776bdd3f9b1fd9149739
SHA256ae7e8edfcd017e169d481f88c9f83831f73d6d68134366db24a46005b79f7152
SHA51213ddda2d4134470795dd4f3264ae2b56a33011e8f5dfbe0c7060ef65a28e3b29517c480ab6cd849419a32e6873b1e4e5278701605a3a173cf65c18e7dcaed8da