Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/11/2024, 02:10
Static task: static1

Behavioral task: behavioral1
- Sample: 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
- Resource: win7-20241010-en
General
- Target: 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
- Size: 1.8MB
- MD5: fc60fac3b512854df25f9a62a8982b5f
- SHA1: 55bdf77f2f4e613f2aaf0a3cc22fc2e68678ac7e
- SHA256: 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687
- SHA512: 0603ef0b95cd18343686abf01d0dd7fd7f55693bdcc308fd50d9a66de65f6c25c3401b21fc73aa91a7e50e3217fe127071faa836425eb0b650621422ce26389b
- SSDEEP: 24576:jSW/ofKP26CwSz/h3O2In5iOSCeRWwBuP/xD7LCSWSA2yJNjsu9yk5H0RhbB9XfB:jp/w6CjZO2U5iOSNRbBuhC7LqQHANlB
Malware Config

Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php

Extracted: stealc
- mars
- http://185.215.113.206
- url_path: /c4becf79229cb002.php
Signatures

Amadey family

Cryptbot family

Detects CryptBot payload (1 IoCs)
CryptBot is a C++ stealer that is widely distributed bundled with other software.
resource | yara_rule
behavioral2/memory/2108-486-0x0000000069CC0000-0x000000006A71B000-memory.dmp | family_cryptbot_v3
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 01b1010677.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 01b1010677.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 01b1010677.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 01b1010677.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 01b1010677.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 01b1010677.exe

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 01b1010677.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3ae25ad609.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8b74dace5a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0b306267f9.exe
Downloads MZ/PE file

Uses browser remote debugging (2 TTPs, 4 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
5776 | chrome.exe
4488 | chrome.exe
2724 | chrome.exe
5196 | chrome.exe

Checks BIOS information in registry (2 TTPs, 16 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3ae25ad609.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8b74dace5a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0b306267f9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3ae25ad609.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 01b1010677.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 01b1010677.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8b74dace5a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0b306267f9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 3ae25ad609.exe

Executes dropped EXE (10 IoCs)
pid | Process
2040 | skotes.exe
2108 | 3ae25ad609.exe
1124 | 8b74dace5a.exe
2584 | 0b306267f9.exe
4388 | 88356ae70e.exe
3392 | skotes.exe
4332 | 01b1010677.exe
4656 | service123.exe
5228 | skotes.exe
5300 | service123.exe

Identifies Wine through registry keys (2 TTPs, 8 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 8b74dace5a.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 0b306267f9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 01b1010677.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 3ae25ad609.exe

Loads dropped DLL (2 IoCs)
pid | Process
4656 | service123.exe
5300 | service123.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 01b1010677.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 01b1010677.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b74dace5a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008082001\\8b74dace5a.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0b306267f9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008083001\\0b306267f9.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88356ae70e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008084001\\88356ae70e.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01b1010677.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008085001\\01b1010677.exe" | skotes.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0007000000023ceb-85.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
pid | Process
4332 | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
2040 | skotes.exe
2108 | 3ae25ad609.exe
1124 | 8b74dace5a.exe
2584 | 0b306267f9.exe
3392 | skotes.exe
4332 | 01b1010677.exe
5228 | skotes.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1696 | 2108 | WerFault.exe | 90
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8b74dace5a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0b306267f9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 88356ae70e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ae25ad609.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01b1010677.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service123.exe

Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3ae25ad609.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3ae25ad609.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Kills process with taskkill (5 IoCs)
pid | Process
2056 | taskkill.exe
4308 | taskkill.exe
1808 | taskkill.exe
4908 | taskkill.exe
1500 | taskkill.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | firefox.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4580 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid | Process | count
4332 | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe | 2
2040 | skotes.exe | 2
2108 | 3ae25ad609.exe | 2
1124 | 8b74dace5a.exe | 2
2584 | 0b306267f9.exe | 2
3392 | skotes.exe | 2
4388 | 88356ae70e.exe | 4
4332 | 01b1010677.exe | 5
5776 | chrome.exe | 2
5228 | skotes.exe | 2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
pid | Process | count
5776 | chrome.exe | 3

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4308 | taskkill.exe
Token: SeDebugPrivilege | 1808 | taskkill.exe
Token: SeDebugPrivilege | 4908 | taskkill.exe
Token: SeDebugPrivilege | 1500 | taskkill.exe
Token: SeDebugPrivilege | 2056 | taskkill.exe
Token: SeDebugPrivilege | 3180 | firefox.exe
Token: SeDebugPrivilege | 3180 | firefox.exe
Token: SeDebugPrivilege | 4332 | 01b1010677.exe
Token: SeShutdownPrivilege | 5776 | chrome.exe
Token: SeCreatePagefilePrivilege | 5776 | chrome.exe
Token: SeShutdownPrivilege | 5776 | chrome.exe
Token: SeCreatePagefilePrivilege | 5776 | chrome.exe

Suspicious use of FindShellTrayWindow (59 IoCs)
pid | Process | count
4332 | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe | 1
4388 | 88356ae70e.exe | 7
3180 | firefox.exe | 4
4388 | 88356ae70e.exe | 1
3180 | firefox.exe | 17
4388 | 88356ae70e.exe | 3
5776 | chrome.exe | 26

Suspicious use of SendNotifyMessage (31 IoCs)
pid | Process | count
4388 | 88356ae70e.exe | 7
3180 | firefox.exe | 4
4388 | 88356ae70e.exe | 1
3180 | firefox.exe | 16
4388 | 88356ae70e.exe | 3

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3180 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 4332 wrote to memory of 2040 | 4332 | 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe | 82 | 3
PID 2040 wrote to memory of 2108 | 2040 | skotes.exe | 90 | 3
PID 2040 wrote to memory of 1124 | 2040 | skotes.exe | 91 | 3
PID 2040 wrote to memory of 2584 | 2040 | skotes.exe | 92 | 3
PID 2040 wrote to memory of 4388 | 2040 | skotes.exe | 94 | 3
PID 4388 wrote to memory of 4308 | 4388 | 88356ae70e.exe | 96 | 3
PID 4388 wrote to memory of 1808 | 4388 | 88356ae70e.exe | 99 | 3
PID 4388 wrote to memory of 4908 | 4388 | 88356ae70e.exe | 101 | 3
PID 4388 wrote to memory of 1500 | 4388 | 88356ae70e.exe | 103 | 3
PID 4388 wrote to memory of 2056 | 4388 | 88356ae70e.exe | 105 | 3
PID 4388 wrote to memory of 1932 | 4388 | 88356ae70e.exe | 107 | 2
PID 1932 wrote to memory of 3180 | 1932 | firefox.exe | 108 | 11
PID 3180 wrote to memory of 1792 | 3180 | firefox.exe | 109 | 21

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 4332

  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2040

    C:\Users\Admin\AppData\Local\Temp\1008081001\3ae25ad609.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008081001\3ae25ad609.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 2108

      C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
      - Uses browser remote debugging
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 5776
        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffc46f1cc40,0x7ffc46f1cc4c,0x7ffc46f1cc58
        PID: 5828

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,2104282648251781628,15816891500615214663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1708 /prefetch:2
        PID: 3308

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,2104282648251781628,15816891500615214663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
        PID: 1236

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,2104282648251781628,15816891500615214663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:8
        PID: 4520

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,2104282648251781628,15816891500615214663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
        - Uses browser remote debugging
        PID: 2724

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,2104282648251781628,15816891500615214663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
        - Uses browser remote debugging
        PID: 4488

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,2104282648251781628,15816891500615214663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:1
        - Uses browser remote debugging
        PID: 5196

      C:\Users\Admin\AppData\Local\Temp\service123.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 4656

      C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 4580

      C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1864
      - Program crash
      PID: 1696
    C:\Users\Admin\AppData\Local\Temp\1008082001\8b74dace5a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008082001\8b74dace5a.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1124

    C:\Users\Admin\AppData\Local\Temp\1008083001\0b306267f9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008083001\0b306267f9.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2584

    C:\Users\Admin\AppData\Local\Temp\1008084001\88356ae70e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008084001\88356ae70e.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4388

      C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM firefox.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4308

      C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM chrome.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1808

      C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM msedge.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4908

      C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM opera.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1500

      C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM brave.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2056
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      - Suspicious use of WriteProcessMemory
      PID: 1932

        C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3180

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc8a86b7-390b-4896-87f7-e0105d62ad03} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" gpu
          PID: 1792

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d851d2b-b866-44c7-a03d-1c28338d0eb4} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" socket
          PID: 4556

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 1356 -prefMapHandle 2684 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1415f954-038e-4caa-ac5f-8e935ab67c3b} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab
          PID: 4504

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 4000 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f54bc27-d2bf-426b-b31e-a1dcc8cb1c82} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab
          PID: 4664

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4716 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4724 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {148c0e55-7175-45b7-85a8-656baf70db14} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" utility
          - Checks processor information in registry
          PID: 5132

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5028 -prefMapHandle 5476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b3ee983-367d-4ba8-bfcd-85cda1847459} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab
          PID: 6088

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82517d6b-a73c-486a-90d8-fdf17de7a1b5} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab
          PID: 6100

          C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 5 -isForBrowser -prefsHandle 5904 -prefMapHandle 5912 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3002fb6-c482-4957-b09d-9eb80e130cd0} 3180 "\\.\pipe\gecko-crash-server-pipe.3180" tab
          PID: 6112
C:\Users\Admin\AppData\Local\Temp\1008085001\01b1010677.exe"C:\Users\Admin\AppData\Local\Temp\1008085001\01b1010677.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3392
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2108 -ip 21081⤵PID:1932
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5228
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5300
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
- Windows Service 1
- Modify Authentication Process 1
- Scheduled Task/Job 1
- Scheduled Task 1
Privilege Escalation
- Boot or Logon Autostart Execution 1
- Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
- Windows Service 1
- Scheduled Task/Job 1
- Scheduled Task 1
Defense Evasion
- Impair Defenses 2
- Disable or Modify Tools 2
- Modify Authentication Process 1
- Modify Registry 3
- Virtualization/Sandbox Evasion 2
Credential Access
- Credentials from Password Stores 1
- Credentials from Web Browsers 1
- Modify Authentication Process 1
- Steal Web Session Cookie 1
- Unsecured Credentials 1
- Credentials In Files 1
Downloads
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
Filesize 27KB
MD5 e49eb109cce7a5543c37cc7a3b325beb
SHA1 78634ad8a4915a532aa72af0a75d1ebd8d7fb27c
SHA256 0d5eae28c1a54b13bf8e8b11deaacb07044c3fba891b8da49495a1a9687b9636
SHA512 5b5e067fff7f6f10e9d5db6ad37fa617d97d6b90479671fd393ecd6ef3abe4237168e375bb94d9a21b389cd13d81832ecfe76bb6d83804b749ae43d2377285b4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize 13KB
MD5 52b0382623d2b446e96c899a5c8b7639
SHA1 873c39d664739b97116e27445879c45d187b5917
SHA256 1aea7c294d2a41f4071b943e4d7c1f9ace5e9016bd8c0fc46fa2d7f1e4398b24
SHA512 dc38c844e6b9551dce15b5c33c3ebb58ad4bf028ced4678893067ea0bff95202b537e629b26565b1c6aafb50ae44ef54370a239791eab7a780e7424fafe60178
-
Filesize 4.2MB
MD5 402af0c244e89244c6e899931f5a23b9
SHA1 4413e4e963830f4631a64830b8dc8bf3e427d53a
SHA256 e4f2dd198edb21635f20639dc65bcae2b2cf6a66b9f8a37b7253dd7b353c3ef9
SHA512 fdcce9f496704336b45ec255095f7dd76fa0af26cf8ab784a283d55d5b05bd94ef3d3e61bee5b9f7e20251dfaaef9834373e6ff39e21fc689551a4ae5a27f1da
-
Filesize 1.8MB
MD5 c29c30bfb75bf498848c908638625e45
SHA1 9879e768d895a6f4fa69bbff4c4d7193321dcc9f
SHA256 06a34982b9154716e14297712ecb8efb2bc9bcce381e6e4305cf2e1579bfdcd4
SHA512 ada1d2345e2a0bbb3aef2916cc001094524638a38f431817eb80207215c9eb935e2f7dfee50870b90dc43af4d39a72b4640d12aaaa51c839da0c7ef076167205
-
Filesize 1.8MB
MD5 e5a48f23e7b32f452f9bf2e6bf42094c
SHA1 4f95895d7a641793c3e603847c06ffd51fb29940
SHA256 90a76e28f761c3a0580ec1b56eb241b57001091cac3d63378dec4368279103dd
SHA512 3ad71818ffa0544e8c7e302c49a51b7e58b42543a0640a588e448d4d1ebb9e4b880e1869a634b7e66a2d11849eb2c68672b575f7b6386393bc02ff052293ded4
-
Filesize 901KB
MD5 6e6af329feb47e6d6dec9389429cfd07
SHA1 dfd44cfcabd9d5ae746ad4221e55302b89002b0a
SHA256 f6dc47d57da7bec7190d32e4140b861714fefc6ceac91faf1ae3d65eae141d5d
SHA512 da9e894874433ae748912ad95dc0e92a9e9cb44f95755d2ba929355abd9de631fa9b4fddebd1647d655ca8c62cc7284c97a1d4de174ce47b3cd6ec5c51a5e157
-
Filesize 2.6MB
MD5 737f95c4ab6db790a94058de0ae65785
SHA1 27e0429b7426a619bfdfe0c71e4f5c995eb82dad
SHA256 b15c5a342a7300a91373426ca437580d1dc969403e9a855cf89c4876aaa3f3eb
SHA512 cc57f79bc6ed4884d174ff37cc5dd64b71946c0114b5fdb1df8aac9248db9425afcd93444bfa1a925801d82caac18eec91ad6ce6eb0d2aacc5c3f77ca693d1f7
-
Filesize 1.8MB
MD5 fc60fac3b512854df25f9a62a8982b5f
SHA1 55bdf77f2f4e613f2aaf0a3cc22fc2e68678ac7e
SHA256 1bf9d23d442e10a752d5ff0bac0fc06a679fe36f8c289ea9243f5c6d94bed687
SHA512 0603ef0b95cd18343686abf01d0dd7fd7f55693bdcc308fd50d9a66de65f6c25c3401b21fc73aa91a7e50e3217fe127071faa836425eb0b650621422ce26389b
-
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 6KB
MD5 5c036c88dd3cfa5c5125092566d1be14
SHA1 bef910e269618442bbd606c873427a813d878933
SHA256 4a43dbc4bd1650eebc09ef0a360a780cdca07efdb3cb2d4622f52277c502afc1
SHA512 cb9266e7e9c0d5e630266e9874c964b8a7531c601654d041e9ee0934405c08235dfc8671e65a76371567ca5fbc101373b121a19da67c18ccfec6d26c614dbdc2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 10KB
MD5 4073524bbb21f8af3294e35274235691
SHA1 96541cb5f6bd73189d272647381e599a01e44a03
SHA256 0631aaee3f65cb61e81540e3983c5b13af94c5773be82ca07085ff68a3f969dd
SHA512 5377db148cdbba0706ad5ac99d3c253f1215a0e0771e4b44680c062da9f76e9fb8fa9d332969bf3ae173fb47e8af146a599f1139e22c8731c8005e3986ea9b45
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 21KB
MD5 f234599cddfd92a528204f0487475687
SHA1 a3d7172109985be5ac07eef39cf555a4bbbc0ac5
SHA256 525bd9fa44b1a85b50f058cdeec1c0bb0fdfd411297d2b332861d5ade233b37c
SHA512 b74b66331d69dc16092227cd1a5938cdfb2229f60fe016fbecd85b6608ad74dc3997314752afb22c6091a43fdd1f3fd72b100d788390a0d6ad0c64548959b98c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 21KB
MD5 4b2ed3d49da2057471872f53ead86212
SHA1 2928562262d799386a4dc8db58fa0b3396706980
SHA256 5b989dbbb2c150ad7c8f1c7f9e46049e3f197f2519fb97da76df597b7efff451
SHA512 3947de75c493cf0521b94d4f3aaf86376dc1ffc04172f4bf1f64e907eb667624df98178920a591280d6f1aec4d077fd222548659c55f4f96e83ed16b85a96fd7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 22KB
MD5 1a2f92f0b8d5030b6fde8b095a799ec9
SHA1 6fd5bb533f5f0e8408eb4aeeb6056efa03458ae8
SHA256 6aaa57d77828fca70e7d186018ea92cedc241caf35a399ca33327ea830292a18
SHA512 21f43e4687b8adb14e956a3b9d43958f8cdbd69fae914f644595308e69a609ce97f753306761930047fa42c1a983ed2d44a774765a3b4256a2e005110726f0bc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 24KB
MD5 21eccf80b06a43fb852e191ebadd1d39
SHA1 ebc62c0cb4e84a014e81689fa4d466c2f559eb30
SHA256 013690bc3d5d654834dbd08dab230022dda206f3f4f2ebfe38f6bde78d76fd6f
SHA512 1ea4d80b44d58242a8fbbfc74b9b027b71895534d5a0f113d157dd570751ae88f648dd7009e80471dad828956c4f4716a9580aee38bd61d7f970c1dad00c6c02
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 24KB
MD5 c7f384d4c46a78f3e47221aca2ce27e7
SHA1 475eb6bba323405d5ba1b93844af2d1fd12a05df
SHA256 f3eec3a0ef02d7b5bc179b5bac291c31929f7eeadb7582337d61a8c6c38a8cd2
SHA512 bce4586c0ffbba09a9a41a62d5a75d5152a19a5078d314ec05c9f8ef74e21eb17985ae693e4ea7aa98f0cf61b0d6e00fe69e57a7b341bccd35b10226a0663091
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\1b4f01eb-e9de-45b5-b507-dde7fc9936e7
Filesize 659B
MD5 9b5c75c3fc0feb5a6f7a15fc8a4aefee
SHA1 f32d57373a876b47255094f9eae82ca7678c326f
SHA256 627cb9185985463ded8030b4c20b1ddb67574f502df296b43ceef96213e93724
SHA512 6b4c41ec03caeace963d8b06b1c140011ae64e8948219dab61a83d93c61a55b0ab95d535520861f2d52c1f9a20099c7fb4a8d94b0246c33ef36ea2d09e21af39
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\ae202376-35f0-4c9e-9b9b-4c1abb38b584
Filesize 982B
MD5 3487596107bba3e2b99476269b1cf3f7
SHA1 6c1fc84cfed0d6f5d2771ab1f27f678f43a8113b
SHA256 e3a693b36bd6ef6d5095ccce05a183fa158df706d8a83d487541bd52ef172908
SHA512 5cfda0ca8dacb283835b136e4eaa67420c668d596db7ed0f8d9849c7c6e2e8de02301031873fbf235979c24b1b57c3cf3e3c950a540841e60c5809e36b9b1d31
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize 12KB
MD5 b385e09425b899a10587f86c2a0c4df0
SHA1 a68605bb7363cb8c3c520e9b55866347937425de
SHA256 0f78a4cf185d5616c17d8af6e6b28cb7c413da53f8d2796240908765925f38f4
SHA512 91301cbe95b7311d15bbaefe77755554f0af5e4d0bde0885128c50e3fcc945215368b7d6340ba1d0b72e57e09fa2410c48843c4e306c98c304172b71d7bd72b5
-
Filesize 15KB
MD5 aba3cc1636d44d428ddbd8ed8adc880e
SHA1 40837b76cbfb4b036e8bc69e3c157f8b636447f4
SHA256 e2f2b007088554e3cb3a9478ee1149d52ec2e591cbb4279c64bb524e5c1cbe50
SHA512 b710e592afa55992c1440cf11931dd5707cbe61febd56a165f28a24171799f269bdb5d96e6e3887c774eeedf7dd6fdb3b2ad343bcf7a7418ff63420dba1de328