Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 03:16
Static task: static1
Behavioral task: behavioral1
Sample: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Resource: win7-20240903-en
General
Target: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Size: 1.8MB
MD5: 60f886c3617266309ac54c0775b86a1e
SHA1: 41f813ff0d3455bd4edc34770c6b96066a35ad8c
SHA256: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f
SHA512: 658b6db64dc96a1212fec4bda02beaeb0a41a29c5fb89a854a15999ba0e632754a9fa5ab647084dec78b6d757318d6a7917c19e7e3ef1cc66789d02e6bf4e097
SSDEEP: 49152:bqzY90Y24zHWuK0C7RmyKQ1LpxWST1EUtdIrXd4BjjI:OqCUC7Rv7sSWUnIrtmfI
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted
Family: stealc
Botnet: mars
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php
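The two extracted configs give a C2 host and a request path for each family. The following is an added example (not part of this report and not code from either malware family): it derives the full C2 URLs from the config values above and checks HTTP proxy log lines against them, treating a host-plus-path match as a high-confidence hit and a host-only match as a weaker one. The log lines are constructed, and the assumption behind the host-only match is that any other request to the same IP (for example a payload download) is also worth surfacing.

```python
"""Derive network IOCs from the extracted Amadey and Stealc configs and match
proxy log lines against them.  Added example; log lines are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

# Values copied from the extracted configs above.
AMADEY = {"c2": "http://185.215.113.43", "url_paths": ["/Zu7JuNko/index.php"]}
STEALC = {"c2": "http://185.215.113.206", "url_path": "/c4becf79229cb002.php"}


def c2_urls() -> dict[str, str]:
    """Map each full C2 URL (scheme://host/path) to the family it belongs to."""
    urls = {AMADEY["c2"] + p: "amadey" for p in AMADEY["url_paths"]}
    urls[STEALC["c2"] + STEALC["url_path"]] = "stealc"
    return urls


def c2_hosts() -> dict[str, str]:
    """Host-only view of the same IOCs, used for the weaker match."""
    return {urlsplit(u).netloc: fam for u, fam in c2_urls().items()}


# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# The /other/path.bin request is a placeholder, not a path seen in the report.
SAMPLE_LOG = """\
2024-11-23T03:17:01Z 10.0.0.15 POST http://185.215.113.43/Zu7JuNko/index.php 200
2024-11-23T03:17:02Z 10.0.0.15 GET http://185.215.113.43/other/path.bin 200
2024-11-23T03:17:05Z 10.0.0.15 POST http://185.215.113.206/c4becf79229cb002.php 200
2024-11-23T03:17:09Z 10.0.0.22 GET https://www.mozilla.org/ 200
2024-11-23T03:17:10Z 10.0.0.15 POST http://185.215.113.43/Zu7JuNko/index.php?x=1 200
"""


def match_line(line: str, urls: dict[str, str], hosts: dict[str, str]) -> dict | None:
    """Return a hit record for one log line, or None if it is clean."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, client, _method, url, _status = parts[:5]
    s = urlsplit(url)
    # Compare on scheme://host/path so a query string cannot dodge the match.
    key = f"{s.scheme}://{s.netloc}{s.path}"
    if key in urls:
        return {"client": client, "family": urls[key], "confidence": "high", "url": url}
    if s.netloc in hosts:
        return {"client": client, "family": hosts[s.netloc], "confidence": "medium", "url": url}
    return None


def scan(log: str) -> list[dict]:
    """Run every line of a log through match_line and keep the hits."""
    urls, hosts = c2_urls(), c2_hosts()
    return [m for line in log.splitlines() if (m := match_line(line, urls, hosts))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["confidence"]:6} {hit["family"]:7} {hit["client"]} {hit["url"]}')
```

The host-only tier exists because a sample that changes its request path between builds still beacons to the same infrastructure; anything it returns should be triaged, not blocked outright.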
Signatures
Amadey family
Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes: 7d78082205.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 7d78082205.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 7d78082205.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 7d78082205.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 7d78082205.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 7d78082205.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 7d78082205.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
Processes: skotes.exe, 7d78082205.exe, skotes.exe, skotes.exe, ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe, 25e5cbb341.exe, f7666b316d.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7d78082205.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 25e5cbb341.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f7666b316d.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 25e5cbb341.exe, f7666b316d.exe, skotes.exe, 7d78082205.exe, skotes.exe, ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe, skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 25e5cbb341.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f7666b316d.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7d78082205.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 25e5cbb341.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f7666b316d.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7d78082205.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation skotes.exe
Executes dropped EXE 8 IoCs
Processes: skotes.exe, 25e5cbb341.exe, f7666b316d.exe, a2ef14a8b3.exe, skotes.exe, 7d78082205.exe, skotes.exe, skotes.exe
pid process
3576 skotes.exe
4112 25e5cbb341.exe
2944 f7666b316d.exe
628 a2ef14a8b3.exe
5648 skotes.exe
5840 7d78082205.exe
872 skotes.exe
5940 skotes.exe
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, and it can be used as a sandboxing environment.
Processes: skotes.exe, skotes.exe, ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe, 25e5cbb341.exe, f7666b316d.exe, skotes.exe, 7d78082205.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine 25e5cbb341.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine f7666b316d.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine 7d78082205.exe
Windows security modification 2 IoCs
Processes: 7d78082205.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 7d78082205.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 7d78082205.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: skotes.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d78082205.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008338001\\7d78082205.exe" skotes.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25e5cbb341.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008335001\\25e5cbb341.exe" skotes.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f7666b316d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008336001\\f7666b316d.exe" skotes.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a2ef14a8b3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008337001\\a2ef14a8b3.exe" skotes.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\1008337001\a2ef14a8b3.exe autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe, 25e5cbb341.exe, f7666b316d.exe, skotes.exe, 7d78082205.exe, skotes.exe, skotes.exe
pid process
1476 ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
3576 skotes.exe
4112 25e5cbb341.exe
2944 f7666b316d.exe
5648 skotes.exe
5840 7d78082205.exe
872 skotes.exe
5940 skotes.exe
Drops file in Windows directory 1 IoCs
Processes: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
File created C:\Windows\Tasks\skotes.job ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes: 25e5cbb341.exe, taskkill.exe, taskkill.exe, taskkill.exe, 7d78082205.exe, ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe, taskkill.exe, taskkill.exe, f7666b316d.exe, a2ef14a8b3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 25e5cbb341.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d78082205.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f7666b316d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2ef14a8b3.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
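The registry signatures above (Defender policy writes, the TamperProtection write, the VirtualBox ACPI, BIOS and Wine probes, the Geo\Nation and NLS\Language lookups, the Run keys and the CPU reads by firefox.exe) all share one row shape: an operation, a registry path, an optional value and the process image. The following is an added example, not part of this report: a parser for that row shape, which accepts both one-row-per-line input and the run-together form the page renders, tags each row with the behaviour it evidences, and rolls the tags up per process. The tag names and the WOW6432Node normalisation are this example's own choices; the sample rows are copied from the tables above. One caveat on reading the Defender rows: the report records the write to Features\TamperProtection, not whether Defender accepted it.

```python
"""Parse Triage-style "description ioc process" registry rows and tag each one
with the behaviour it evidences.  Added example, not part of the report."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# One row: <operation> <registry path>[ = "<value>"] <process image>
# The lookahead lets finditer split rows that were run together on one line.
ROW_RE = re.compile(
    r'(?P<op>Key opened|Key created|Key value queried|Set value \((?:int|str)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<proc>\S+\.exe)'
    r'(?=\s+(?:Key |Set value)|\s*$)',
    re.MULTILINE,
)


def classify(op: str, path: str, value: str | None) -> str:
    """Map one registry operation to a coarse behaviour tag (WOW6432Node-insensitive)."""
    p = path.lower().replace("\\wow6432node", "")
    if "\\policies\\microsoft\\windows defender\\real-time protection\\disable" in p and value == "1":
        return "defense-evasion:defender-realtime-off"
    if p.endswith("\\windows defender\\features\\tamperprotection") and value == "0":
        return "defense-evasion:defender-tamper-protection-off"
    if "\\policies\\microsoft\\windows defender\\" in p:
        return "defense-evasion:defender-policy-key"
    if "\\hardware\\acpi\\dsdt\\vbox__" in p:
        return "anti-vm:virtualbox-acpi"
    if p.endswith("\\systembiosversion") or p.endswith("\\videobiosversion"):
        return "anti-vm:bios-version"
    if p.endswith("\\software\\wine"):
        return "anti-vm:wine"
    if p.endswith("\\control panel\\international\\geo\\nation"):
        return "discovery:geo-nation"
    if p.endswith("\\control\\nls\\language"):
        return "discovery:system-language"
    if "\\currentversion\\run\\" in p and op.startswith("Set value"):
        return "persistence:run-key"
    if "\\centralprocessor\\" in p:
        return "discovery:cpu-info"
    return "other"


def parse_rows(text: str) -> list[dict]:
    """Return one record per row, in order, with its behaviour tag attached."""
    return [
        {"op": m["op"], "path": m["path"], "value": m["value"], "process": m["proc"],
         "tag": classify(m["op"], m["path"], m["value"])}
        for m in ROW_RE.finditer(text)
    ]


def summarize(rows: list[dict]) -> dict[str, Counter]:
    """Per-process count of each tag."""
    per_proc: dict[str, Counter] = defaultdict(Counter)
    for r in rows:
        per_proc[r["process"]][r["tag"]] += 1
    return dict(per_proc)


def flagged(summary: dict[str, Counter]) -> list[str]:
    """Processes that tampered with defences or installed persistence."""
    return sorted(p for p, tags in summary.items()
                  if any(t.startswith(("defense-evasion:", "persistence:")) for t in tags))


# Sample rows copied from the signature tables above (raw string: backslashes are literal).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 7d78082205.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 7d78082205.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 7d78082205.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation skotes.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d78082205.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008338001\\7d78082205.exe" skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
"""

if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for proc, tags in summary.items():
        print(proc, dict(tags))
    print("flagged:", flagged(summary))
```

The split between "key created" and "value set to 1" matters when reviewing a run: a process that only creates the policy key has prepared the ground, while one that sets DisableRealtimeMonitoring has actually tried to switch protection off.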
Kills process with taskkill 5 IoCs
Processes: taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe
pid process
3836 taskkill.exe
4584 taskkill.exe
4244 taskkill.exe
3676 taskkill.exe
1476 taskkill.exe
Modifies registry class 1 IoCs
Processes: firefox.exe
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe, 25e5cbb341.exe, f7666b316d.exe, a2ef14a8b3.exe, skotes.exe, 7d78082205.exe, skotes.exe, skotes.exe
pid process
1476 ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe (x2)
3576 skotes.exe (x2)
4112 25e5cbb341.exe (x2)
2944 f7666b316d.exe (x2)
628 a2ef14a8b3.exe (x2)
5648 skotes.exe (x2)
5840 7d78082205.exe (x2)
628 a2ef14a8b3.exe (x2)
5840 7d78082205.exe (x3)
872 skotes.exe (x2)
5940 skotes.exe (x2)
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes: taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, firefox.exe, 7d78082205.exe
description pid process
Token: SeDebugPrivilege 3836 taskkill.exe
Token: SeDebugPrivilege 4584 taskkill.exe
Token: SeDebugPrivilege 4244 taskkill.exe
Token: SeDebugPrivilege 3676 taskkill.exe
Token: SeDebugPrivilege 1476 taskkill.exe
Token: SeDebugPrivilege 3940 firefox.exe (x2)
Token: SeDebugPrivilege 5840 7d78082205.exe
Token: SeDebugPrivilege 3940 firefox.exe (x3)
Suspicious use of FindShellTrayWindow 31 IoCs
Processes: a2ef14a8b3.exe, firefox.exe
pid process
628 a2ef14a8b3.exe (x6)
3940 firefox.exe (x21)
628 a2ef14a8b3.exe (x4)
Suspicious use of SendNotifyMessage 30 IoCs
Processes: a2ef14a8b3.exe, firefox.exe
pid process
628 a2ef14a8b3.exe (x6)
3940 firefox.exe (x20)
628 a2ef14a8b3.exe (x4)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: firefox.exe
pid process
3940 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe, skotes.exe, a2ef14a8b3.exe, firefox.exe, firefox.exe
description pid process target process
PID 1476 wrote to memory of 3576 1476 ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe skotes.exe (x3)
PID 3576 wrote to memory of 4112 3576 skotes.exe 25e5cbb341.exe (x3)
PID 3576 wrote to memory of 2944 3576 skotes.exe f7666b316d.exe (x3)
PID 3576 wrote to memory of 628 3576 skotes.exe a2ef14a8b3.exe (x3)
PID 628 wrote to memory of 3836 628 a2ef14a8b3.exe taskkill.exe (x3)
PID 628 wrote to memory of 4584 628 a2ef14a8b3.exe taskkill.exe (x3)
PID 628 wrote to memory of 4244 628 a2ef14a8b3.exe taskkill.exe (x3)
PID 628 wrote to memory of 3676 628 a2ef14a8b3.exe taskkill.exe (x3)
PID 628 wrote to memory of 1476 628 a2ef14a8b3.exe taskkill.exe (x3)
PID 628 wrote to memory of 3268 628 a2ef14a8b3.exe firefox.exe (x2)
PID 3268 wrote to memory of 3940 3268 firefox.exe firefox.exe (x11)
PID 3940 wrote to memory of 2880 3940 firefox.exe firefox.exe (x24)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe (depth 1, PID 1476)
Command line: "C:\Users\Admin\AppData\Local\Temp\ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 2, PID 3576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1008335001\25e5cbb341.exe (depth 3, PID 4112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008335001\25e5cbb341.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1008336001\f7666b316d.exe (depth 3, PID 2944)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008336001\f7666b316d.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1008337001\a2ef14a8b3.exe (depth 3, PID 628)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008337001\a2ef14a8b3.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 3836)
      Command line: taskkill /F /IM firefox.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 4584)
      Command line: taskkill /F /IM chrome.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 4244)
      Command line: taskkill /F /IM msedge.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 3676)
      Command line: taskkill /F /IM opera.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 1476)
      Command line: taskkill /F /IM brave.exe /T
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      C:\Program Files\Mozilla Firefox\firefox.exe (depth 4, PID 3268)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (depth 5, PID 3940)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 2880)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8482859b-336b-4211-a12c-9f6641f538e8} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" gpu
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 3428)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5782bf52-b5ea-4972-a85c-832a2108c534} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" socket
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 4320)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 2684 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d413ced0-0b69-4799-92cf-3ae09b7f9250} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 3244)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3872 -childID 2 -isForBrowser -prefsHandle 3816 -prefMapHandle 3904 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9b1fba3-1491-452f-b1e9-f091b005b533} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 1956)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2852 -prefMapHandle 4612 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9274bc0-44f6-4efe-8926-2ae1346501d8} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" utility
          - Checks processor information in registry
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 5864)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8ade21-a61a-4559-8f3d-895b61d1c80c} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 5876)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {914bd90a-f802-4f27-a238-e0d14fa66585} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (depth 6, PID 5912)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3accee1d-e4be-425e-83fe-e6817ddc4d2d} 3940 "\\.\pipe\gecko-crash-server-pipe.3940" tab
    C:\Users\Admin\AppData\Local\Temp\1008338001\7d78082205.exe (depth 3, PID 5840)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1008338001\7d78082205.exe"
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1, PID 5648)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1, PID 872)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1, PID 5940)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
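The tree above shows a2ef14a8b3.exe (PID 628) force-terminating firefox.exe, chrome.exe, msedge.exe, opera.exe and brave.exe with taskkill /F /T, then starting Firefox with --kiosk, which hides the address bar and window chrome, on a youtube.com URL whose query string carries an accounts.google.com sign-in URL. The report does not state what that page shows the user; the sequence itself (every browser killed, one relaunched full-screen on a login page) is what a detection should key on, rather than the specific URL. The following is an added example, not part of this report: it correlates process-creation events by parent and alerts only when the same parent both kills a browser and launches one in kiosk mode. The event records are constructed from the tree above plus two benign controls, and the browser list, field names and tag wording are this example's own.

```python
"""Alert when one parent kills browsers and then relaunches a browser in kiosk mode.
Added example, not part of the report; events are constructed from the tree above."""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Browser images seen in this run; extend for your environment.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
KILL_RE = re.compile(r"\btaskkill\b.*?/IM\s+(\S+)", re.I)
KIOSK_RE = re.compile(r'--kiosk\s+(?:"([^"]+)"|(\S+))', re.I)
URL_RE = re.compile(r"https?://[^\s\"'&]+", re.I)

FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
A2EF = r"C:\Users\Admin\AppData\Local\Temp\1008337001\a2ef14a8b3.exe"
LURE = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"

# Constructed process-creation events: the relevant subtree from the report,
# plus a benign parent (PID 7000, hypothetical) that kills notepad and opens Firefox normally.
EVENTS = [
    {"pid": 628, "ppid": 3576, "image": A2EF, "cmdline": f'"{A2EF}"'},
    {"pid": 3836, "ppid": 628, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"pid": 4584, "ppid": 628, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"pid": 4244, "ppid": 628, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM msedge.exe /T"},
    {"pid": 3676, "ppid": 628, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM opera.exe /T"},
    {"pid": 1476, "ppid": 628, "image": r"C:\Windows\SysWOW64\taskkill.exe", "cmdline": "taskkill /F /IM brave.exe /T"},
    {"pid": 3268, "ppid": 628, "image": FF, "cmdline": f'"{FF}" --kiosk "{LURE}" --no-default-browser-check --disable-popup-blocking'},
    {"pid": 3940, "ppid": 3268, "image": FF, "cmdline": f'"{FF}" --kiosk {LURE} --no-default-browser-check --disable-popup-blocking'},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM notepad.exe"},
    {"pid": 7002, "ppid": 7000, "image": FF, "cmdline": f'"{FF}" https://www.mozilla.org/'},
]


def kiosk_url(cmdline: str) -> str | None:
    """The URL passed to --kiosk, quoted or not; None when the flag is absent."""
    m = KIOSK_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def nested_urls(url: str) -> list[str]:
    """URLs smuggled inside the query string or fragment of another URL."""
    s = urlsplit(url)
    return URL_RE.findall(unquote(s.query + " " + s.fragment))


def find_browser_lockout(events: list[dict]) -> list[dict]:
    """One alert per parent that both killed a browser and launched one in kiosk mode."""
    by_parent: dict[int, list[dict]] = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    images = {e["pid"]: e["image"] for e in events}

    alerts = []
    for ppid, children in by_parent.items():
        killed: set[str] = set()
        kiosks: list[str] = []
        for c in children:
            name = c["image"].rsplit("\\", 1)[-1].lower()
            if name == "taskkill.exe":
                m = KILL_RE.search(c["cmdline"])
                if m and m.group(1).lower() in BROWSERS:
                    killed.add(m.group(1).lower())
            elif name in BROWSERS:
                u = kiosk_url(c["cmdline"])
                if u:
                    kiosks.append(u)
        # Firefox re-spawning itself (PID 3268 -> 3940) carries --kiosk but kills nothing,
        # so requiring both halves under one parent keeps that out of the alert.
        if killed and kiosks:
            alerts.append({
                "parent_pid": ppid,
                "parent_image": images.get(ppid, "<unknown>"),
                "killed": sorted(killed),
                "kiosk_url": kiosks[0],
                "nested_urls": nested_urls(kiosks[0]),
            })
    return alerts


if __name__ == "__main__":
    for a in find_browser_lockout(EVENTS):
        print(a["parent_pid"], a["parent_image"], a["killed"], a["nested_urls"])
```

The nested_urls field is there for the analyst, not the rule: a lure that wraps a real sign-in URL inside a benign-looking host is worth a closer look, but the alert would still fire on a kiosk launch with no nested URL at all.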
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json
Filesize 28KB
MD5 cb4a4af6c1da7e962dc338f0b73a8f3b
SHA1 ee2ce480248cedbf25a69172ee3d5a553ae871e8
SHA256 2f9d7267a52b89279106d95f2bac86db96fbf9bc5d9c6c7232665a2fdaa1297a
SHA512 228d0a3913d1f6055b335bf35f652ebd7a7bc9a13b0ad7e3853085d951f840903a4f905606ac133043913a272e4890d00d1744f93ec653b6d33a6122ff9e8a8e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize 13KB
MD5 38fce9c34ae1dc081df2dbdf3516a053
SHA1 cac6cfb8dff8db3a239f6ad2f6d2c7a5f85b3f7e
SHA256 b634c905b6f56a0b8515da80be68058d644d281652cb076e8736b2c0dc34dfba
SHA512 bddd027f4d640ca87c89a472a9c999330d2f77bea2d6cf5a0140da6e9074e323e9da7abf9cde2f906eba318d08b002df52972266848b3a403790d9c9ddf674bd

Filesize 1.8MB
MD5 3fd8fbf9d0d8926b7accf16c4926e8d5
SHA1 ee55c5ca14d44195cc01a8096a34d7a65f99e48f
SHA256 2b479995dd51e8fe91a803ad304efe336588ca5ef5cd43f87cecb04af9bd7358
SHA512 da0ecc60bb83d69bf71b7cb2fb3844369fecbcb21ef7eee98aea37f6dfe68899782c98eff90fab85338240c2b1c0ea6aacadb22c732bc5fe20a9589f600284d4

Filesize 1.7MB
MD5 dfb6af33800aab569fd4dd7a73da61b5
SHA1 8d3e452a836ea93963fa01e4c74a4be70709cf2a
SHA256 20144301e57eefe989e898adb603a138cd92badd5c238236d21028f99ee99780
SHA512 9774a70182d8133e5241984aee29a55f673c447ad71507f8915c3e7b63fb2a2ee7fe47c2289e51501a2aaf17fa84a4e973c01e2a94701a725163b90cd43c1440

Filesize 900KB
MD5 8eb4ec0df45ae7c7fba0f660615f7bf5
SHA1 d4442af8c569012800bbfdf22b9885cb1073c496
SHA256 e5fca9f7d4e548dcefb305cca3a69ead145c2917e56e2016099eeaba2117ff32
SHA512 ba9d7444295c9277c628447b8ac5d05c1993f12ada11af1c5583ef5ba7d6231048a2a984a6c74597010db61dc520065be6831df3bbf56622de90c4df9dbb860e

Filesize 2.7MB
MD5 f415a54b4baeea41fbfcd1bc42be393a
SHA1 fb3a6737319bba6bad65963f37b2ddaaae91c7ae
SHA256 7174a7e1e24698f51fb1d56c57f187d2e3fd659eae980a8b335090db8c6f5683
SHA512 68172bc005ca512aad5868cea5659ecffcd2992d1185e7d5811ed95315a33d5fb12b87d203bd95fda7457e577dc1933d2b425a925f051d6e26fba9752f41c609

Filesize 1.8MB
MD5 60f886c3617266309ac54c0775b86a1e
SHA1 41f813ff0d3455bd4edc34770c6b96066a35ad8c
SHA256 ff7b32c4800fb94bfd1cd6b2380b85009a9655a4f7018d117e3285f9d5b2986f
SHA512 658b6db64dc96a1212fec4bda02beaeb0a41a29c5fb89a854a15999ba0e632754a9fa5ab647084dec78b6d757318d6a7917c19e7e3ef1cc66789d02e6bf4e097

Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize 8KB
MD5 d3d7b28ba029d01bed02a3a168fdf115
SHA1 80e5bfbab0e605b1240df96a0c0effca17db9d08
SHA256 32949007371e188419cffdd43fe3c267a4586f31780b2ebbd478f813acf0078b
SHA512 4509bb28a30f2327b84c465af38f0f98dddd7950f637334525dc91642bf27ec38d3669faa39468769221133a70c262cef6f30ccc644db07637d2ba33cd9373d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize 12KB
MD5 35269fb754f012649f0caa242d7ad311
SHA1 ae640bf227dc62488ff2b2e8333b9db38306e753
SHA256 c7a2414800c8a15240eea95fedfdfca3a82c74b0a3a861743df14cd6231c8895
SHA512 31d7bdac9df368c51afe88ddbf7f9bd3d11b836a59df3594dc4eb6ef4d5b12743851c0d577770b4a138553dade22e8a59036a632b48a0a965bfc36bc78bc9b21

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize 6KB
MD5 f358a6c9e712a371db9c91e08eedbe1e
SHA1 7ba4e09604532d829480da3acd604df439a4e873
SHA256 5a87934be2413f54e1892f3884d5b9567b08229a3e2215ff64571d5ee244c169
SHA512 b6dfedaac97c5e4a212e22a8d547db5a36b8cb52fa45833f72496cccfa4c18477c23254cdbb2041ae969323d274b1e463814fe53fe8b2c339a9bbed554f25d86

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize 21KB
MD5 dedbe3c38972ed4c6f3c3c6c9e705645
SHA1 ba4bfb457da2736faf6dd2fef8111a46ca154bbc
SHA256 18996ffe00666efb5ae944ce2678f610206b500fd6549105feff56cd2c1914b7
SHA512 abb0a2fd7f4b0affe96ef282e0e293f48ce55ac3e64f57b1dec5ca614cb13752397f9d1321ac9902d990d755aa155bdb26e2dac3d902e586da201e4e15a7e22d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5677324ae24b3955dd24ca9ee025579e3
SHA161cbc5f411f7c409a86811a6299e8093ff3b499e
SHA256c60527424f5d7fa422db037a7a2f8b4c090cb5b7284475d3fcb1aa4b1d6d5871
SHA512bac83c3c0f0e1f4d2a46ef5cb8b0ada274b2f0afb4a4b8f9f56cd4963a9e9b5494bd372f4bcd4cc262da916acffbd8486ac6b91da053f8b3af5ec804f07e6608
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD5a478ef76afc41f567f75d2a1a4e49ca5
SHA1e5a2a321ce85ef62ade27830874560eaac168858
SHA25666a9885ca14620a42df673a70a11b6eec73a174fe45c9d784c848ca1e07cf09e
SHA512241947fb3bae7ed28000c720609e73b67968dcee3e8d93d39ccd4cc1fff13b5bbb631c1fcc4c61768cd984c42655eb76ffc7496855ec9b348810a1246c25f926
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD58052ab79daf533217ec7cedabbabbe20
SHA161576496cab85e8d93672235c03bfb0b19b4c6ca
SHA2568849822510b356888f2ca082a4a6a4708166a9bb74324f1e1e88ff9949202472
SHA512790aca67ed1d3c661a29dfb11f6b1c282284a16c954a2562370973ab0742504a766671f4e0aa9a86eaeb480967814a3592b77481deeba7853d5772a9087dbc52
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\3948a2d9-486c-4b12-9d79-49f92347ba30
Filesize982B
MD581882388d865960c5ad2a8dea9c5fec7
SHA14e248fb2ad0446f32e3db100e9b76126070275fd
SHA25671f385090c9869f95fc6403271a6f89daadf46fa1a4b93893df06a7e9a3fc1d8
SHA5121a19dbd7bc6e625ef6e4e4d9c7a221540b6b6bdd9bf129093ac3efb98fdc72553b946c926a07a032b2805bc9199edb9a90c57212ddc54b945917549c9e8e1d13
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\d0db97e5-3eb2-4a30-92fb-aee1d7718de3
Filesize659B
MD5d37e1d181abb6b0b007d812cd43b4f8c
SHA16cbb24f477fff033c8ebd874bb3c1fea6ff6933a
SHA25698369298e6995c3154bfe9c5b856bd13d486dc700e661ffabf9326fd64f0cf42
SHA512c09c550693a5e927f036baa3f65dfe1e92e3ee85d7295e59b96d21e55950cc8e239f3d0cb9dd5dc273181776a3e9a150edf225270d7a848da862e67e87602c29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD547167cbd5e64cd16f60c2a33b7200fd8
SHA1b4bb1172961c3285ecff1522fccb26a6b1801321
SHA2563658db7937056205a4f9a810a82daf5bdb05741db5aa55cae404b2731c71c472
SHA512bb7c1dfd2d4f3badcbfc37bc2a1a06c63051b649a46210e7c877c96d07b02b563eead40f6cbc9c464c402688de6ef5b79cc3419090b7c8c140061f5d5548b90f
-
Filesize
15KB
MD598bbc39cab6ae460193ede8feae1c65d
SHA105ca4856f9e8fffa6c26f99abb18ab15c0fc866c
SHA256a226bfc2aba5d2d45d33c62eeae09b5c1a77b2a7caf37c6ec9ab7e6b1cda493e
SHA5120b7c35896cb1d5749317221cacb6658a508527fdcf50a70e9156494e4dfbd9538e67796a32fbf5ebf76de444173a96ffbb5f774afb5935d7726612ecea05ac2d
-
Filesize
10KB
MD5d365e57eadca42cee0c9facc88783bc6
SHA15927a61de79c2b95436042b34b9bfcf043ecfe91
SHA256e6c4ba1311d5636aaf35eb4be5483c6432ec3bb650d43246552cf0e66db86f63
SHA5128252c5964619e664e6639a08e7bd4d0b1f163dbdeadac1d5be9e7edb3a6af166e492d160a677d70517914bbe3e26fb40694b72699f5a88444aa5c9172d2534d5