Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2024, 04:33
Static task: static1
Behavioral task: behavioral1
Sample: fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Resource: win7-20241010-en
General
Target: fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Size: 1.9MB
MD5: 1d099b65adf02d90cd070609d81c4645
SHA1: 09ca587448659c3c82d554c95566aabb08e9b7b7
SHA256: fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017
SHA512: 8e7b3f363a211c3fe1458f1f06d7008657bd4f12075d84a0b2e6a951bbe975790882bf9076b7656eb9255d2cb1227166505e1aad0391e71d1bdf052307e5ffcd
SSDEEP: 49152:WMvTxUiExrAt/Tn+8KWf5xu0zlxM8vcNPiIYR:LtUiEFA/TT1uOM8Utm
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted
Family: lumma
Extracted
Family: stealc
Botnet: drum
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php
Signatures
Amadey family
Lumma family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 61d6d2dbbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 61d6d2dbbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 61d6d2dbbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 61d6d2dbbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 61d6d2dbbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 61d6d2dbbb.exe
Stealc family
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 92a5b20d59.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dea35c4947.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c62d3d0c68.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rhnew.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6115dab31e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 61d6d2dbbb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 92a5b20d59.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6115dab31e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rhnew.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 61d6d2dbbb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c62d3d0c68.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 61d6d2dbbb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 92a5b20d59.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rhnew.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dea35c4947.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dea35c4947.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c62d3d0c68.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6115dab31e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 92a5b20d59.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 11 IoCs
pid | Process
4460 | skotes.exe
4012 | rhnew.exe
3992 | dea35c4947.exe
1360 | c62d3d0c68.exe
804 | 6115dab31e.exe
4420 | 8b0846ce95.exe
4384 | skotes.exe
2996 | 61d6d2dbbb.exe
5800 | 92a5b20d59.exe
4652 | skotes.exe
3880 | skotes.exe
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | rhnew.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | dea35c4947.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | c62d3d0c68.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 61d6d2dbbb.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 6115dab31e.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 92a5b20d59.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 61d6d2dbbb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 61d6d2dbbb.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c62d3d0c68.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012248001\\c62d3d0c68.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6115dab31e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012249001\\6115dab31e.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b0846ce95.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012250001\\8b0846ce95.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\61d6d2dbbb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012251001\\61d6d2dbbb.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0007000000023cb3-114.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
pid | Process
2156 | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
4460 | skotes.exe
4012 | rhnew.exe
3992 | dea35c4947.exe
1360 | c62d3d0c68.exe
804 | 6115dab31e.exe
4384 | skotes.exe
2996 | 61d6d2dbbb.exe
5800 | 92a5b20d59.exe
4652 | skotes.exe
3880 | skotes.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4892 | 1360 | WerFault.exe | 93
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c62d3d0c68.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6115dab31e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8b0846ce95.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 8b0846ce95.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rhnew.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dea35c4947.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 8b0846ce95.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 61d6d2dbbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 92a5b20d59.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Kills process with taskkill 5 IoCs
pid | Process
4184 | taskkill.exe
3016 | taskkill.exe
3724 | taskkill.exe
3700 | taskkill.exe
4156 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
2156 | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe (x2)
4460 | skotes.exe (x2)
4012 | rhnew.exe (x2)
3992 | dea35c4947.exe (x2)
1360 | c62d3d0c68.exe (x2)
804 | 6115dab31e.exe (x2)
4420 | 8b0846ce95.exe (x2)
4384 | skotes.exe (x2)
2996 | 61d6d2dbbb.exe (x2)
4420 | 8b0846ce95.exe (x2)
2996 | 61d6d2dbbb.exe (x3)
5800 | 92a5b20d59.exe (x10)
4652 | skotes.exe (x2)
3880 | skotes.exe (x2)
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4156 | taskkill.exe
Token: SeDebugPrivilege | 4184 | taskkill.exe
Token: SeDebugPrivilege | 3016 | taskkill.exe
Token: SeDebugPrivilege | 3724 | taskkill.exe
Token: SeDebugPrivilege | 3700 | taskkill.exe
Token: SeDebugPrivilege | 4736 | firefox.exe
Token: SeDebugPrivilege | 4736 | firefox.exe
Token: SeDebugPrivilege | 2996 | 61d6d2dbbb.exe
Token: SeDebugPrivilege | 4736 | firefox.exe
Token: SeDebugPrivilege | 4736 | firefox.exe
Token: SeDebugPrivilege | 4736 | firefox.exe
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
2156 | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
4420 | 8b0846ce95.exe (x8)
4736 | firefox.exe (x21)
4420 | 8b0846ce95.exe (x3)
Suspicious use of SendNotifyMessage 31 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
4420 | 8b0846ce95.exe (x8)
4736 | firefox.exe (x20)
4420 | 8b0846ce95.exe (x3)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4736 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, count in parentheses)
PID 2156 wrote to memory of 4460 | 2156 | fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe | 82 (x3)
PID 4460 wrote to memory of 4012 | 4460 | skotes.exe | 84 (x3)
PID 4460 wrote to memory of 3992 | 4460 | skotes.exe | 86 (x3)
PID 4460 wrote to memory of 1360 | 4460 | skotes.exe | 93 (x3)
PID 4460 wrote to memory of 804 | 4460 | skotes.exe | 100 (x3)
PID 4460 wrote to memory of 4420 | 4460 | skotes.exe | 107 (x3)
PID 4420 wrote to memory of 4156 | 4420 | 8b0846ce95.exe | 109 (x3)
PID 4420 wrote to memory of 4184 | 4420 | 8b0846ce95.exe | 111 (x3)
PID 4420 wrote to memory of 3016 | 4420 | 8b0846ce95.exe | 114 (x3)
PID 4420 wrote to memory of 3724 | 4420 | 8b0846ce95.exe | 116 (x3)
PID 4420 wrote to memory of 3700 | 4420 | 8b0846ce95.exe | 118 (x3)
PID 4420 wrote to memory of 3880 | 4420 | 8b0846ce95.exe | 120 (x2)
PID 3880 wrote to memory of 4736 | 3880 | firefox.exe | 121 (x11)
PID 4736 wrote to memory of 4288 | 4736 | firefox.exe | 122 (x18)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017.exe"
  PID: 2156
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    PID: 4460
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1012246001\rhnew.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012246001\rhnew.exe"
      PID: 4012
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1012247001\dea35c4947.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012247001\dea35c4947.exe"
      PID: 3992
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1012248001\c62d3d0c68.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012248001\c62d3d0c68.exe"
      PID: 1360
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1488
        PID: 4892
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\1012249001\6115dab31e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012249001\6115dab31e.exe"
      PID: 804
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1012250001\8b0846ce95.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012250001\8b0846ce95.exe"
      PID: 4420
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM firefox.exe /T
        PID: 4156
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM chrome.exe /T
        PID: 4184
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM msedge.exe /T
        PID: 3016
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM opera.exe /T
        PID: 3724
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM brave.exe /T
        PID: 3700
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        PID: 3880
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          PID: 4736
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {daa4412c-3432-409e-88ab-97fa591def40} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" gpu
            PID: 4288
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6762ef37-05e8-4c4a-af7d-716ae29c4323} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" socket
            PID: 4852
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3340 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a208ae91-c0b9-4f2f-9916-2923f2ba0c3c} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" tab
            PID: 4324
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4004 -childID 2 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90512521-b1d4-4e35-aa5b-2faea0265a7b} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" tab
            PID: 4592
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4608 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4596 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dffe8983-1573-4690-a40e-910e246b0bf5} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" utility
            PID: 5488
            - Checks processor information in registry
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5340 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14738883-db87-4711-af4f-12bf78d1a50a} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" tab
            PID: 2408
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a48323-ed24-4828-a92b-5401d1396064} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" tab
            PID: 4672
          C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 5 -isForBrowser -prefsHandle 5796 -prefMapHandle 5792 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ee4596-ab56-4e87-866c-28e5dcbbaa6f} 4736 "\\.\pipe\gecko-crash-server-pipe.4736" tab
            PID: 60
    C:\Users\Admin\AppData\Local\Temp\1012251001\61d6d2dbbb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012251001\61d6d2dbbb.exe"
      PID: 2996
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\1012252001\92a5b20d59.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012252001\92a5b20d59.exe"
      PID: 5800
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1360 -ip 1360
  PID: 5032
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1360 -ip 1360
  PID: 1464
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  PID: 4384
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  PID: 4652
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  PID: 3880
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (3)
Downloads
Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize: 13KB
MD5: 31710bf2f341f131f3bec254951c4bed
SHA1: 12758431c617fde4c5dbbfa4d439be2d3f5b2b26
SHA256: 0bdb3be0e49dd86c110c1cf59a3af964194964134a5eb903621193c317f38f1c
SHA512: 7dbed2fdd0793f29b56f729aff5679d11a4f35a5dceb7cd70486ac2150e705ec3e42aa0c610f7d88da9883028973c871ad8d663de6590ebed6568ee8d7d0d9b7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Filesize: 1.8MB
MD5: f7286fef9317fe91e24cda721ec0be81
SHA1: 0e0197c0f87200f7c1ebb4bba314f7bb875a638c
SHA256: 4dcf1cc20990dace1f3e7c5a4b94ea7b823f90eb6de639b2b1b6494838f1cc62
SHA512: 314b3f5cf1a0c15db568d33647b97887b37e987ba253ee9f5ded045446328307ebd04acd832fbdf66ad29be9510bd0c378e2fcb889509dca84df9b9106602c6e

Filesize: 1.9MB
MD5: d1381747e84a8da71142388f0dc803c7
SHA1: f60380e4addeb9500e85a52b905f940fc2294d74
SHA256: 21dc740db5d2a51343530deaf4859d811ef3dbecbb7bb8394a5fb6355e7a852c
SHA512: 3c25a6cd672e1418fb892c884d54390d590624d71fe9fa2d984f1c9bc490d8c0a87a8fe3c1dbc80ca69d6f580892a48e280c870acede4faefb8e6a0fbf30d643

Filesize: 1.8MB
MD5: bed364cb0937fcdbb874627bde6ad8dd
SHA1: 281dd9624caf2c87e41637884150391707d73693
SHA256: ea832cab882dda2cc9aec976e771bec32d0e15f487ead5ea5e21d195f86c1da7
SHA512: 73f7c79a111933dc8ff9553afea2a6f55b5d58bd3aa2cd21af4fcfcc82f129e6a1b295ffc41ce5e856c4a2ccb4df9606a620ed11dbe4ff0b03a2b45dd00cb2f4

Filesize: 1.8MB
MD5: 5ccd46f6a473f56b92cff77201317095
SHA1: ca3b4a252afb80921489868d7b65abf1cc8dfcb7
SHA256: 4d1f539ad816513c6a400b03c0ff5ce8b17747d206d0bae230d6713fa7e862f9
SHA512: a20f3c29053b95f7245fb9065d40f279ae9c79b9d1f97b1a36fdb65e104ec413fe759b4d166b43eb984b4f7658bd45a49dcd090fbc1a93adfbdb162e585ef01e

Filesize: 947KB
MD5: 8b5839d153dfb91a33c1e7628c401b0c
SHA1: 4dc6570f39257bfd25c70d0ddbbb6800d68fc13b
SHA256: d3b0643473beddad447891ff741057fc9e14cbc51288c6c7641823889ca1024b
SHA512: 37a898576c5bd53f7666f0bc6682ada18d53bcb38095246e394bdd3a2d060507ea77f8d7c58533ec76e6d1f09267be8a6ee6dbcf5ec58cf28d916c07f0016092

Filesize: 2.6MB
MD5: d2bdd1734aa401a426d5fa082a01ac1b
SHA1f13a039297dd0836579cad81e22c6884027a089b
SHA256d8cb209bc2aeb8c397c067af18b2c67f551be2f7f86e502a443b8734366eaa34
SHA5124d79348e196b2ba356230d1fb144d7ad28dba8197f83b0401ea18db9dea2c21717bdeaaa2e8c0d2ed882379463d69f58be734a49c55139830bf2c4ed05c8a10e
-
Filesize
4.2MB
MD5e93c5f56c3eb85ea13429c5f631abbcb
SHA1a2e3646cf1d680184765e257882457c63ff848e2
SHA25680b77c9eb6dcf6dc2a80196125fd25ed50438cdba14056a6651a394c3ca39b9c
SHA51267e17aada73f4114b81aa46841915e800a89ab34ba748280bcb68196c11aa90a4924432ec758f9c8f9c0150478e5390a7d661977b94f0b8f1911fa910fb9c5bd
-
Filesize
1.9MB
MD51d099b65adf02d90cd070609d81c4645
SHA109ca587448659c3c82d554c95566aabb08e9b7b7
SHA256fd67199fb1699925fba2c7d4d7e1c434946175d5b462dbb947bd81ecec95b017
SHA5128e7b3f363a211c3fe1458f1f06d7008657bd4f12075d84a0b2e6a951bbe975790882bf9076b7656eb9255d2cb1227166505e1aad0391e71d1bdf052307e5ffcd
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize6KB
MD554b3db1bcfd2ee858f93d50b19226678
SHA1aa276d5fe1da2f81db5f103b115a1e8a68aea1d2
SHA25627c3dbec1eaa42eb99b6de5093a41bfaa02022de193929c9ab43b297fa531276
SHA512dde52519ee3ad2fb4aa4d63e8535e08b575669512b15c7b95b7b9374b410bd9fd34b198ecdbce7a6662f723f1e95747a08f0b340d1ee1070991b7d60c1fb6cf0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize7KB
MD5237479e15b88ee6cc3b8c7be569b2726
SHA1a01532fa7ef3b03baad503ab686fbda6e0efb846
SHA2569b9e0b4f60584a67fb5862a019c89d623f1e6fb65b0e0faa6c9ea2155574a3a0
SHA512f935a68d9b07e14004307570dfc9a91318c9f71051fb0edb6442468e580606d0b1e0c8c324cd8a3eb391ccd6e2a2c7ce19db5788653a26c27d4ba955785f5c09
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize10KB
MD5f83feaadcfa4b31422cda8922dfddfc9
SHA189178895c0e1f96de9472c164551ee607d81f3fe
SHA25647e012f8a07c00f59727c9bffd6bf21f71017c90d7a42071e0ffd728f0af1384
SHA5129abb79daafb9796172d790b94694b0724d4997bcda96a3cba8f8211d30aaead7a0c4aac17d3f727cdca3702e7dcea3a77bc9db6dcbcbb990dc83b3abae496a97
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD525ae20891dcfe16636be8f452ccae405
SHA17955e482dbf8bd2177d7d03aa9b9b225345dad9e
SHA256068d6fc8e7a8ee0eab062dbeea7a1383faa90cf9731d6c74586a45c2aefb3433
SHA512d52b4bf6ed153e19bb574d0757783d5bf1dc08bb19ade3afb06b1ff7d91a604106523759b3afedcbdfed635148ad50ab26b6e6808d751ff09afdf79f483f52d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5fc91f1f5bec07bcf7088582f2bc0f629
SHA1f451a43334bb75847d7fe5af11495ba76e4a5a4c
SHA256c33a0a49c0208abcd1d4a283d51741e2748b0b2eb9de37f951b4db6b684bef84
SHA512fd7991f90a5ad892dbdc09f7220dedc7a36a7ea93d3e0f392933c851afd5dc6ca079a45ea878390d128c8b4f23b767fb72859d24a72959f9941187377eee0ee3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5fd2e8823fe1ed4d8983eca8bc79ab715
SHA14c4c07d59e30040f55b50285a988c8b5eaf721dc
SHA256b7e83ba14f805e085e1431683a7ff0c8f7a20fdc7ccbf7430de81bb2ad12afe3
SHA512517d9c805b901acf260d67bffa36c70c56fb74fd1d4245cb0149e90092416ce84fdbe6312c9515ff8aef9e217c097ab4bed75fdbffdf99a069e350eb4c814b08
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD595c6ef00f7848ba676b1d0c8da1c2faf
SHA1f0e06e65dff9492ad00e207e3373b23d7f81c6a8
SHA256ba9664a417afa80922ec74b96ea2a3943a63739f6ed6f8f744752563b45dfaab
SHA5122ccaba8bfa08a24ba0215c3f31f6915bcdec3a8038dd23ce28561957c8d421967a8e0bc2a8d106ca6fbf73c8c23c20823be4243864f63c1959b81298ee1a9ffd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\2428b26e-a609-4156-80f8-ca6d5f15cb85
Filesize671B
MD5f1b778222a60468f4e93aeca90e319c9
SHA173b69615e11a3d2281ef38103c79b9d5c618bc72
SHA2564b9fa82227fd8b6eac4e2a082d68389ef03d9b7c8f6902ed48bee50009351d04
SHA5123fcc6f387d44903902429d6f47c48731586800b8d0a3a39918d1a3ae42087d8a2e3ef87951a61bb62f11dcf601c8cc456bc6c7e8d4c60a8945ba53a04e01c06b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\4f020011-c2ba-4f9b-a5d9-dc1b8410c8d9
Filesize982B
MD5d72111c1ac986804fb0bb530e18e0bf6
SHA16d8c0daa78dd7eefb11c607cd55940e8deec3d8a
SHA25624482c6c282ae57371bacfcdcbe2f9bf0f714d93275118f9b39b940c062ceb40
SHA512aa09a484fd31d59f573484f93ad930ecc6a73c8f9f7c278f95baed7fbccfeff9df9f811e28a42c04ddfe7d6159523830119bdfa7de54a78c1fae8b3f7bb4bb53
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\7e71b437-7fe7-4c7e-a2b1-a26a391104bb
Filesize25KB
MD553a8d5a2f5c126de78bf07bc7f9ef93e
SHA14d16394f5ed005bb798123e853439fec1d7ea823
SHA2561e1951be19169b09d5cea0a84ffa50f960b04ba015c89b73acf3fd8d69f835cc
SHA512a2a0ef22977dd93d3ea088ea99202ac753196d4efad5d51d79f9ceb86dd7a90e7efce6bc627525b6e668fc2c41052b5984b3dc5434a12cab0e9d6aa8c0ea450f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD554e38de11cdb39a47476ee2da7c1ae65
SHA1557448b1fec78d27aa047d78add7724b18321578
SHA256eacad9aacf41a5bdccee1a9b8401a8a021f11793d90ba37ebceb67804b064403
SHA512f3c4e8e3a2de6a8e4997f235a2fc7c8d73c88baed0166bdbf89d603e19a1f3c07bed7ff32274e0776b763caac381272402be78a0ddc14639c6637a4886b684d9
-
Filesize
11KB
MD5451ef28a0aa57398aee19641f4a4661a
SHA18624b8e417cde8d19b9cab75a9a4f0f60018367b
SHA256b5200929660606761dc3137dc4dc98b78dee9b18e5151570c4639e5884a0d145
SHA51294d59f61b7e566e82a5a494f212b18b4ffb41f31eb3068922c4e969e0582aadc69418fcb94f6b7a1caa968eafa6f0fa4509474d4b3447735fe14e7e9288d6d4c
-
Filesize
15KB
MD560e7ea7a08d28964b8477c883dc7f107
SHA18cc2a49b86c6544a6a43fe57082ac2a6b84b9ef3
SHA256e2cb21dbf7692937b4a68f31eb2392785aae6facc2c968c478876185fc7debfb
SHA51208a442414492557d2d91933c350dad66b9043b6318757aed0e8de714b21ac25a26393e9ad3e1bb5da36167cb702cb5744f09f5fa9e33e564d326c92f473c5f1f
-
Filesize
11KB
MD5281e1b4cc0eee39fc6f593427e385831
SHA1fa5999b2071e72bbad0477c014765444591e85cb
SHA256cd4c259d6369e9b49d950f6a6a259722a3b7d0880257f9126c4a97409a1ec587
SHA51275e4b8123fb2902bfb2be96e8f2f8832c37c52106a67347dc797c48f46a6f64fbfd206aac699d7affb34548aa4db78c4b79e9b8353cbf5b4a45f432d8356095e