Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/12/2024, 02:44
Static task
static1
Behavioral task
behavioral1
Sample
553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe
Resource
win7-20240903-en
General
-
Target
553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe
-
Size
1.8MB
-
MD5
a93b02d857db3b12c32bd765b83825ab
-
SHA1
137f12047a081e6581e1d1a83c939d98514c3ff3
-
SHA256
553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa
-
SHA512
aab2bfd4090c77b87784d0110f5ee2dd24554fada9bdf9c2e8e08ff01a9025f5d8a7dfa2d4b89bf35cb037c162292a04f1084b87727b1bd201a9b5ab1b367bcd
-
SSDEEP
49152:3jRwzOUOxqpHXV7ehRYo/cpkFt80BZ2QV7aGyC:3j+pOkJXV7Nqckm
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://dwell-exclaim.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
https://atten-supporse.biz/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" d1c290569c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" d1c290569c.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection d1c290569c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" d1c290569c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" d1c290569c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" d1c290569c.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a1a87daef8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f1b7692d24.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d1c290569c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BY5BeYh.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a1a87daef8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f1b7692d24.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BY5BeYh.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d1c290569c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a1a87daef8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d1c290569c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BY5BeYh.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f1b7692d24.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 9 IoCs
pid Process 2376 skotes.exe 3088 BY5BeYh.exe 4520 skotes.exe 5004 a1a87daef8.exe 5076 f1b7692d24.exe 4600 e5bf9c9261.exe 2028 d1c290569c.exe 2880 skotes.exe 5288 skotes.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine a1a87daef8.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine d1c290569c.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine BY5BeYh.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine f1b7692d24.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features d1c290569c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" d1c290569c.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e5bf9c9261.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012853001\\e5bf9c9261.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d1c290569c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012854001\\d1c290569c.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1a87daef8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012851001\\a1a87daef8.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1b7692d24.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012852001\\f1b7692d24.exe" skotes.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0009000000023cb5-88.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 4580 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe 2376 skotes.exe 3088 BY5BeYh.exe 4520 skotes.exe 5004 a1a87daef8.exe 5076 f1b7692d24.exe 2028 d1c290569c.exe 2880 skotes.exe 5288 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
pid pid_target Process procid_target 4044 3088 WerFault.exe 87 3848 3088 WerFault.exe 87 4912 5004 WerFault.exe 101 1376 5004 WerFault.exe 101 2780 5004 WerFault.exe 101 -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage e5bf9c9261.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1c290569c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1a87daef8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f1b7692d24.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e5bf9c9261.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BY5BeYh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language e5bf9c9261.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 4808 taskkill.exe 2388 taskkill.exe 1872 taskkill.exe 836 taskkill.exe 1848 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 4580 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe 4580 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe 2376 skotes.exe 2376 skotes.exe 3088 BY5BeYh.exe 3088 BY5BeYh.exe 4520 skotes.exe 4520 skotes.exe 5004 a1a87daef8.exe 5004 a1a87daef8.exe 5076 f1b7692d24.exe 5076 f1b7692d24.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 2028 d1c290569c.exe 2028 d1c290569c.exe 2028 d1c290569c.exe 2028 d1c290569c.exe 2028 d1c290569c.exe 2880 skotes.exe 2880 skotes.exe 5288 skotes.exe 5288 skotes.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 4808 taskkill.exe Token: SeDebugPrivilege 2388 taskkill.exe Token: SeDebugPrivilege 1872 taskkill.exe Token: SeDebugPrivilege 836 taskkill.exe Token: SeDebugPrivilege 1848 taskkill.exe Token: SeDebugPrivilege 692 firefox.exe Token: SeDebugPrivilege 692 firefox.exe Token: SeDebugPrivilege 2028 d1c290569c.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 4580 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 4600 e5bf9c9261.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 4600 e5bf9c9261.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 692 firefox.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe 4600 e5bf9c9261.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 692 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4580 wrote to memory of 2376 4580 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe 83 PID 4580 wrote to memory of 2376 4580 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe 83 PID 4580 wrote to memory of 2376 4580 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe 83 PID 2376 wrote to memory of 3088 2376 skotes.exe 87 PID 2376 wrote to memory of 3088 2376 skotes.exe 87 PID 2376 wrote to memory of 3088 2376 skotes.exe 87 PID 2376 wrote to memory of 5004 2376 skotes.exe 101 PID 2376 wrote to memory of 5004 2376 skotes.exe 101 PID 2376 wrote to memory of 5004 2376 skotes.exe 101 PID 2376 wrote to memory of 5076 2376 skotes.exe 113 PID 2376 wrote to memory of 5076 2376 skotes.exe 113 PID 2376 wrote to memory of 5076 2376 skotes.exe 113 PID 2376 wrote to memory of 4600 2376 skotes.exe 114 PID 2376 wrote to memory of 4600 2376 skotes.exe 114 PID 2376 wrote to memory of 4600 2376 skotes.exe 114 PID 4600 wrote to memory of 4808 4600 e5bf9c9261.exe 116 PID 4600 wrote to memory of 4808 4600 e5bf9c9261.exe 116 PID 4600 wrote to memory of 4808 4600 e5bf9c9261.exe 116 PID 4600 wrote to memory of 2388 4600 e5bf9c9261.exe 119 PID 4600 wrote to memory of 2388 4600 e5bf9c9261.exe 119 PID 4600 wrote to memory of 2388 4600 e5bf9c9261.exe 119 PID 4600 wrote to memory of 1872 4600 e5bf9c9261.exe 121 PID 4600 wrote to memory of 1872 4600 e5bf9c9261.exe 121 PID 4600 wrote to memory of 1872 4600 e5bf9c9261.exe 121 PID 4600 wrote to memory of 836 4600 e5bf9c9261.exe 123 PID 4600 wrote to memory of 836 4600 e5bf9c9261.exe 123 PID 4600 wrote to memory of 836 4600 e5bf9c9261.exe 123 PID 4600 wrote to memory of 1848 4600 e5bf9c9261.exe 125 PID 4600 wrote to memory of 1848 4600 e5bf9c9261.exe 125 PID 4600 wrote to memory of 1848 4600 e5bf9c9261.exe 125 PID 4600 wrote to memory of 3936 4600 e5bf9c9261.exe 127 PID 4600 wrote to memory of 3936 4600 e5bf9c9261.exe 127 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 3936 wrote to memory of 692 3936 firefox.exe 128 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 PID 692 wrote to memory of 3900 692 firefox.exe 129 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe"C:\Users\Admin\AppData\Local\Temp\553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"C:\Users\Admin\AppData\Local\Temp\1012713001\BY5BeYh.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3088 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 14964⤵
- Program crash
PID:4044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 15124⤵
- Program crash
PID:3848
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012851001\a1a87daef8.exe"C:\Users\Admin\AppData\Local\Temp\1012851001\a1a87daef8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 14884⤵
- Program crash
PID:4912
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 15084⤵
- Program crash
PID:1376
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 15084⤵
- Program crash
PID:2780
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012852001\f1b7692d24.exe"C:\Users\Admin\AppData\Local\Temp\1012852001\f1b7692d24.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5076
-
-
C:\Users\Admin\AppData\Local\Temp\1012853001\e5bf9c9261.exe"C:\Users\Admin\AppData\Local\Temp\1012853001\e5bf9c9261.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae20a059-3b10-4919-80c3-1ad0ac5a263b} 692 "\\.\pipe\gecko-crash-server-pipe.692" gpu6⤵PID:3900
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e1acb88-2bf2-4aa4-a178-3dd91f099b00} 692 "\\.\pipe\gecko-crash-server-pipe.692" socket6⤵PID:4264
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e76aabf-ee00-4744-a44d-a99f2661dc12} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab6⤵PID:2852
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3900 -childID 2 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37498fea-0fa6-442b-b968-140e9ccc921f} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab6⤵PID:4396
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4664 -prefMapHandle 4692 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6986d246-77bb-4330-9e7b-f73eb0b287e5} 692 "\\.\pipe\gecko-crash-server-pipe.692" utility6⤵
- Checks processor information in registry
PID:5208
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3892 -childID 3 -isForBrowser -prefsHandle 3880 -prefMapHandle 4776 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb6e39c0-136f-4fd8-a43f-c48d03108c72} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab6⤵PID:5692
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5484 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0368a0d1-c790-4ef9-8432-87ae7e1c6b2a} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab6⤵PID:5704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5272 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c65fb703-f27b-4690-b974-ba7f8ffd9c76} 692 "\\.\pipe\gecko-crash-server-pipe.692" tab6⤵PID:5716
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012854001\d1c290569c.exe"C:\Users\Admin\AppData\Local\Temp\1012854001\d1c290569c.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3088 -ip 30881⤵PID:4660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3088 -ip 30881⤵PID:3668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 50041⤵PID:4476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5004 -ip 50041⤵PID:1672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5004 -ip 50041⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2880
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5288
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json.tmp
Filesize28KB
MD5c549342002c531141e51e244fb65c457
SHA13103c0a7c0ddee3e9ed39fc36fc8cef7bdfc6b5f
SHA2561793073a11b9964189f4a27f24082efb4e8e70f1c0736003e79a6eed70ecb3af
SHA51215e793e808b57127fc13821d7ea166b9401f926d41ea80cd5276ee70c9d6c42c75545e0b479eb1abf7df39f51274c790ceca5bc231b451ded55bcfece94eee06
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5e478db6949834618e655d92e91c37926
SHA14084868f20beb217d731eb18b0eaa8cdda4ef465
SHA256e938e74e58fc79d69760d35da3c9e81129898b2ddf88dc52fb4105b33a252a6b
SHA51275d152caad5357687da1600607e09e412bc02d1f5e3a90a29bbf4c362ca677a855e897376d10ceeb29979da2951232b92572a63e2154e72023277fdb819daf41
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD59678100fea9ae7ae60ed363828cfcf1d
SHA1a220ae15cf35dba7a9f4ad52584d481e1a805663
SHA2560b348850f149033d8ab331fedd48e1848e62c8ff7b0ea7909f18b65b44ede386
SHA5123f5e0b5c19047ebf97776f79eb33460447d8c2c3c73f1f79e3568c8a38194722cef78e3cf0fecc41bcbc8b886197447e2318ccb749ac65c07178973dc3d3c8ea
-
Filesize
1.7MB
MD5c7901bd93db80072751e0bbc88cf2bc3
SHA1611830be770290b0058f71a14ac81de635d2cc10
SHA2561dbe8bcb5469c4810154570f2feaafb1a887bdc1aa97c6cdddb68f1d9499d6f7
SHA5127e37023e41d5bf0e4e83ef84c131c996a174c120223afaee16b8be671d4fbdf6f3e7e7f660f3b6e73a78597ca9f3af31ecc1cd48bff08632a1167630bb5b2e49
-
Filesize
4.9MB
MD5789b79d122173221ba3b85c7b08002e4
SHA153e2ff13b7a76fc6090e5247b49e6e9828c419a1
SHA256d3192eae45cef7e5ac18e9c5bfdc88ea27815a27b9b5619fb75853e20361e576
SHA512b72de5178fc6a1e90c8b7de12023b1e1b7bdeeabaf8875d0543f976c86653d088f3b13712fae8bbe2024c46b0853b6d7670bc0205ca9b3a5d5cffe143f0aab0c
-
Filesize
948KB
MD5454eb5ad9da9d9a48dde6b5aaee0796f
SHA104791cb58b53f1cab386858acd545583f3233b7c
SHA2565195df1106599d81f62e9a30ad995725c4d90403541601aeadee75e47cbf45cf
SHA512bea2e0f222427f80fbca8967ec40599f0bfd7f2f304349cba255f69f7ad2742021f36c66c70203a3309b66af89a86292393cdbb7e0c9232468c7bd8c534ededa
-
Filesize
2.6MB
MD55c31c87a24fa448bb5c97a88f3442510
SHA16927671950c0ec1d33e1d94c5d8ee3d8ef906c7b
SHA25669767c62c9e48334a6ddffffb0fc21dac94466f34006a08caa11440e0e54682d
SHA5127c0139fcfd036df1b8f2b62cb1479baad2671759621c276e87fd50e37c5bb53de18a3b1e64dac4539c6d0aa9feff01cc2cfef05d166008a6c337400be7ea9f0d
-
Filesize
1.8MB
MD5a93b02d857db3b12c32bd765b83825ab
SHA1137f12047a081e6581e1d1a83c939d98514c3ff3
SHA256553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa
SHA512aab2bfd4090c77b87784d0110f5ee2dd24554fada9bdf9c2e8e08ff01a9025f5d8a7dfa2d4b89bf35cb037c162292a04f1084b87727b1bd201a9b5ab1b367bcd
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize6KB
MD5f358a6c9e712a371db9c91e08eedbe1e
SHA17ba4e09604532d829480da3acd604df439a4e873
SHA2565a87934be2413f54e1892f3884d5b9567b08229a3e2215ff64571d5ee244c169
SHA512b6dfedaac97c5e4a212e22a8d547db5a36b8cb52fa45833f72496cccfa4c18477c23254cdbb2041ae969323d274b1e463814fe53fe8b2c339a9bbed554f25d86
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize8KB
MD5910f13b52c650d5f52419b36583c2d40
SHA171768103d9280aed64fe803c3b1490829c29fa78
SHA256285982a93efef29602b64cfc8f15226ddc0dbed9a65dd8bb5754175be29d3cfd
SHA51219fb0ba4519dca06311bb2b3aa4c439b1460f403f6c6f73418113268c986b0294cbaebee516671cb6c5039d7ad67c6cad4ec591d098ac46cab28154fa526b9d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize10KB
MD549c138e090e29cbc716b79c6a642e239
SHA13a524796173530b6592e401567bfc01e5ae7e56b
SHA25606b1fcefbe06bf8a6713e48e512a8a64769c5b0880fa8325f05073b1ef984324
SHA512e06809e06e30e8095443753aec7f8afb7ca8f10752f18b46f2eaeef4ed730a073d25e8af125ffb34694b76ae3e2a2e923b47cb54d15e784025afe2a6bade6e85
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD587629eb28eb26e57bd67a317e43887a7
SHA173a46f15b8a14a3414cd78045bbe9e42f24cf69a
SHA256d9ab7d6c829dcebf3a09f354ce2db4771c163d60f239e4d3fa042d0a5d8dbf96
SHA512de726d1b7f7da81471023a728553639efb4ff51dcc5ec39fe1d04f399bb41f284e2787dcaed2a336ee05111850903d29597b8156c530964a181622fd66ebd946
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD50ebe9883c95b810622eaf4a519455033
SHA15e7848393e1ff5fe2a057b48ce8d688f3b3d0dae
SHA256f82d2a32cfcb0c8e9f06b71077d337a0c668bce4f4dabeff04f18db23397cf45
SHA512f15b93c409849ad698fb91fa9e6db6b4f4911dcedfea07230134d07e9eaacf9c2b3504066dcd0954eb7d29284f2d927a46c322e5e227f59803ec0f30c47bf46a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD5820aec4a8d4a20971d5fc780fa719eda
SHA172ec4def6c1ad7cb7af061d6bf26437abf25f8de
SHA2562c562600007b24eace6f590628247887bdb576df815f91edc40ad16d527d5f38
SHA51284568eb37cd66ca30d1ee26040aaffeb04f19e5c6d673c1c31cf50ee6b5128cc5e3240c788f4aac0f9693bf980708feb1f5d186105364daf5da11a90373cef63
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD52603dc825b129d293326910dce4c4825
SHA1ef39d211f125c8ad15a9a04e8bc9a13a51fa4445
SHA256a0ed7bc53ed0b33d471e22c1b871f50ae76c9d6f536f60d97a1f4386a8f03feb
SHA512c22fa48a34c4411197ceb37ca2f1309f9e849c2d22b136b11e4a0715dc51f405b6fec54ee5519607af7c42ea2d0e2587672a6a9eddaa6e0d8e1224a7aecb3466
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\3e2876a9-6b32-4c5d-a0ca-9df71dc561a7
Filesize982B
MD58e00e01adaa88d47bd73cf6c1185bcdd
SHA1cc26c2a754cd67bf2fb6d04fb3f1225e8900a9e3
SHA2560c78f4fbc6370c700e250c2e3a5e4b4bcc40740a45d527e3a60fe8423099bc85
SHA512f67992f44379facf7f3428886d9f97a855eb8ebc357c5cacd04b84153ccec5bd5566962a5ccf02ab3fa91bd023c3daef497f97940abc962e352727d0a5ca986b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\9943bbe6-5046-4721-bbe8-ddedfebc86cd
Filesize659B
MD592af12e625af17c055484f6ae41cf368
SHA129ac0e9577f61a01c7f9f76333a4ef5107d2d4f1
SHA2562fe9942b0d10b1ed236ddeb29b14e1932a3f3772f27d9a22ed2c2dc06e5fcb8b
SHA512cf35fe8ccf40dbb99dac7edf0f3cc405bb210cfaa7caca24cb6e9f06ce58bf4682fb9a0bb2760b7b4a770773fd7ac3e3e82ba960cc67f3bb12e109ecddd20449
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD55c3fad822c6bab4c4d0200d10e61e78a
SHA1302f92fe31b6d19e8f1d634c2b2a1e88bb0e8a9e
SHA25667fe2684b88126f6ca12cc5057297d22fff0f56b1a5584de860015a039d60e96
SHA51297782ce87cb48e5f8435db18125a8b7f57d6fba7abed682d8694c18e372cf2a50c6510eb06c71141683e3cc09a293881272393ba9528017891d2078b391f4e11
-
Filesize
15KB
MD5731d60820d47302d6cd31868e78d3ec0
SHA1ffd49bab4c8c9885ebe99a59bf2908182eb6fcba
SHA2560cc75d66397dc652c0756409fa934d829aff7f31616bfffa98192d5b371977d3
SHA512d79aa524287025a695e74efd67bc88585c2e7e55cd24fabb5ebe3c81b4fe97f2c17babb36d5aa31d415adea726e998ad1c32e06fcf71398d55c212d5e9e40654
-
Filesize
10KB
MD5d365e57eadca42cee0c9facc88783bc6
SHA15927a61de79c2b95436042b34b9bfcf043ecfe91
SHA256e6c4ba1311d5636aaf35eb4be5483c6432ec3bb650d43246552cf0e66db86f63
SHA5128252c5964619e664e6639a08e7bd4d0b1f163dbdeadac1d5be9e7edb3a6af166e492d160a677d70517914bbe3e26fb40694b72699f5a88444aa5c9172d2534d5