Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
113s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/12/2024, 05:58
Static task
static1
General
-
Target
89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe
-
Size
5.5MB
-
MD5
e933f6667d848b7505a4e2e7851b30e0
-
SHA1
de0da9064be3279105b585f582194ec314b50939
-
SHA256
89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963
-
SHA512
759100f7d917999a6ffc7d5c8beb6775cd1acd9391c04f0117133b0a24de857880340f7f82a7c42f0ae9aad8c8263670db89e9b60faa0730264315094d5f42e4
-
SSDEEP
98304:tupAd24SBNNIHtB1SnXUhXyxbnegBJY9NGNqS2MV9zbx9T1AJ:8iSBNKH3AnXUJyJ9BJY9oQS2+xq
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c0c42555eb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c0c42555eb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c0c42555eb.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c0c42555eb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c0c42555eb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c0c42555eb.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2W0050.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1g67k4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9fcb46f636.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3C35D.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7a18ef17d6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c0c42555eb.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2W0050.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9fcb46f636.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3C35D.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c0c42555eb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1g67k4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2W0050.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9fcb46f636.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c0c42555eb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7a18ef17d6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1g67k4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3C35D.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7a18ef17d6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 1g67k4.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 11 IoCs
pid Process 1068 U1a74.exe 4164 1g67k4.exe 3828 skotes.exe 2360 2W0050.exe 4192 9fcb46f636.exe 3344 3C35D.exe 5044 7a18ef17d6.exe 4964 52d8b9c7b7.exe 4788 c0c42555eb.exe 5372 skotes.exe 4364 skotes.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 7a18ef17d6.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 1g67k4.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 2W0050.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 9fcb46f636.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 3C35D.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine c0c42555eb.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c0c42555eb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c0c42555eb.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" U1a74.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9fcb46f636.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012879001\\9fcb46f636.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7a18ef17d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012880001\\7a18ef17d6.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\52d8b9c7b7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012881001\\52d8b9c7b7.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c0c42555eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012882001\\c0c42555eb.exe" skotes.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000c000000023b8a-85.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 4164 1g67k4.exe 3828 skotes.exe 2360 2W0050.exe 4192 9fcb46f636.exe 3344 3C35D.exe 5044 7a18ef17d6.exe 4788 c0c42555eb.exe 5372 skotes.exe 4364 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 1g67k4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2100 2360 WerFault.exe 85 1684 4192 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3C35D.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 52d8b9c7b7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language U1a74.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1g67k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 52d8b9c7b7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 52d8b9c7b7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2W0050.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7a18ef17d6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c0c42555eb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fcb46f636.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 4928 taskkill.exe 5040 taskkill.exe 324 taskkill.exe 2536 taskkill.exe 2016 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 4164 1g67k4.exe 4164 1g67k4.exe 3828 skotes.exe 3828 skotes.exe 2360 2W0050.exe 2360 2W0050.exe 4192 9fcb46f636.exe 4192 9fcb46f636.exe 3344 3C35D.exe 3344 3C35D.exe 5044 7a18ef17d6.exe 5044 7a18ef17d6.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4788 c0c42555eb.exe 4788 c0c42555eb.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4788 c0c42555eb.exe 4788 c0c42555eb.exe 4788 c0c42555eb.exe 5372 skotes.exe 5372 skotes.exe 4364 skotes.exe 4364 skotes.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 324 taskkill.exe Token: SeDebugPrivilege 2536 taskkill.exe Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 4928 taskkill.exe Token: SeDebugPrivilege 5040 taskkill.exe Token: SeDebugPrivilege 3528 firefox.exe Token: SeDebugPrivilege 3528 firefox.exe Token: SeDebugPrivilege 4788 c0c42555eb.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 4164 1g67k4.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 3528 firefox.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe 4964 52d8b9c7b7.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3528 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3748 wrote to memory of 1068 3748 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe 82 PID 3748 wrote to memory of 1068 3748 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe 82 PID 3748 wrote to memory of 1068 3748 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe 82 PID 1068 wrote to memory of 4164 1068 U1a74.exe 83 PID 1068 wrote to memory of 4164 1068 U1a74.exe 83 PID 1068 wrote to memory of 4164 1068 U1a74.exe 83 PID 4164 wrote to memory of 3828 4164 1g67k4.exe 84 PID 4164 wrote to memory of 3828 4164 1g67k4.exe 84 PID 4164 wrote to memory of 3828 4164 1g67k4.exe 84 PID 1068 wrote to memory of 2360 1068 U1a74.exe 85 PID 1068 wrote to memory of 2360 1068 U1a74.exe 85 PID 1068 wrote to memory of 2360 1068 U1a74.exe 85 PID 3828 wrote to memory of 4192 3828 skotes.exe 86 PID 3828 wrote to memory of 4192 3828 skotes.exe 86 PID 3828 wrote to memory of 4192 3828 skotes.exe 86 PID 3748 wrote to memory of 3344 3748 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe 94 PID 3748 wrote to memory of 3344 3748 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe 94 PID 3748 wrote to memory of 3344 3748 89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe 94 PID 3828 wrote to memory of 5044 3828 skotes.exe 96 PID 3828 wrote to memory of 5044 3828 skotes.exe 96 PID 3828 wrote to memory of 5044 3828 skotes.exe 96 PID 3828 wrote to memory of 4964 3828 skotes.exe 99 PID 3828 wrote to memory of 4964 3828 skotes.exe 99 PID 3828 wrote to memory of 4964 3828 skotes.exe 99 PID 4964 wrote to memory of 324 4964 52d8b9c7b7.exe 102 PID 4964 wrote to memory of 324 4964 52d8b9c7b7.exe 102 PID 4964 wrote to memory of 324 4964 52d8b9c7b7.exe 102 PID 4964 wrote to memory of 2536 4964 52d8b9c7b7.exe 104 PID 4964 wrote to memory of 2536 4964 52d8b9c7b7.exe 104 PID 4964 wrote to memory of 2536 4964 52d8b9c7b7.exe 104 PID 4964 wrote to memory of 2016 4964 52d8b9c7b7.exe 106 PID 4964 wrote to memory of 2016 4964 52d8b9c7b7.exe 106 PID 4964 wrote to memory of 2016 4964 52d8b9c7b7.exe 106 PID 4964 wrote to memory of 4928 4964 52d8b9c7b7.exe 108 PID 4964 wrote to memory of 4928 4964 52d8b9c7b7.exe 108 PID 4964 wrote to memory of 4928 4964 52d8b9c7b7.exe 108 PID 4964 wrote to memory of 5040 4964 52d8b9c7b7.exe 110 PID 4964 wrote to memory of 5040 4964 52d8b9c7b7.exe 110 PID 4964 wrote to memory of 5040 4964 52d8b9c7b7.exe 110 PID 4964 wrote to memory of 4408 4964 52d8b9c7b7.exe 112 PID 4964 wrote to memory of 4408 4964 52d8b9c7b7.exe 112 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 4408 wrote to memory of 3528 4408 firefox.exe 113 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 PID 3528 wrote to memory of 2996 3528 firefox.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe"C:\Users\Admin\AppData\Local\Temp\89be48dfc1e2ba3a19229fe26cd6e67a75e6343200d60dfae6929bde0ddfb963N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U1a74.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U1a74.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1g67k4.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1g67k4.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Users\Admin\AppData\Local\Temp\1012879001\9fcb46f636.exe"C:\Users\Admin\AppData\Local\Temp\1012879001\9fcb46f636.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4192 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 16086⤵
- Program crash
PID:1684
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012880001\7a18ef17d6.exe"C:\Users\Admin\AppData\Local\Temp\1012880001\7a18ef17d6.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5044
-
-
C:\Users\Admin\AppData\Local\Temp\1012881001\52d8b9c7b7.exe"C:\Users\Admin\AppData\Local\Temp\1012881001\52d8b9c7b7.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:324
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4928
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2064 -parentBuildID 20240401114208 -prefsHandle 1988 -prefMapHandle 1980 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {573d72af-fd66-4258-9606-f1728354e7cb} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" gpu8⤵PID:2996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2488 -prefMapHandle 2484 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc5c44ef-fe24-43cb-8983-5efb9e38447f} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" socket8⤵PID:1044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3324 -prefMapHandle 3320 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f81c94d2-c414-46f2-8b5d-91d5650b1180} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" tab8⤵PID:556
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1320 -childID 2 -isForBrowser -prefsHandle 912 -prefMapHandle 2648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f818d7b4-d0c6-4628-bf11-3ecbe46532bc} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" tab8⤵PID:3820
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 4628 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8dc4e98-6062-4e8b-a7ca-a9463aa915df} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" utility8⤵
- Checks processor information in registry
PID:6508
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5116 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fda3b36-843b-4067-9dfa-662d92eacc99} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" tab8⤵PID:2324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5680 -prefMapHandle 5676 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9d4d3c-4be9-47f5-ba3b-d087647727fb} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" tab8⤵PID:3144
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5e8f7d-13cf-46f4-b19d-193938d5a7e1} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" tab8⤵PID:4892
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012882001\c0c42555eb.exe"C:\Users\Admin\AppData\Local\Temp\1012882001\c0c42555eb.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2W0050.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2W0050.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2360 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 16244⤵
- Program crash
PID:2100
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3C35D.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3C35D.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3344
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2360 -ip 23601⤵PID:2588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4192 -ip 41921⤵PID:836
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5372
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4364
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
Filesize27KB
MD5ad193999e8cfc19caf64d92281e3d1af
SHA1aa87ccbab2437499b59922f5e5f23f80275ccb68
SHA25634d68560c53d5b95a12c1cc491b35880f94f0578844bc136e558f25ba3d4fb75
SHA512974f80516faaf13564ef7fc9ab5a77a1f08a2f413339d67318e1fcb248cfbdaad7ef6418d4cacdc0200f209ae50354a0e9caea576bf3b8eaab956919c831963a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5190074eee857d8ca2f49960afa2cc327
SHA1d3cb5a5cff9728c0a6d87788d7193d98f871c934
SHA256e58b30d8a16c661da5c06a153d9f932e61a670858ea9340d196cbe1d6e95b894
SHA512c6e6664029ae7025f8c0200d6abe11895b79b44eb4072425757ac505e8094fd4563ce26c9bd96140dc662fa5b996beeb035c4e5ab04d4ba4d56502383ccccd59
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD570310518b7c2ac63bda66a9d62bfd0fa
SHA11f18611c082e3f9558060bbea13660d819e6bebf
SHA256ce1bab22cf006f0d77dee1a9d501e2faceb2ffc002f01df957957b508d3097a0
SHA5120163821f691ee1499bc8c1947d28d7eda45d811a38ea02d53d795dffa2c1ae2570eaf553ecf3ad21073f7928f946e71db3c2115092d819452d052f3ceaf285c8
-
Filesize
4.9MB
MD595dbcc07cb46e9fabd1d6e214730ddeb
SHA158c9638fb444939ad2c44d01884e4382fd77971c
SHA2561f32272c0add9df4251ae859d2074dec802b3539e018b221db84c19ccfde9f75
SHA512d5acbf33e358880e64077b2eaad870b9c9e52ff513509cace32f0222523af7e3726deb38f14f4b4953973bbf7017bf0f5b73a9fc1f4161383fca3d5782bc1f6b
-
Filesize
946KB
MD5a60442cd1eca2074d45cd42ad5b9942c
SHA1251429cebbdb61d5583e23cff0dcc2d139f52c36
SHA2567b5c2a31018643981fdbd303a4d06db54a1cf8bc7dcc0b40f955c92a2d5c2457
SHA5122b08d882c43f0b6c71716b3d447b2944bad0424990bba9045e289271a342809e88ea2c2e2b92c3520e45233439e932e5a2c724397e2ff55ce1db86ef5d3b9d5b
-
Filesize
2.7MB
MD5e2bf2a85a8bbd48ff5accf5c70d95d6c
SHA1faa2cbb9bf6d8ef253c2136aa08da64804efc1bf
SHA256309c4ce96eec016ba9e48cc22775fc648fd7c016927882d9e12a179e8a9fd181
SHA5127cb6e549f3076e6c51e73a1204362ad9d08d352222e65c3f0ee898ad0407aa3be0255c4119b2fcfe5c8ddd9aca013209885bd5afb8862b3ec2547f9c9543f3e2
-
Filesize
1.7MB
MD5033e51d4f55438302216ac21d4763c85
SHA1a383509c659b7a95fb780f03895d84fec041da4a
SHA2566014ff5135aa63053f17fd00de37c08f1f193e713f93772b0c84aa44754c1131
SHA512e32707d739e88967badbbb1beab2131ef13a488e9099933e581463b0d4c387fa939986c5c33bda6b97e9c2eb1b5e1e74bfd4e7c54fb22f1a5bec0dde3bbc757c
-
Filesize
3.7MB
MD57ac271033ff0648be1cb86d8b1d08ca0
SHA148799a2ba53a0f75f13c34432653db084e181295
SHA256033e509bd6505978b562dc6c0c9c87a8d2ce3fe3b9f9ad75f544cda40c7a5075
SHA512843eaca89664b009a4798fae1d8b1a83c5914c87fade55ed3e129104bae1df81a8ea950919d22632385446f03a0abdda39df6623162c762fd044e6fa3315ec50
-
Filesize
1.8MB
MD5f25ddb78a2cc3b6442c52a3c4a2aa843
SHA152ba6df84b158bf917044fee22625d2a12202382
SHA256ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4
SHA51274c7900f42e3d9b5d490e4848c7d12832f14b245065e04baa96604f2ca91ea5e46318ea71e081ee266fc770a94413edc298516abf23ed9f6c7cd6e7a70b72f14
-
Filesize
1.8MB
MD5a996397cd4d1502f1eed95cd693d5752
SHA1e66aed1fe77966fe2d9eebc5ba8e44f873485589
SHA25681a3a8a0412d519ebc63f7020adff204ea2ea0c117fd0ad8d7828615895ea648
SHA512160d03ee92fcc883ba168824d54404ea579b4e4ddebc8fb2ada4e9c0330658f3962b9cdbf894ea31453c27eff3ef04adbd2218eaa1330a8578464049a925d9ce
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize6KB
MD52575ceafdf207b22d92b5a14c98b2232
SHA11d15782d802f585d1560a9b09d0ec5db69313f54
SHA2569cfaf103fb8b1a4b87edda3434b364a47c5784c5fd22ec58944c202175c41cf8
SHA512aaa4cfae8d5b9ed2a1e152d802f7cfadb5b158ea9c2718b426cb6a4c4221b5402036ce1b3654a8bf430d62fca7a841467db42ec45d45f15520b0f46604ef14aa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize7KB
MD5bac8978cc6a9eed4ae44634fb695c4a3
SHA17c8bcae4defa3908db780367b7f9e13219cdbcb4
SHA25604b537436ba0d6ed993461a72878c32ca51803488fc68ea0c0641b966e680cb8
SHA512d914384b9dc541b10ceabc0ff996d6b28ad6ee56db56d11763b9b089d224be2551914ee9f2f40dd6af1564816908c1d062d64ea164f55bc2bf33c0cbe8164cf1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD58a70c151f3aecd99f76b6dabe298608d
SHA1a2a8f1ad89837f1cca8dc39575c50464742f1ce1
SHA2560c9bdb0860ffe78d193acadd8675ab0bccf7a66ef47d791acdffb395db4a6655
SHA512fd8a7c272b21a65d97f3c51408f7c0428f2d239f9ce62dc880794368166e290c36cea202a2165b3685c74e0d9fea95b671be46441e0e79e3ab3a3b011e99860c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD540db7cdd5519d104bbd1e2d396a90cda
SHA1754a85cfef0fe43134d673e113345d9016053a6a
SHA2565f0a83490d97bbd4b9604f547b9e8dc23d8e3d9f17a9cefe4787be9f1ffdef49
SHA5126c808504968ab41115d86fd093f432c158a32690fa63f29141435729caae181a699a03dd101014b3885c36b62638fe2766403c260f9e8b46e71ed06710dd5477
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
Filesize6KB
MD54c8e79f76e8c3b75a6d714962f8b85a2
SHA1d869c1c0842b8ab99c27b8be1710dbd1760c11c6
SHA256a3c2f804ecf8a2c46065e23456251bed6d1d97cf4cba3fe8b265977dfd425035
SHA5126891ca98b47b5eef00c24399993926c11b2f85a21da8ab3ae33c5a55cdc6e56f4de4b546bc182da0a3973611b594d8c3bc03183ec61bf525f560f3096946b3fe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
Filesize14KB
MD586f8caddcc053de657e618717ccbfdcf
SHA1870c849be5e92252711e0ab244da028ba909af96
SHA2563c6a8e57eed133c338d79a377829eb6c75144c58d8199b3a5bb0f4533e12a9c4
SHA512f70b4f9ef9661663856d37aab9ee762ec4ca23037fbfbd84066915b141a815689ca96ef57b97125086e71fec7051db21f79974abd57f01a7f0bb265ccb97f8ee
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD55bb56dc345d6def76ee23d284144740f
SHA1f2a78b185c879aac312950ebbb6c5d8b41db06f4
SHA25692e2bf513185b7f3c33114ed1bfd6456ad47fe82d6543b0522298160717562ca
SHA512d9eb298f05c45692c940eaebb5b1904c7821bbd711aa1b7d0948f614ef7df1b73d153aa23732edf39230f6ca1baa68307bc65455cab2e1305e782cf0758ecbdb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD529c0980cc66331a7064871609e812518
SHA1c4286408ae06ea9ca408abda418d0b7ffe6ce549
SHA256877879db750296f490ab3e04c9411720b7b1988b93b2251dd97a6911e33967e6
SHA5125aad1201c3b7331eba03b0bb052a2bd81bb5cbed5c7160b68cd450cfc3b48a13951585eb8789c7b74286c5149e3c40b7f48cef1131bb090379314d2d73a73b9b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD57c1a5e4173cd7d6ff3d0bafc1a99cef8
SHA1a5a5fc33dec37a4f8a288ba9393d2e9ab993230a
SHA25609896995ed3c496ffe6856c3a2e275fff090b9978b765c9bc40d4162eae74d75
SHA512c3e15d2813563b864b230bafdbaf59e8862a1f504910d388f84a683979ed062ce5bc1852d9a5263759c1f287b70d0ea44836e5b38d1b5fde4b3c85e9971238bd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5a6cf9daf5d5905e03449af1c9b78e4d3
SHA19cbdd07d5a22acfb64a13ed094944fd563b8c6a6
SHA256288287afab97ea035915b274349102eb9b9ba9d1578852e7eac6369c0b399c5c
SHA512f51f6d080f6e0deeb3743cff048d91df8bf178c6e1008430db74a47e5734d64583d4528fd0dd9a8095c0e73fbb40784d5a117e3186b9ca9a0abe9c92b546f0e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize14KB
MD5ede4b5a1055c6aea4e6c6a89ffcd9b30
SHA198b34639537cd2b2b6b3c453a33b48eb765284f7
SHA256e8b64854ac9fa4885f010ce913a366c0e218a0c3cf0902db06121e6696fe4dbe
SHA5120cd0c286feb61c80ad4b98e1b5abad679f0b4ed6fe3fa16e864cead3262282b1a5cee25e18a2e37c84ee3710f5ac9c545e116c0fe3ccb69163122bf160bb4a05
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\46dd2dce-fa01-425d-9c9b-9576149cf8de
Filesize671B
MD59fd3cd80fe5373788066298e60ee9096
SHA15069a2871bf4b0dfb213b603fe8870d00897ac09
SHA256b045dc48359ae7a8556cae65d66d9ce713996dee6fa13709a8fb685844eac609
SHA512f0ad86227fc2dcfaf585a012b3b2419423a1d0bab2b5cfd64b12dc9f35b619f40f9e2d8629739bbebb6de3ab0f56dfd983ebbd55723487c9ad8ee314d6e39fc5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\79a89ef7-1cc4-460f-8c64-3845650a08d5
Filesize25KB
MD59074d39a00ecdcab76836f12c22e350f
SHA1bfac839e9b51343b5ce49ae4040ef8a05370b11b
SHA256fc3ec70c590a7a4f13ee2038aafa499b34b5496636c6c1045cf79b858f8d6e35
SHA512acfd8e714229936fc8cbdce903140773585776fc3cbfdea2b2777c9b6a8d55c7347c888d158e572b8df056f9d0ccfe83f0e814728c5fbf49f4aa1ebbfbf50701
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\a104dd48-3a11-40d3-a0cd-cce2a0cca40e
Filesize982B
MD57043ceb29c23e8324c591a682162acab
SHA1c8b83b86435c068285dcece0fe1a3fc41bb3501e
SHA2562d9b01826f24186c6f4a43c62109d84df3e996e5f0ece78a879fca0b4923df46
SHA5120bfab0302744e668e1419736baf408465f1580500dd6cc41f3c9084373982cb486e9657f9f76a6c8f61788ccdf93d73eba36c57936c695cb36018c21bece2776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5d39bff2465eea0be404a7d99a055b7bd
SHA1df842da99edfc983fb0a10a3cb1521f57ff875ec
SHA256ba662d2a3fdadc59bf2b2d87d5b1ef71b8843f7f7848e86d5f081905b3b1c0c5
SHA51244dffc5471953e74dc43c023e37c3211f9f770af02bcf01e1677249a9df0b7b4ace8b69ede36f23d43073805cc58a03c006fc690fe722dbc2a808b4906b8125e
-
Filesize
11KB
MD5727d455489912fe583181cac389e9399
SHA1cfef5f29c34a286e7f197b4e4ea54a0549385813
SHA256614f270afbbb45e8677aac1c8eb3d76cdfd39fd9decac67986c6e3bb2c47c6af
SHA512dd19b6eeddd27bf4559091c9091a04beec30702963eef20d7bf61bde7a876729ad461663bd84ae44cff0b6c0e31997fa43cb3bb3147aab079c7278c7f798fcd6
-
Filesize
15KB
MD512f1bf1064d4703876310e191911fe0e
SHA12f0ddb2bd235f184217559ae9365851139607188
SHA25645ce3bba701c543a0a0a234f968620c0d225d4feb25bf5ca7758f4672a1f00ae
SHA5125ec81c92f8100d7eebfc8df739bff50539f5ac23db9f945ad294527d1a531eb078ba9cdb51d4ac5fe9bfe6fffab67d88f9d2ae5680b5612bbb7fbffd01251106
-
Filesize
10KB
MD5c872a8fe916849212ada4a989f07d618
SHA1ae0c03b822d6cbfb62d08e57d2bb217d907436fc
SHA256a4df474a95bb284f88a9bd51cd55d930d8a6e18501b95bda4d371e785c5857d5
SHA512d9a3624ec609b3ccaf36c34bf25a7aeef7783f8633510a93dacdaf8949b380193c64a292d9a1d53f6b74a6363e94b190e6b541bee205a055269cdca50bf3955c