Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
113s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/12/2024, 06:41
Static task
static1
General
-
Target
85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe
-
Size
3.7MB
-
MD5
36e2a5ae900dff67a64f81eb762a01de
-
SHA1
97227f9f6c939f6d02c3b3cb8efd2eb81d246b12
-
SHA256
85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10
-
SHA512
1e968dd2894d7e54435d48991e76ee554c6b667e45e205053ef9164e3e7870bc72904baea0e63478ebe07d17681f2355ef12179b56efff9ff4514605ca8fbd91
-
SSDEEP
98304:EXIRvWaQUUKJ1c1XQIVa/yGbCq+siY9Om:E3aQUBJ2ZQIVqy3psiY9F
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 38c472068a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 38c472068a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 38c472068a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 38c472068a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 38c472068a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 38c472068a.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1g67k4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2W0050.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 144dd9ccf0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 520fa8b959.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 38c472068a.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 520fa8b959.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 38c472068a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 144dd9ccf0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 520fa8b959.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1g67k4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1g67k4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 144dd9ccf0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 38c472068a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2W0050.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2W0050.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 1g67k4.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 9 IoCs
pid Process 5000 1g67k4.exe 2268 skotes.exe 4556 2W0050.exe 4452 144dd9ccf0.exe 2708 520fa8b959.exe 2724 3d12610798.exe 2140 38c472068a.exe 5316 skotes.exe 5696 skotes.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 38c472068a.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 1g67k4.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 2W0050.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 144dd9ccf0.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 520fa8b959.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 38c472068a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 38c472068a.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\144dd9ccf0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012887001\\144dd9ccf0.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\520fa8b959.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012888001\\520fa8b959.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3d12610798.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012889001\\3d12610798.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38c472068a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012890001\\38c472068a.exe" skotes.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0007000000023cc2-72.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 5000 1g67k4.exe 2268 skotes.exe 4556 2W0050.exe 4452 144dd9ccf0.exe 2708 520fa8b959.exe 2140 38c472068a.exe 5316 skotes.exe 5696 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 1g67k4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 932 4556 WerFault.exe 85 512 4556 WerFault.exe 85 3544 4452 WerFault.exe 99 -
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 520fa8b959.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 3d12610798.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38c472068a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2W0050.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3d12610798.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1g67k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 144dd9ccf0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 3d12610798.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 4664 taskkill.exe 4364 taskkill.exe 1852 taskkill.exe 2112 taskkill.exe 2984 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 5000 1g67k4.exe 5000 1g67k4.exe 2268 skotes.exe 2268 skotes.exe 4556 2W0050.exe 4556 2W0050.exe 4452 144dd9ccf0.exe 4452 144dd9ccf0.exe 2708 520fa8b959.exe 2708 520fa8b959.exe 2724 3d12610798.exe 2724 3d12610798.exe 2140 38c472068a.exe 2140 38c472068a.exe 2724 3d12610798.exe 2724 3d12610798.exe 5316 skotes.exe 5316 skotes.exe 2140 38c472068a.exe 2140 38c472068a.exe 2140 38c472068a.exe 5696 skotes.exe 5696 skotes.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2984 taskkill.exe Token: SeDebugPrivilege 4664 taskkill.exe Token: SeDebugPrivilege 4364 taskkill.exe Token: SeDebugPrivilege 1852 taskkill.exe Token: SeDebugPrivilege 2112 taskkill.exe Token: SeDebugPrivilege 2552 firefox.exe Token: SeDebugPrivilege 2552 firefox.exe Token: SeDebugPrivilege 2140 38c472068a.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 5000 1g67k4.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2552 firefox.exe 2724 3d12610798.exe 2724 3d12610798.exe 2724 3d12610798.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2552 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5084 wrote to memory of 5000 5084 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe 83 PID 5084 wrote to memory of 5000 5084 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe 83 PID 5084 wrote to memory of 5000 5084 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe 83 PID 5000 wrote to memory of 2268 5000 1g67k4.exe 84 PID 5000 wrote to memory of 2268 5000 1g67k4.exe 84 PID 5000 wrote to memory of 2268 5000 1g67k4.exe 84 PID 5084 wrote to memory of 4556 5084 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe 85 PID 5084 wrote to memory of 4556 5084 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe 85 PID 5084 wrote to memory of 4556 5084 85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe 85 PID 2268 wrote to memory of 4452 2268 skotes.exe 99 PID 2268 wrote to memory of 4452 2268 skotes.exe 99 PID 2268 wrote to memory of 4452 2268 skotes.exe 99 PID 2268 wrote to memory of 2708 2268 skotes.exe 109 PID 2268 wrote to memory of 2708 2268 skotes.exe 109 PID 2268 wrote to memory of 2708 2268 skotes.exe 109 PID 2268 wrote to memory of 2724 2268 skotes.exe 110 PID 2268 wrote to memory of 2724 2268 skotes.exe 110 PID 2268 wrote to memory of 2724 2268 skotes.exe 110 PID 2724 wrote to memory of 2984 2724 3d12610798.exe 112 PID 2724 wrote to memory of 2984 2724 3d12610798.exe 112 PID 2724 wrote to memory of 2984 2724 3d12610798.exe 112 PID 2724 wrote to memory of 4664 2724 3d12610798.exe 115 PID 2724 wrote to memory of 4664 2724 3d12610798.exe 115 PID 2724 wrote to memory of 4664 2724 3d12610798.exe 115 PID 2724 wrote to memory of 4364 2724 3d12610798.exe 117 PID 2724 wrote to memory of 4364 2724 3d12610798.exe 117 PID 2724 wrote to memory of 4364 2724 3d12610798.exe 117 PID 2724 wrote to memory of 1852 2724 3d12610798.exe 119 PID 2724 wrote to memory of 1852 2724 3d12610798.exe 119 PID 2724 wrote to memory of 1852 2724 3d12610798.exe 119 PID 2724 wrote to memory of 2112 2724 3d12610798.exe 121 PID 2724 wrote to memory of 2112 2724 3d12610798.exe 121 PID 2724 wrote to memory of 2112 2724 3d12610798.exe 121 PID 2724 wrote to memory of 1644 2724 3d12610798.exe 123 PID 2724 wrote to memory of 1644 2724 3d12610798.exe 123 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 1644 wrote to memory of 2552 1644 firefox.exe 124 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 PID 2552 wrote to memory of 4788 2552 firefox.exe 125 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe"C:\Users\Admin\AppData\Local\Temp\85815a1cb7eee10f958a02d58018a11fa37e8d204523df696a10da2a63531e10.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1g67k4.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1g67k4.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\1012887001\144dd9ccf0.exe"C:\Users\Admin\AppData\Local\Temp\1012887001\144dd9ccf0.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4452 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 15765⤵
- Program crash
PID:3544
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012888001\520fa8b959.exe"C:\Users\Admin\AppData\Local\Temp\1012888001\520fa8b959.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\1012889001\3d12610798.exe"C:\Users\Admin\AppData\Local\Temp\1012889001\3d12610798.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 1992 -prefMapHandle 1984 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73579812-2db2-43bb-8d5f-7fb7f938ca60} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" gpu7⤵PID:4788
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2480 -prefMapHandle 2476 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aee60ec-5d37-4f80-a7dd-462db63fae64} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" socket7⤵PID:4484
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 1 -isForBrowser -prefsHandle 3360 -prefMapHandle 2832 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd2715fb-8002-437b-9f7a-fb8b844475ac} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab7⤵PID:4616
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 1116 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77346125-1bad-4024-bb9f-03d871ab435c} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab7⤵PID:1108
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4668 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4616 -prefMapHandle 4644 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23b9266e-0119-4d0f-97bc-ba79e7dc666c} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" utility7⤵
- Checks processor information in registry
PID:5516
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 5520 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7388c292-fb1a-4cf6-8e4c-206e6f3bd201} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab7⤵PID:684
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5672 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4ae6e5a-246d-45d0-b706-ffa481ca9670} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab7⤵PID:1968
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5488 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23ad196a-765a-461e-b33c-88dc57a217df} 2552 "\\.\pipe\gecko-crash-server-pipe.2552" tab7⤵PID:2180
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012890001\38c472068a.exe"C:\Users\Admin\AppData\Local\Temp\1012890001\38c472068a.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2W0050.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2W0050.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4556 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 15883⤵
- Program crash
PID:932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 16123⤵
- Program crash
PID:512
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4556 -ip 45561⤵PID:1896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4556 -ip 45561⤵PID:2316
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4452 -ip 44521⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5316
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5696
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
Filesize27KB
MD5b7a0476d98eee05ffbbec2367daadf32
SHA19a24e08354fc05484152767025ac1e185a50a9f7
SHA256c668735f31b7d658b791abea6ecd975403604e0d788fd6e0191e2e93df94cc4a
SHA51202503a1775d6e80f37f330d011d0e14c4261e3c42b0e1c1b1aec6ae1b9ac4f1118481c39f6c5b6e29d791f3d819672787bf54613189c0c7b07f8fe60f7c22b5d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5c625996c147058f9bb592dbbabe304b3
SHA1a79d2f1e9565d49261cf640314051b606a81f87f
SHA256e604a30037f6aa454d60dec937759f8c08c3902127c37d0de19fde46489fe264
SHA512308f60c2ff80a5b6c5bb6612254d9962a5f88e890ed9c0fdaf1c811b764161bc54fc2d1ae4cb8d88cdd2b7bc9530a201d5907b77ec26a871f9e455b7ebf2956e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD5ae8111f11c7a5611770e4c4b8510eb4b
SHA199974bcb92a9106045cd4391902d6fc9680c42fd
SHA256d84d3e12220e17275fcd6b90d7f2baa6e47bc91d06efa9d47e685d6353a8b2e0
SHA512c98c4bce8332f496865cb11ef63b842fffc53416745e4269da1306e4a5a549780eb8b426122d456db585ebc2f583c2928e3b0565081e623f24e26278c9afa667
-
Filesize
4.9MB
MD5a2728561b7680aab4204863cd307df3d
SHA1ed90cd719cd34e45cb5ba0147fe16a1241497dea
SHA2568a00b650affb26d6fd996043a56922c8f2caf4d3a73ad0400ff6958adbae265b
SHA51260f595125cd94f3664fe356868d644fdb39aa2513085c2f90fa878b5362bd610bd0879122a7b2345e3889ef46bea682cefbb1e1730413801655c5cb52197bb64
-
Filesize
947KB
MD56da1d1729f73ca6cc3aec6e26c0a5bfe
SHA1d07c102097d332249fcb0bacf485eeb307962ac4
SHA2566c9f50764263e318da51169a2f82bb5965977b5c71bae55b30f6d768e41a834c
SHA512ef163cb37bf8345dc3d030d76510b0d9f1c48af45dd1c030bd0ebe8be58b47651594747c5ccfe9468aa09f40a0f99410d2b45e5c8b3e77d1e41e739abbd35868
-
Filesize
2.7MB
MD5b556e5001a590d13c69c25a0e62c48fb
SHA1544c70f1595ab12f6d264a48887b9cefaa636882
SHA256b11e93125194bedd6d119310e02a7f1f2571d8be5e126d8a760b40e412d59be6
SHA512ccd13233b478a7c5aec7b64b1b0abd2f6dc537ab26728a516f91a52a3a3f596261581812a394ae51b62929f7b4cd2fbed24307d1ef8ce9c05bfa9063306e6cbd
-
Filesize
1.8MB
MD5f25ddb78a2cc3b6442c52a3c4a2aa843
SHA152ba6df84b158bf917044fee22625d2a12202382
SHA256ca2d328cf8d3bb990c47a4ea62d67eff34f06a00b7a3a7bf5189120da96d8bc4
SHA51274c7900f42e3d9b5d490e4848c7d12832f14b245065e04baa96604f2ca91ea5e46318ea71e081ee266fc770a94413edc298516abf23ed9f6c7cd6e7a70b72f14
-
Filesize
1.8MB
MD5a996397cd4d1502f1eed95cd693d5752
SHA1e66aed1fe77966fe2d9eebc5ba8e44f873485589
SHA25681a3a8a0412d519ebc63f7020adff204ea2ea0c117fd0ad8d7828615895ea648
SHA512160d03ee92fcc883ba168824d54404ea579b4e4ddebc8fb2ada4e9c0330658f3962b9cdbf894ea31453c27eff3ef04adbd2218eaa1330a8578464049a925d9ce
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize18KB
MD57927a05d2c247236a6b05e8c3b99fa3d
SHA1c274b308925b02a4ec658a4629eb63b1405ce788
SHA2560407d2d34953143bcd8d9d6aa7eeb29253a26b1f68f3e127ee0612c302c94426
SHA5128df1071f22e44c6594427425100db41ba06ee43959a614a1f946ed577c1c53b387d2855b6e78862798423c7078f152732f746d5e90b82ac3423153d1c18120d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize10KB
MD5a86cb6894f17696f49795a18947b54d4
SHA14156e40b4b37804e9479f009559b2a7e4b58251a
SHA256fb3e3bbb75532056a8f660b332948515bad1da3e5cb9a74d7d04f483bf9eba1c
SHA51245e9257afcea420eb9fb66ad53d8cbc00b6a5da735f3c0d0ab82f787936b915537016a65de58e877b7de500d0ee3bf2bbf896d06cf694686d2937d450348fe3d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize22KB
MD5c1e401132032fdab9915eed528041679
SHA15dcaead8ef4e38b32fcd658ad066088a53067eb5
SHA2566faa49da45c20925ca383c69acdfb393c4ac989fe50961c8c224c7a6f4c94f58
SHA5122250b2ef7e930d33517666a43efad53986b5afba8c05bba70d15ae172a7b7ab57b5975de3eb2b62001dd19dc6d9f729a64303cfc5143ac193b9660904f2d909a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD5d3d1967aedc9f849305fe2771d318db9
SHA1c0b919216ee812f5ab7870c82c70911ead7e46f6
SHA2565917e8d23db29635a0f21a2cc449812a11def0eb185b22e058bb208984eef5fb
SHA51223d4d2f12a380a89c186e02da2f4846403d466bbc6d3725ac4ed43a8bca26adea9050f9dfcb55855c1a122a805777c7feaa32d83b4280bcb0018a68799157daf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5a7830c2fd890f9c44aaa21ae2512aaca
SHA19373e112f04661ec515bb20ca4d63121950fb974
SHA2569b41a63dde56e5006796a7e914b8dd0a5335c6e9b391af09636ed551f1dc0dee
SHA5129fa0d20ea543c37d81eb6146cb9eb3ed5037a077af8c968ce007cac934c8f3677b7d0b6c215d0eb40981c00602f56a659d74a78515e7cf0629af3750a9e119ad
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5f8846938a716d4a2d7b61c664e4001e7
SHA151cea4a60168d575b127f4769e5411a68d63d0eb
SHA25629b851650d419eea22233a55929e75b6d6a9485e2dc489c24d09754d5ee7295f
SHA5120f4e1ce82a7c2875f9688440680fd65053bd3183fdebea11dc95fa8503be35ab48186a40f59350afb3a2175a55c16167a80d59349b92d9c0198c2f5a80ecee27
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5aed10293b95f5c2561ee74aebb77271b
SHA14ba4eb4f50db135e8d5b1c0a9619d268513dc837
SHA2562ab00ab490b360183fc02dca050e6f3855efc02609929ba979f04dc0bbc2805b
SHA512b4a0d94772b07585789d18839cc48332ee746f54e6ba0231a2fd4bade5402801c3a0c2b0c518b8f97102fcd4ec5b194426eb980c0ff7c0ba8811d6a287f0a725
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\137051ce-7fe9-4759-bc5d-2fd6b31a4bd2
Filesize671B
MD5b835383b6470eba8489c4d3a37b93ab6
SHA15e553fb3a306f75147a69be6b98ec2febaf2abd3
SHA2563403b221c3727dbce83fe0505fd3f584806845d621a7dae7e31d921495311423
SHA51235a8cef4271b6b585bd866e33d61b96590d026c1f97a331de263acc62081cb91653a9e808a03274d9e5cc8ab2225c0a8b7a26e1efeb79ad752fe3ef19fe59aa1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\1cb5dea6-9896-44ce-b35d-835af377e50e
Filesize982B
MD5bd137e81dea4f385b8d6a935187349d8
SHA1252d996d6e561aee625702d1d292e9e30a16c1d2
SHA256171f19dfdc57bdc3dcb669d287176777f459d7d822bb69cddf63ae63b6786d22
SHA5122156d516e37810ad8b7c67036d84bf29f712dbe84639291ccbe1d27f5cdc443f6d0c8173455d8ffbccd40a26ad66606c0aaac845baa5d7cdf12118fb20013e93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\f21b520a-03d1-4490-a3a6-a2664175fc80
Filesize25KB
MD515248af3abbe6cafefd39e7d998e751c
SHA1da3807f20bb5585751063bfbf0b81146186073c4
SHA256720d2667f7f6a5a88d581a40b253917e3005b716beff57853b1a0d22a2825e3b
SHA5129779c0457b431aa47811a387ea4601682bd30f3c667e3111f60b4c2c2bd175e3d03c7a8e0e85a732f08c493ea19645a9c1523d9eb32b2ccbb4ea03fc89a6cf2d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5fc8414547dff57788f3625e4f3af53f7
SHA14f7c35d0ab59c8f3802f1d1f836851d32cdb00bb
SHA256ccd1e84c2a6e3c68349506319f7687521ef0a458d0712caa6611a9d3cb6fd423
SHA512d8ccfe38e8c305218cecbc0be252e2010b7efda247d1f71aa04332ef11ab79ff33871d6f2e935a242814b2acee8b703c2974ca4c999e2eb384d719dba5e95150
-
Filesize
11KB
MD5c594e20b0b849a99b3e554c91e7febc3
SHA1a6f055ffee259e8979aeac821b89157d0f2db2e9
SHA256166d4b8d3cffa578f6eec5cd65eb815980b786ea801e467a5d1bb0d60d9df728
SHA5127a1d84b26c6d3649bd09f83624725deb0b35d8cf805b93f4e3a44879a584eaff2c8415e4a3d0cbaf549c9a11da8376255cafa72c6600bfbd300bc7fff41fb215
-
Filesize
15KB
MD51df4f9818e18ce22b6b3cab96d04cc54
SHA1ec20dc6ee2a1673a0823af67b405d396938472bc
SHA256bed4049848794776613814dd7f5a9470e6aa9d54be90cbf7c473bd646f63c2aa
SHA51282c24a160dd50bf593bf9267d1b6814dfbae4cab81de5f425926cde3e6a51cb75485d6118e1c011a8fc588b2867091e28ad931d4a6d6fb6d9c0b2841843163a2
-
Filesize
10KB
MD5964e5b61def45195d5b530425f0782c9
SHA17225615117adaa38eb26a1ad48d9f661fca9ac72
SHA2564ca9f179a9d446c0afdffe898ffe8fb52a739a3fcf356a36c15b46cd2a3e381d
SHA5126ff357a4c2b7ac77adc7698adb728a0139e1880c75441fee98b9577630f401ee77a2e6c9a81e1e36dbc8d312563e0e6d0f9dd4011c042a5bde9079c5a187160d