Analysis
  max time kernel: 112s
  max time network: 124s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/12/2024, 10:22
Static task: static1

General
  Target: a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319N.exe
  Size: 3.6MB
  MD5: ee8159256e50319eca83f757a5bbe470
  SHA1: 83e4b618a175fa632e4be77b4f89295d038373ee
  SHA256: a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319
  SHA512: 00064265a9e73b5c4a64e0718eed13a71bff4f1f4bb604439c104e14bc995167ff81387af76b1d880d6baa5192dcafb5e3730d5ae5a87ef4b9b803961f839233
  SSDEEP: 98304:FnunKrpJ8JpbuIxjIjhSgxHnxGc6KIdUp92R9:FubBxEHxJWUp9w9
Malware Config

Extracted: amadey 4.42 9c9aa5 http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
Extracted: lumma
Extracted: stealc drum http://185.215.113.206
  url_path: /c4becf79229cb002.php
Signatures

Amadey family

Lumma family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4b7991b093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4b7991b093.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 4b7991b093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4b7991b093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4b7991b093.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4b7991b093.exe

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 8 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2k8223.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 14802906c9.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0318ec5fac.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4b7991b093.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1O23T7.exe
Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 16 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2k8223.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1O23T7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 14802906c9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0318ec5fac.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2k8223.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 14802906c9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4b7991b093.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4b7991b093.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1O23T7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0318ec5fac.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Checks computer location settings [2 TTPs, 2 IoCs]
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 1O23T7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE [10 IoCs]
pid | Process
4392 | 1O23T7.exe
1416 | skotes.exe
468 | 2k8223.exe
4440 | JoYUT4N.exe
1504 | 14802906c9.exe
1560 | 0318ec5fac.exe
1032 | e358c26441.exe
4604 | skotes.exe
7036 | 4b7991b093.exe
1044 | skotes.exe
Identifies Wine through registry keys [2 TTPs, 8 IoCs]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 2k8223.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 14802906c9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 0318ec5fac.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 4b7991b093.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 1O23T7.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4b7991b093.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4b7991b093.exe
Adds Run key to start application [2 TTPs, 5 IoCs]
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0318ec5fac.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012926001\\0318ec5fac.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e358c26441.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012927001\\e358c26441.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b7991b093.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012928001\\4b7991b093.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14802906c9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012925001\\14802906c9.exe" | skotes.exe
AutoIT Executable [1 IoCs]
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0008000000023c21-105.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger [8 IoCs]
pid | Process
4392 | 1O23T7.exe
1416 | skotes.exe
468 | 2k8223.exe
1504 | 14802906c9.exe
1560 | 0318ec5fac.exe
4604 | skotes.exe
7036 | 4b7991b093.exe
1044 | skotes.exe
Drops file in Windows directory [1 IoCs]
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1O23T7.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
Program crash [4 IoCs]
pid | pid_target | Process | procid_target
1536 | 468 | WerFault.exe | 85
1172 | 468 | WerFault.exe | 85
4628 | 1504 | WerFault.exe | 102
2548 | 1504 | WerFault.exe | 102
System Location Discovery: System Language Discovery [1 TTPs, 15 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2k8223.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0318ec5fac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1O23T7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e358c26441.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 14802906c9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | e358c26441.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | e358c26441.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b7991b093.exe
Checks processor information in registry [2 TTPs, 8 IoCs]
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Kills process with taskkill [5 IoCs]
pid | Process
1448 | taskkill.exe
4272 | taskkill.exe
3200 | taskkill.exe
2512 | taskkill.exe
1148 | taskkill.exe
Modifies registry class [1 IoCs]
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses [23 IoCs]
pid | Process (consecutive identical rows collapsed as ×N)
4392 | 1O23T7.exe (×2)
1416 | skotes.exe (×2)
468 | 2k8223.exe (×2)
1504 | 14802906c9.exe (×2)
1560 | 0318ec5fac.exe (×2)
4604 | skotes.exe (×2)
1032 | e358c26441.exe (×2)
7036 | 4b7991b093.exe (×2)
1032 | e358c26441.exe (×2)
7036 | 4b7991b093.exe (×3)
1044 | skotes.exe (×2)
Suspicious use of AdjustPrivilegeToken [8 IoCs]
description | pid | Process
Token: SeDebugPrivilege | 1448 | taskkill.exe
Token: SeDebugPrivilege | 4272 | taskkill.exe
Token: SeDebugPrivilege | 3200 | taskkill.exe
Token: SeDebugPrivilege | 2512 | taskkill.exe
Token: SeDebugPrivilege | 1148 | taskkill.exe
Token: SeDebugPrivilege | 4584 | firefox.exe
Token: SeDebugPrivilege | 4584 | firefox.exe
Token: SeDebugPrivilege | 7036 | 4b7991b093.exe
Suspicious use of FindShellTrayWindow [33 IoCs]
pid | Process (consecutive identical rows collapsed as ×N)
4392 | 1O23T7.exe
1032 | e358c26441.exe (×7)
4584 | firefox.exe (×21)
1032 | e358c26441.exe (×4)
Suspicious use of SendNotifyMessage [31 IoCs]
pid | Process (consecutive identical rows collapsed as ×N)
1032 | e358c26441.exe (×7)
4584 | firefox.exe (×20)
1032 | e358c26441.exe (×4)
Suspicious use of SetWindowsHookEx [1 IoCs]
pid | Process
4584 | firefox.exe
Suspicious use of WriteProcessMemory [64 IoCs]
description | pid | Process | procid_target (consecutive identical rows collapsed as ×N)
PID 4044 wrote to memory of 4392 | 4044 | a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319N.exe | 83 (×3)
PID 4392 wrote to memory of 1416 | 4392 | 1O23T7.exe | 84 (×3)
PID 4044 wrote to memory of 468 | 4044 | a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319N.exe | 85 (×3)
PID 1416 wrote to memory of 4440 | 1416 | skotes.exe | 93 (×2)
PID 1416 wrote to memory of 1504 | 1416 | skotes.exe | 102 (×3)
PID 1416 wrote to memory of 1560 | 1416 | skotes.exe | 112 (×3)
PID 1416 wrote to memory of 1032 | 1416 | skotes.exe | 113 (×3)
PID 1032 wrote to memory of 1448 | 1032 | e358c26441.exe | 115 (×3)
PID 1032 wrote to memory of 4272 | 1032 | e358c26441.exe | 118 (×3)
PID 1032 wrote to memory of 3200 | 1032 | e358c26441.exe | 120 (×3)
PID 1032 wrote to memory of 2512 | 1032 | e358c26441.exe | 122 (×3)
PID 1032 wrote to memory of 1148 | 1032 | e358c26441.exe | 124 (×3)
PID 1032 wrote to memory of 3740 | 1032 | e358c26441.exe | 126 (×2)
PID 3740 wrote to memory of 4584 | 3740 | firefox.exe | 127 (×11)
PID 4584 wrote to memory of 4376 | 4584 | firefox.exe | 128 (×16)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree; the bracketed number is the depth the report gives each process, and the lines below each entry are its command line and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319N.exe (PID 4044)
    command line: "C:\Users\Admin\AppData\Local\Temp\a6181d18d9ce25c3c2e3dad8227fbe1d56a4c0dbf38e7245ec63388d16527319N.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1O23T7.exe (PID 4392)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1O23T7.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 1416)
        command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\1012911001\JoYUT4N.exe (PID 4440)
          command line: "C:\Users\Admin\AppData\Local\Temp\1012911001\JoYUT4N.exe"
          - Executes dropped EXE

      [4] C:\Users\Admin\AppData\Local\Temp\1012925001\14802906c9.exe (PID 1504)
          command line: "C:\Users\Admin\AppData\Local\Temp\1012925001\14802906c9.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        [5] C:\Windows\SysWOW64\WerFault.exe (PID 4628)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1584
            - Program crash

        [5] C:\Windows\SysWOW64\WerFault.exe (PID 2548)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1564
            - Program crash

      [4] C:\Users\Admin\AppData\Local\Temp\1012926001\0318ec5fac.exe (PID 1560)
          command line: "C:\Users\Admin\AppData\Local\Temp\1012926001\0318ec5fac.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Users\Admin\AppData\Local\Temp\1012927001\e358c26441.exe (PID 1032)
          command line: "C:\Users\Admin\AppData\Local\Temp\1012927001\e358c26441.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\taskkill.exe (PID 1448)
            command line: taskkill /F /IM firefox.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\taskkill.exe (PID 4272)
            command line: taskkill /F /IM chrome.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\taskkill.exe (PID 3200)
            command line: taskkill /F /IM msedge.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\taskkill.exe (PID 2512)
            command line: taskkill /F /IM opera.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\taskkill.exe (PID 1148)
            command line: taskkill /F /IM brave.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3740)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4584)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4376)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2076 -parentBuildID 20240401114208 -prefsHandle 1996 -prefMapHandle 1988 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d4fb6c-fef5-46ed-b6d3-034bec2c640c} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" gpu

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2932)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2484 -prefMapHandle 2480 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6bfc991-c7b1-492d-aac0-3871c2c3992a} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" socket

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2492)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb7cee0a-4745-4674-8e6d-02adf3c0513a} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4536)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1692 -childID 2 -isForBrowser -prefsHandle 1280 -prefMapHandle 2656 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84c30fdb-8af1-426e-895f-405da4dc614a} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 6084)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4752 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19f7e6a5-c67b-43d2-aa0b-6a21217fe6ae} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" utility
                - Checks processor information in registry

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4576)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d392a361-5d98-4f54-ae30-90cdd9bd4149} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2812)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5520 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c668aea9-68e7-43a3-b94f-d35d40c07d1a} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" tab

            [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4596)
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5780 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d366c3e-7726-46c5-8d48-edce45e9d13d} 4584 "\\.\pipe\gecko-crash-server-pipe.4584" tab

      [4] C:\Users\Admin\AppData\Local\Temp\1012928001\4b7991b093.exe (PID 7036)
          command line: "C:\Users\Admin\AppData\Local\Temp\1012928001\4b7991b093.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Windows security modification
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2k8223.exe (PID 468)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2k8223.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\SysWOW64\WerFault.exe (PID 1536)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1604
        - Program crash

    [3] C:\Windows\SysWOW64\WerFault.exe (PID 1172)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1592
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe (PID 1216)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 468 -ip 468

[1] C:\Windows\SysWOW64\WerFault.exe (PID 5072)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 468 -ip 468

[1] C:\Windows\SysWOW64\WerFault.exe (PID 2280)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1504 -ip 1504

[1] C:\Windows\SysWOW64\WerFault.exe (PID 2804)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1504 -ip 1504

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 4604)
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 1044)
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
Filesize23KB
MD57a9d260d886ee1dd560c713c9914e21f
SHA1c0c95c72f03a667ae8efc2070d7c683c284d5a33
SHA25661a60674fef4ac90db4e5bf475892597fe6f71125305336866ffed24d1e883f8
SHA5120092adf4bfcc55cb4cf73e28c2bdfa2d01cf141e60bf12007b9833a3797c207fbb6d7e5fb0348ce830d8c612ee0c0241069e09235e8035afe5531df9c6d2bc9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize14KB
MD566516db40ac90631df9f6569f8b2b0ab
SHA18ca2a0f9064478d6e8e562d5cc3781c589be6e99
SHA256a2c8bacacb114d8a3208ae09a610acf281d44ded488aa544761b160add8e1eb7
SHA512859ed1b4be2ec7592f7a67bbdca83ae529e74b9f3cf714beb3e536594c6da1dcc45107478ce3452248d1b3b9207601a8db1996ef766fa72cdf6ab7ea2e545620
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize6KB
MD5e842ac784a34d5909874d6c77c89fe88
SHA17ecc7f789d9b9fe54ab99795733c2d1c5d3ec4b9
SHA256a62facfeae8906d871e88c6ba8b2e210c773a57f0a9b8582bc53cff626c1b1ca
SHA5127466ba323b6cb94f14fe29f5f2b6e08e159f0f601abbfe4de5d11a213c62e064b2b0340d00b24c11614762d1d89acd3fb171f1eab4c46346f6a97b24dff0c237
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD5c31aa7afe0629542e9603b5e9c884ae7
SHA11c592c8dd344bd2efda0f219f41d1cc0be35ee12
SHA2561cbb71db753f88ef8c0ac3028da8da3275821f9c33e3483bae2d70b96ad45be0
SHA512a79ba13fedeceb6c7ce425e405f5ca2b2bd0a8180cbc3c6eab17ddb22e47e40b4aeff2a5037a67f7cb21dd7eaec3b5779bab6e864029761945ab1073b8ca8583
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD56de643ac266931375a90537948a07d49
SHA1f0ac659e36ed726debd379d5cd52ea568cfd9248
SHA2565280fd2d17e677e8944e9cab1891467aae339d1ae88766a7340206be9d2f8eab
SHA512a6caf9bfb5d1b8c351790bcf8a2faf5a8ceee920f257459369ec0a1eec156cbd38ee75cbed2661dcd447f0fd2d5458b7761271f13cbb564321d19fa6cde37050
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD50c1160e316455b3f2d28bee97ff68cfe
SHA19f79f78013c10e5907464d2bf8bd8c96c44bd10c
SHA256546ae6194d9644f637fcd41277b1fba313a6ec51cd6df045cf5578ee258fadd5
SHA512b0fa6d5657007da0d39b8497cda18e3106faac0f651f4654da4627004d378cd7f0a5c2f681b1d4284e0b455887745ec4bb784df5dc400488fed1e47687b70e95
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD544b5d121b3d245a1422234a22bc75ab4
SHA193dfe7a4d8a8e72035f17a867c39ff428d0c927d
SHA2568619520c280d7f8d574f0b25c6e7f1711b6b0fcdf6af9ac6278bf0b77f6b11ca
SHA51248c85615a3c7e868f0c3baa988ed5a6bf383fcf62a7736690a9701ea4e8ce867d01c15467a1e63252c65f2df159b655d656dde57b40fc263b8d5f854fb485c2a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD55c04c980ac88b50e80c3f51f8502189a
SHA1c82b33eb6ab190698c1aed903b938aed226f78fa
SHA256c15fe04c4c4f66d144b2077c3d7533331e7f81fc7a4fa0b39144cf839a10c086
SHA512ba96ec525dc14d417cd42c946ad704afa90acc5b37211bf4a3e423615b2848c82d1e3be53575c4a9007d8970411c752c408d2b4b15764d0b444c61f02d586b14
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD52c27cf88b7fda5ca28fdc063e6af972e
SHA13006f8bf3b867adba1137421e7c6be5e22474902
SHA25676b252aabaf1f3c322343e59064f145493f4d0b4073483d6290abcf93f82650a
SHA51265784f826bb09045d94a67961cad3fed5f80a1155e27558a87ae055ea424efa0f5cceb5c0f5056a247c037dc4c95bcadad831dedbe9fd598082a4c7122c03977
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5da08b1330f2300d029b250596489c49f
SHA1c992373e4cbc78286da7426c349c57047fad33d2
SHA256d570cdf5c9e7102e75ca1d42adbae95fc376b25004669312694c7d32bdaff461
SHA51237c220420ad2527db52c96ef5462ab62366a69386b9de341b46821e2236dae064c348c36b42d5ca9648e90b0096d6b541857ee814d11c4bac84ee5acfcb4db63
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\a7b2371e-d105-42b8-b5a8-29df91ab4e16
Filesize29KB
MD5ea9dc79aabac7ad63981cad7f0803bd1
SHA1ca5cc02535595c167efa2dd1f8eaac3dc5c03b51
SHA2566df250b770716f7420afa6064147f902c8ef5cc1a471934e75d98e9bf202b940
SHA512b3bc0d4e568c3eaf55b2383774ae5bf67a52253cc8a3ed09721a385edd19e403f449a2c02e9329319ed3c968b1519877ff8912a263517e509c58f7308312b677
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\c4f535ce-1658-4fb4-b8aa-03934fcfa7c9
Filesize982B
MD5a98cf6ea6cd75b8876ac35bab2d84210
SHA19d0ccd9188ee530cf89a24468f5a8df8b2598a57
SHA256f78b615df6a0320c2b49a7c92e1c88b31dd85cd25cc09b9448c1a1b898795828
SHA5120758674179221124edd9266f43578a952d1cfe3dc51e2961def7111580ee657c5c038e208e91eedd726cb802511b692e75080088c6c333eec193633765452b91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\c63fd733-a5c0-4831-a315-dbefe8c75e4f
Filesize671B
MD5ec873776e4af79a7083f1054b07d2799
SHA165e21039a3e53eb637550d35cf5e2afba0ab8234
SHA2563b04618ece88ae8e013b6d70527f2c124bc208a9c930c8baabf106d07ebea272
SHA5129c9b4638c45244ecbd067e4e21d09061f8ea98f9c3fd460bc7f5df68f03c737cc4b8d9177ac15a05b6dd91f5e52d069c8837904174e60a4c09b9d14abf7ce7c3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD55e65616f33af350f815e661a7edd3fe4
SHA12fd820136e4ca7766bca2b80ae78b25b52979661
SHA256bef7510a50fd0d874eb9ef6e6ca8e33377ef6862cc7da8bce854cdffa8e895bb
SHA512f92117ed975da915b78a9b2029cf15da8584393ce081b03044c079a1d56a91a6b920962617a83af9dcf63f42e2f76a71ecdda6c3520b5e3cc4be5c7581ac7fd4
-
Filesize
11KB
MD57f9c9b50b2d43161d6f717494159665a
SHA1eb3d3ea28e986d0fb5a2ded5c0245ad315faf47c
SHA2563a7b4221c2f4dc08723feeba11f01e72c513160985d16a6c28fa7f41fc9a5928
SHA512e216b2bdc38833b1907b01cb00e5a4abaf895c537d671a16eedbc97723653d9fc830a0ca50ad6dfd555c421ec4f99ef33f636a30504e3c8061c29327784ec868
-
Filesize
15KB
MD508b8795b136d32d1ab4834d6b643de65
SHA10390ab77f3d7473569231a2ce28b3018bbf3a166
SHA256bae26ab5f39ad9ae39217c57fce8763a33dd40674d012a957b311fde685a90cf
SHA51299545828521c8d362e47476b647ce2a22761dd19ee392415832ba9cdc8cfe14fadc29e1560d2d75ba2ab5ff179dbc7858d16fe9051c3a0c336e6d8e4ece11ead
-
Filesize
10KB
MD5ba2b82954e7202b8e98c1e17e819da43
SHA18b1a24e9953714a543062aff7d9aea90b435c8bb
SHA256e89a303877a7dcc323a843464fbea62a1f4a31419f83859c96f42b34c2410761
SHA5125b56e347df29f751d2999fa3ec5c970e5cfd72514c15ecd2ea40d9bba607f50d9b5a2469d8eeeef5fd2aae2251de738f883400eb2dc0e5b4e3f73f2171667a53