Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-12-2024 22:10
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241023-en
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
f5db9dcea4098275cb46b5d6fe73cef8
-
SHA1
9b623e4cfff93bffbaf7034ebbf893773700ba94
-
SHA256
34959918550ef8a11fe8e0ef9dde5f85f0dac541e62a2cad53998d4a0eb07d9d
-
SHA512
c68ddb34d1268d47f28f7b8e4ed7ac807b39424d09097aabc3274690d1f37bfc3615bdfb69acec1e8c08eee0a3ebbac6fcc99192441cf94ab4d7e14cb917b9c4
-
SSDEEP
49152:xiF3GbjN188C7PW+r5iGNWF79gUeKBlI3uv/zQKsE6d94/Ubd:xiF3UH8D7W+9iGNWhgBmi+vbpsjd94U
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
https://atten-supporse.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://drive-connect.cyou/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
https://atten-supporse.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 8a33f19e5b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 8a33f19e5b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 8a33f19e5b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 8a33f19e5b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 8a33f19e5b.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 8a33f19e5b.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a0aa6d1a22.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9217a2e9cf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f701961e91.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8a33f19e5b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8a33f19e5b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9217a2e9cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9217a2e9cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f701961e91.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a0aa6d1a22.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8a33f19e5b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f701961e91.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a0aa6d1a22.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 12 IoCs
pid Process 1160 skotes.exe 2660 cbc608fde4.exe 4504 cbc608fde4.exe 1324 cbc608fde4.exe 5116 skotes.exe 880 9217a2e9cf.exe 2348 f701961e91.exe 3224 a0aa6d1a22.exe 1740 a22d59f83b.exe 984 8a33f19e5b.exe 628 skotes.exe 4048 skotes.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine a0aa6d1a22.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 9217a2e9cf.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine f701961e91.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 8a33f19e5b.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine skotes.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 8a33f19e5b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 8a33f19e5b.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f701961e91.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013536001\\f701961e91.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0aa6d1a22.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013537001\\a0aa6d1a22.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a22d59f83b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013538001\\a22d59f83b.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8a33f19e5b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013539001\\8a33f19e5b.exe" skotes.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0009000000023cb9-125.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 4740 file.exe 1160 skotes.exe 5116 skotes.exe 880 9217a2e9cf.exe 2348 f701961e91.exe 3224 a0aa6d1a22.exe 984 8a33f19e5b.exe 628 skotes.exe 4048 skotes.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2660 set thread context of 1324 2660 cbc608fde4.exe 88 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
pid pid_target Process procid_target 1436 1324 WerFault.exe 88 1084 2348 WerFault.exe 99 396 2348 WerFault.exe 99 4272 2348 WerFault.exe 99 5536 880 WerFault.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cbc608fde4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9217a2e9cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f701961e91.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language a22d59f83b.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage a22d59f83b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0aa6d1a22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8a33f19e5b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cbc608fde4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a22d59f83b.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 640 taskkill.exe 4428 taskkill.exe 3712 taskkill.exe 2732 taskkill.exe 740 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 4740 file.exe 4740 file.exe 1160 skotes.exe 1160 skotes.exe 5116 skotes.exe 5116 skotes.exe 880 9217a2e9cf.exe 880 9217a2e9cf.exe 2348 f701961e91.exe 2348 f701961e91.exe 3224 a0aa6d1a22.exe 3224 a0aa6d1a22.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 984 8a33f19e5b.exe 984 8a33f19e5b.exe 984 8a33f19e5b.exe 984 8a33f19e5b.exe 984 8a33f19e5b.exe 628 skotes.exe 628 skotes.exe 4048 skotes.exe 4048 skotes.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 640 taskkill.exe Token: SeDebugPrivilege 4428 taskkill.exe Token: SeDebugPrivilege 3712 taskkill.exe Token: SeDebugPrivilege 2732 taskkill.exe Token: SeDebugPrivilege 740 taskkill.exe Token: SeDebugPrivilege 3964 firefox.exe Token: SeDebugPrivilege 3964 firefox.exe Token: SeDebugPrivilege 984 8a33f19e5b.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 4740 file.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 1740 a22d59f83b.exe 3964 firefox.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 3964 firefox.exe 1740 a22d59f83b.exe 3964 firefox.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe 1740 a22d59f83b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3964 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4740 wrote to memory of 1160 4740 file.exe 82 PID 4740 wrote to memory of 1160 4740 file.exe 82 PID 4740 wrote to memory of 1160 4740 file.exe 82 PID 1160 wrote to memory of 2660 1160 skotes.exe 83 PID 1160 wrote to memory of 2660 1160 skotes.exe 83 PID 1160 wrote to memory of 2660 1160 skotes.exe 83 PID 2660 wrote to memory of 4504 2660 cbc608fde4.exe 87 PID 2660 wrote to memory of 4504 2660 cbc608fde4.exe 87 PID 2660 wrote to memory of 4504 2660 cbc608fde4.exe 87 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 2660 wrote to memory of 1324 2660 cbc608fde4.exe 88 PID 1160 wrote to memory of 880 1160 skotes.exe 96 PID 1160 wrote to memory of 880 1160 skotes.exe 96 PID 1160 wrote to memory of 880 1160 skotes.exe 96 PID 1160 wrote to memory of 2348 1160 skotes.exe 99 PID 1160 wrote to memory of 2348 1160 skotes.exe 99 PID 1160 wrote to memory of 2348 1160 skotes.exe 99 PID 1160 wrote to memory of 3224 1160 skotes.exe 104 PID 1160 wrote to memory of 3224 1160 skotes.exe 104 PID 1160 wrote to memory of 3224 1160 skotes.exe 104 PID 1160 wrote to memory of 1740 1160 skotes.exe 107 PID 1160 wrote to memory of 1740 1160 skotes.exe 107 PID 1160 wrote to memory of 1740 1160 skotes.exe 107 PID 1740 wrote to memory of 640 1740 a22d59f83b.exe 108 PID 1740 wrote to memory of 640 1740 a22d59f83b.exe 108 PID 1740 wrote to memory of 640 1740 a22d59f83b.exe 108 PID 1740 wrote to memory of 4428 1740 a22d59f83b.exe 110 PID 1740 wrote to memory of 4428 1740 a22d59f83b.exe 110 PID 1740 wrote to memory of 4428 1740 a22d59f83b.exe 110 PID 1740 wrote to memory of 3712 1740 a22d59f83b.exe 112 PID 1740 wrote to memory of 3712 1740 a22d59f83b.exe 112 PID 1740 wrote to memory of 3712 1740 a22d59f83b.exe 112 PID 1740 wrote to memory of 2732 1740 a22d59f83b.exe 114 PID 1740 wrote to memory of 2732 1740 a22d59f83b.exe 114 PID 1740 wrote to memory of 2732 1740 a22d59f83b.exe 114 PID 1740 wrote to memory of 740 1740 a22d59f83b.exe 116 PID 1740 wrote to memory of 740 1740 a22d59f83b.exe 116 PID 1740 wrote to memory of 740 1740 a22d59f83b.exe 116 PID 1740 wrote to memory of 4412 1740 a22d59f83b.exe 118 PID 1740 wrote to memory of 4412 1740 a22d59f83b.exe 118 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 4412 wrote to memory of 3964 4412 firefox.exe 119 PID 3964 wrote to memory of 952 3964 firefox.exe 121 PID 3964 wrote to memory of 952 3964 firefox.exe 121 PID 3964 wrote to memory of 952 3964 firefox.exe 121 PID 3964 wrote to memory of 952 3964 firefox.exe 121 PID 3964 wrote to memory of 952 3964 firefox.exe 121 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\1013509001\cbc608fde4.exe"C:\Users\Admin\AppData\Local\Temp\1013509001\cbc608fde4.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\1013509001\cbc608fde4.exe"C:\Users\Admin\AppData\Local\Temp\1013509001\cbc608fde4.exe"4⤵
- Executes dropped EXE
PID:4504
-
-
C:\Users\Admin\AppData\Local\Temp\1013509001\cbc608fde4.exe"C:\Users\Admin\AppData\Local\Temp\1013509001\cbc608fde4.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 12565⤵
- Program crash
PID:1436
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013535001\9217a2e9cf.exe"C:\Users\Admin\AppData\Local\Temp\1013535001\9217a2e9cf.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:880 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 5764⤵
- Program crash
PID:5536
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013536001\f701961e91.exe"C:\Users\Admin\AppData\Local\Temp\1013536001\f701961e91.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2348 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 14884⤵
- Program crash
PID:1084
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 14684⤵
- Program crash
PID:396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 15164⤵
- Program crash
PID:4272
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013537001\a0aa6d1a22.exe"C:\Users\Admin\AppData\Local\Temp\1013537001\a0aa6d1a22.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3224
-
-
C:\Users\Admin\AppData\Local\Temp\1013538001\a22d59f83b.exe"C:\Users\Admin\AppData\Local\Temp\1013538001\a22d59f83b.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3712
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e1d6152-4242-455f-bac5-72a2047abe0e} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" gpu6⤵PID:952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2484 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69bd0d99-2e61-4471-9ede-8f9649663dce} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" socket6⤵PID:2500
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3020 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0ac2b7c-d900-45f7-8a28-d37947000e45} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab6⤵PID:1960
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3932 -childID 2 -isForBrowser -prefsHandle 4028 -prefMapHandle 4024 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a09286d4-3ecd-4ca0-ba59-396920fee270} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab6⤵PID:2324
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b2a6239-a933-4367-9730-0a84161bb793} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" utility6⤵
- Checks processor information in registry
PID:4276
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b3e3542-d4d5-4bc6-ad98-65c79b771e86} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab6⤵PID:1952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5764 -prefMapHandle 5760 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1986a201-4667-441d-91ad-0853db5ed3e8} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab6⤵PID:1436
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5904 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aed441f-33a1-4e0c-9d9f-7e35be1dd8d0} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab6⤵PID:4244
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013539001\8a33f19e5b.exe"C:\Users\Admin\AppData\Local\Temp\1013539001\8a33f19e5b.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1324 -ip 13241⤵PID:628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2348 -ip 23481⤵PID:232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2348 -ip 23481⤵PID:4488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2348 -ip 23481⤵PID:4864
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 880 -ip 8801⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:628
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4048
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
Filesize19KB
MD522283d7c773b4d7f539a477a5801a473
SHA17061d674e6a942ca40865458a98472732a986b96
SHA256f4bb4c87c298982d8f9d2ef686d3736320e73facd75e5a8037617c25c3dc056f
SHA512b1357abb3d439ba8a789ea3e60cc67cb9f1179be48a106b6e8ba92b409a07b0f4340d702cb341bac2b863fcae68e7594427d44d32477fcb1d9febcf9f49a5cb7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD54558d3b8f7d267fb0b2ba487bc9521bf
SHA109f450393b683c1faa4b99f34f431bd19589df78
SHA2563cd14dc0d8171eaccca5753ed590c933dbd6b990770ba8309aa57a36b4815a7c
SHA5122fb931bb6c2870aef780d0dadd39b9714f11f27da3f969535e541dc5aa60e842eb3f0404bdb9578c3bbe542eaa10a9597a112f8bcdd697465eaf6e953ed5d8a2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize9KB
MD5375fe418490373d4bc4815daf7427224
SHA1452f71a78e23064be89940ed73a40fb2d271a4bf
SHA2569478f0922ace27fb81434a5959b0374271e5a003e64cf973f748b2859cce3f75
SHA5121457e0b90c823007904dccc5a4de3cedffcefd89ff7ac86aa91d88ec728967e9b0a2b1339c9b92563f360243bb8f82af0a7f55bf5ccd64427dccf02820b2ef9d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
809KB
MD59a2cc9d6c6282e7b2a0ff5649a70b0df
SHA199c7c3969c9ab39261b59f047514ff7de2bc4c07
SHA256b08f2b65885b9ae1825d27ddf6dc9189641e0f8817999f4386da55ffcc548287
SHA512b61aa465d601a75426129b2096e900c008faeee6d67b729bf3b2fdeef6957934e9bba7353ad55b499c2722f5381c9cc684f867e4c2b7958e743d1a459eae88d7
-
Filesize
1.9MB
MD508efa0bf248584557641dc5db156248e
SHA18b64a7d0ea9af4524e7be713ba22ab0191528403
SHA25615df6347f76b4d0c86e07c4482e0b81b119265a4dd71f2c729c6bcc59e1cfa9b
SHA5123880c4bb59d0a00be445c3571efb0fbcd679b982d86ed88574f51b788c917f943f10cd71a35ac4389f1b320f6947a15feabd1a5d206bb7be88e8c77990e89add
-
Filesize
1.8MB
MD552f0f216dfbb86683b1e318a0796dd81
SHA12e2b8710e0a077ed8a2124fde2486f397857b8f6
SHA2561d95373c2284b657b614f07051eed5fed72f34f787350409e49e8dc30a5ea494
SHA512bf3bff59a42e2d10238306fe34f072c14bd482cac5c20563987a27174bf304a06cfc9c0b3914254f17695d80b006261b29ea025e2b31324ca3caeedf3da211cb
-
Filesize
1.7MB
MD5cbf2b84f9b993a77c0e2170cccbacb7c
SHA133fdf37b3a3f1394edc5d64c0952064b7f4177ea
SHA2569c9687e8c61b784d08f6d80853666faa0884043ce7b99f4fb3676f3bc563c2f5
SHA51233fc97ad5723e42c856e8797877e2cfb8a6afb48718834dbc4efc3407cf96499844910eff60d60270f72ed288ca7c05552287283ff412f0901739ec9c19ef2d1
-
Filesize
946KB
MD531e83117e3f9c52a9c42bf3b2ab06016
SHA18583f8f8a3264a01dd9991a0f1e0275c0a26f83a
SHA2567eed919e39fe9d07c7a3119281e6e261bed4c4769c451101f72e005a04e11078
SHA51293295bcfcbae4b055d5124aead7d07510fbb44fa8af8f54cf0eea6471e2e0c8d74c3b3880e190dfc153e60d7f5a58147672d3f08dbf39167600cb54fa8fb1476
-
Filesize
2.7MB
MD58ac4a1b0cc739478c779d0909f664099
SHA1b90363c3750ab3ac2cd36d18356108c8be3b647a
SHA256afa4fd51e40bd644b329f993a157df79194ac9820100c3378dacb674dc63ee2c
SHA51228afa024a71aefb0491a4af9d328747dab6c1682cb4a9746e3b01fbc5e610063acf186b6cfcb493491e0e24863dcfaff2f6765d69ab71eb8f28a6c40acf2e8a1
-
Filesize
3.1MB
MD5f5db9dcea4098275cb46b5d6fe73cef8
SHA19b623e4cfff93bffbaf7034ebbf893773700ba94
SHA25634959918550ef8a11fe8e0ef9dde5f85f0dac541e62a2cad53998d4a0eb07d9d
SHA512c68ddb34d1268d47f28f7b8e4ed7ac807b39424d09097aabc3274690d1f37bfc3615bdfb69acec1e8c08eee0a3ebbac6fcc99192441cf94ab4d7e14cb917b9c4
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize6KB
MD5b8c1a3eb8dbddd491d2fa2d7fa66e1cd
SHA1f6aa2268bd018eb53642b7c8074e705af9275d1a
SHA256e7f300a6d9b4b249ba10de278c1c9d0667dcef57d8757053172ad926a33943b4
SHA512730867ed7bd95f36799d67012328c7601dd771ff40c6fd862aef6bfe67fc3c3bec1656cf73f5400526e02dc4840f3347257b1373727bc492b40be6c4f6e13e34
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize7KB
MD52d22449c497f2312a2b5730d89d9f377
SHA151bdd77e26b0842cc486493d80aa2b1c9faec549
SHA2562844247640d74339592bd1674ce9810d8fa1126d6b068f0512313c510caaf51a
SHA512cc6cfa1781f52c4632ea9ad589d8d0f184541e89159929f03b6deadbcc7b77c2f5339422fbbbdd9379e9234fc1e433661e1f6dcc90ae38a1733f953c662d6ef4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize10KB
MD5f9b759da0cabc38a11e0ded9b5564462
SHA13eebc39d50380622d642a3934a7c9ec610201460
SHA256410d039d965362aeb2e069031d14f25e98b1830db070f59f15b88a91ebb1f78f
SHA512e2e9f30f4b32799df4c1661f1d95c674b2e5613cb873c15a856e960ddc747590a4792b8eaa7629c929fb6a1257b64c5bb798711c4dcc5ee691506804db84522b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize17KB
MD5eb5cb2f89d2b108be458720326aa9eaf
SHA16ba2b63cc4e3421422814bc3d9239fb7b1cd6a76
SHA2566bccce18470fb072215ecf865f5f5ce76d2152b8c9b96ded881a7d9e4e8b626a
SHA512c4326807785615833457ebfdd8dd08d2875fff4c4cebffaa146c10158375425ece361c5b8ad82750cf110495b62c50f247ffdaa7fb5698dd51fa37067c059959
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5697473c32d2fb06278ffa8b1ccab0842
SHA1094a6b5a69e593a1604049064d81198cbf0e50ba
SHA256dad3c67cd8374367e856c926060f6ab761f96a86c2dc21fa3607006e32f1925b
SHA51298f20a109c3d62f10755bb08e574b6057d3613b9f387b203b8afc7e7e222a3bd17bc0b7f9302addf8bd4a977caa30180443b1b72020448416916cd45f0c59d4d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize28KB
MD52edf3b0ab63ee01d4a3780c60a3ab931
SHA18c9b5c9d1094583b6ea1dd2a6603afcd65315d8e
SHA256c80f85577ac0daefc4d2f182d934fbd489103dec53d4bd9e5d8d7b564212a510
SHA512ed2f784de31089a0df3b3d511fdfee7707dec1eace316c58ee6ce03b0af8fbd89b929e57276b10277450a920b1ddc62be6f12b5e617f393d6f07dff162d25de0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize28KB
MD551e323896e86336cbf9b47d9c75ff0f6
SHA1e1ae64c680e0ac45bf4635784d6aa1e5d59da095
SHA25603c9907f198735b77d9c245a372bb9e9bf8f29917f4e9f7e50daece594c482de
SHA5126affad904bef88faa881ffc43daee2b6740fba5941b336c41c61e98627359e75bc1cd48e54aa5ccb25a8209b18e10bec96f950132cc9861faddc7b3370c070ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5f3caffc0783df87cf967a0e50f587d3a
SHA1e38eb881b098dbedc3a4b5f39b92fb5779565fa4
SHA256511711cb6138cf8f66535614b188e656000b947ec37c7c4acbc072c23495d1ae
SHA512560327d23d4a7b7bbe6efc0686ba4b0f7447f4ffd466b899fc6c8b6e839993bf1e123faba534b7269ef24ea108fb1a57ba1620b0c7a512555843f4fc21b65866
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\8fcf2c80-b326-497a-960d-b8d477e2df0c
Filesize671B
MD5f3b2c327320ae29e0b2d0919d6b9e09d
SHA1f813f062c718ebd11ed6c8abf61a420f7b3052e9
SHA2560f9425cc3b04df277867af4f41d22760de04aa78a4844dd54d09c2a86e829aee
SHA5128e18cb7a943993264c0e2b755a06e89534ead216bcc7727a8abade56ef0224fb5aaf2bcd28c7de394f52cfb5cbf212a4ba753ac15b9283aee6d8d601297cfb92
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\acc3abbe-3b25-4571-a622-078264de99d1
Filesize26KB
MD56587a5e0a6453a6edeff447a13fd20d9
SHA10ecfc8f958b72a0b21c164df433877be36b2bb1c
SHA256cf2a342ddac5edbdd3ca6ee6f58bc06cf1805cde45d6010703e36df32cf91f9c
SHA512a92bbd5283b45606ef5542a4e90685f9cbec3f3675c9dc97517e20ab2512dbf579bd42d367e8f7d52428c78201c1732b7aece4d851415b0429c4aaf7426ae3e0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\f3ea54aa-07d1-408f-a86d-31a21eb6bbd4
Filesize982B
MD5184da7e2e587f217286dcc4bd7c05f5a
SHA1600616c09856b2586bc6a923a7925623712c4df7
SHA2562c9739406d1b54812cfbf3111ebf2396221a2791bfe79bafe954c9d7ae3e5b00
SHA512fd15c0a766bbe0a5fdc2d541029893b539bff4e3907eb49085a4689b0b068a3e69f4c080a4c188d0d6008f22b67c5fe2e5febac246b0b31644480ce0e0568863
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp
Filesize1KB
MD536e5ee071a6f2f03c5d3889de80b0f0d
SHA1cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA2566be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA51299b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize
13KB
MD5e66b22deed4aca845fb6ac78a36eb7a3
SHA131446d6455786a9b4b23f785ce768350ef73676c
SHA256c6b6b2a0c5f4a872552a14b5283d173ba80bb61276978f9e81c86c5a6c42dba5
SHA5123944bfcfdb810bdeda0cd9bdb7fab6ccdf1b46ed5a9ef3c9eba4f5028bba60ddbc1b81a4abdb03bd0f92f3e4b59a4ef6c08800f0745e227ddfe92209cdd55f9d
-
Filesize
10KB
MD5e4dab3d74845894a644a2bd51943ff35
SHA1e86aeb1ab888146a6d196f2739016cee446ac094
SHA256e81e68744f6f282163baa733fa0d36b330dbb5ac4351ceef4a148787e20ff5e9
SHA512c8e1668c4b04401236f5f80aef1d17fd57ce2d51d25d481f6fffca083d6d35caf090063a07afc7787ee0c881e1fab73b916527b24d506fb4c7ec38fa5aa434e0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize896KB
MD59a99aded13e427fe94cf2f47cc84d3ca
SHA1a6d0a3a7fffc27ec1eb48438b7ea476795256646
SHA25693a790b610f16f2ab9546260c0cfc78069cb1a30bdbc18b8790d7bafc5db1072
SHA5123e9b27ca43f7c34a45db1a7e54b3166168e86f0007cbe717dabfed7a4b65cf3a77f4d900e84b39a9d3e323ceb049939048977e00b0e00065431eaab03cd7b9cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize2.8MB
MD5fa3c0410393e86ab18c8acf9c29ed513
SHA1af01c2e469848faa14d378cd8b0c589a9e284b09
SHA25692dfcc00e0cb87180bd701643f02ef412c6dba6f59b05d391d75f6d37236b492
SHA5122e9511c3f05d0a36431b07cb830fd54e54615d3cc157ca2d3c95b1fa47f6ec20fcefe4d39ed20fb59a4f6863363aef739bb96cb09069ba001ea659b9ef4fae1d