Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 21:27
Static task: static1
General
Target: 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe
Size: 3.1MB
MD5: 9f55b56814015f22fb5a9068a1bac402
SHA1: 792bfa57fd0d50e1c004044f63cd8b71f7427858
SHA256: 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a
SHA512: 36ca2735c17bdbd72c86d4b7f0c38e6f70098c107840c17772f17f5235f03a4cafab1a8952b125509b68a3e49bc36bb1f58b63eb7f90d07c561f1ab0c8719933
SSDEEP: 98304:XUG+Xz5Bd651tNRcJFCdUO53E0bBviHQbF:XbQ7Jc3Zbk
Malware Config

Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php

Extracted: lumma
- https://impend-differ.biz/api
- https://print-vexer.biz/api
- https://dare-curbys.biz/api
- https://covery-mover.biz/api
- https://formy-spill.biz/api
- https://dwell-exclaim.biz/api
- https://zinc-sneark.biz/api
- https://se-blurry.biz/api
- https://atten-supporse.biz/api

Extracted: stealc
- stok
- http://185.215.113.206
- url_path: /c4becf79229cb002.php

Extracted: lumma
- https://atten-supporse.biz/api
- https://covery-mover.biz/api
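The extracted configs above give, per family, a C2 host and the request path the loader or stealer posts to. The Python below is an added example, not part of the report: it turns those configs into host and URL indicators (collapsing the overlapping Lumma extractions) and runs them over web-proxy log lines. The log format, timestamps and client addresses are constructed for the demo; everything else is copied from the configs as listed.

```python
"""Build network indicators from the extracted Amadey/Lumma/Stealc configs and
match them against proxy log lines."""
from typing import NamedTuple
from urllib.parse import urlsplit

# Configs as extracted on this page. Amadey and Stealc give a C2 host plus a
# request path; the two Lumma extractions give full URLs and overlap.
CONFIGS = [
    {"family": "amadey", "hosts": ["http://185.215.113.43"], "paths": ["/Zu7JuNko/index.php"]},
    {"family": "lumma", "hosts": [
        "https://impend-differ.biz/api", "https://print-vexer.biz/api",
        "https://dare-curbys.biz/api", "https://covery-mover.biz/api",
        "https://formy-spill.biz/api", "https://dwell-exclaim.biz/api",
        "https://zinc-sneark.biz/api", "https://se-blurry.biz/api",
        "https://atten-supporse.biz/api"]},
    {"family": "stealc", "hosts": ["http://185.215.113.206"], "paths": ["/c4becf79229cb002.php"]},
    {"family": "lumma", "hosts": ["https://atten-supporse.biz/api", "https://covery-mover.biz/api"]},
]

# Constructed proxy log lines for the demo: "<ts> <client> <method> <url> <status>".
# The last two lines are benign traffic and must not match.
SAMPLE_LOGS = """\
2024-12-10T21:28:01Z 10.0.0.5 POST http://185.215.113.43/Zu7JuNko/index.php 200
2024-12-10T21:28:03Z 10.0.0.5 GET http://185.215.113.43/ 200
2024-12-10T21:28:09Z 10.0.0.5 POST https://covery-mover.biz/api 200
2024-12-10T21:28:11Z 10.0.0.5 POST http://185.215.113.206/c4becf79229cb002.php 200
2024-12-10T21:28:15Z 10.0.0.5 GET https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd 200
2024-12-10T21:28:20Z 10.0.0.7 GET https://example.com/ 200
"""


def build_indicators(configs):
    """Return {(host, path): family}. A path of None means 'any request to host',
    which is what you want for Lumma, whose domains rotate but whose hosts are
    single-purpose; the exact (host, path) pair gives the higher-confidence hit."""
    indicators = {}
    for cfg in configs:
        for url in cfg["hosts"]:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            # Amadey/Stealc carry the path in a separate field; Lumma entries are full URLs.
            paths = cfg.get("paths") or ([parts.path] if parts.path else [])
            indicators.setdefault((host, None), cfg["family"])
            for p in paths:
                indicators[(host, p)] = cfg["family"]
    return indicators


class Hit(NamedTuple):
    ts: str
    client: str
    url: str
    family: str
    kind: str  # "url" = host and path matched, "host" = host only


def match_url(url, indicators):
    """Return (family, kind) for a URL, or None if no indicator matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in indicators:
        return indicators[(host, parts.path)], "url"
    if (host, None) in indicators:
        return indicators[(host, None)], "host"
    return None


def scan_logs(text, indicators):
    """Parse '<ts> <client> <method> <url> <status>' lines; return Hits in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash a scan over a big file
        ts, client, _method, url, _status = fields[:5]
        matched = match_url(url, indicators)
        if matched:
            hits.append(Hit(ts, client, url, matched[0], matched[1]))
    return hits


if __name__ == "__main__":
    inds = build_indicators(CONFIGS)
    print(f"{len({h for h, _ in inds})} unique C2 hosts")
    for hit in scan_logs(SAMPLE_LOGS, inds):
        print(f"{hit.ts} {hit.client} {hit.family:7s} ({hit.kind}) {hit.url}")
```

The host-only fallback is deliberate for this sample: Amadey's `url_paths` and Stealc's `url_path` are stable per build, but a different panel path on the same IP is still worth a ticket, and the Firefox kiosk URL later in the process tree points at a legitimate host and must not fire.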
Signatures

Amadey family
Gcleaner family
Lumma family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 72d19bfc65.exe

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 415d9bcab4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d22f82040c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dbf820ae40.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 72d19bfc65.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 16 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d22f82040c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 415d9bcab4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 415d9bcab4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dbf820ae40.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 72d19bfc65.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 72d19bfc65.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d22f82040c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dbf820ae40.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | skotes.exe

Executes dropped EXE (9 IoCs)
pid | Process
3576 | skotes.exe
3864 | 415d9bcab4.exe
2336 | 055284bf7d.exe
3532 | d22f82040c.exe
4836 | skotes.exe
3828 | dbf820ae40.exe
1836 | 0bdddf28cb.exe
5204 | 72d19bfc65.exe
3840 | skotes.exe

Identifies Wine through registry keys (2 TTPs, 8 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | d22f82040c.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | dbf820ae40.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 72d19bfc65.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 415d9bcab4.exe

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 72d19bfc65.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbf820ae40.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013819001\\dbf820ae40.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0bdddf28cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013820001\\0bdddf28cb.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72d19bfc65.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013821001\\72d19bfc65.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d22f82040c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013818001\\d22f82040c.exe" | skotes.exe
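Most of the signatures above are registry rows of the same shape: an operation, a key (optionally with a value), and the process that performed it. The Python below is an added example, not part of the report: it normalises such rows (HKLM/HKU prefixes, the per-user SID, the WOW6432Node redirection component) and runs a small rule set over them so that Defender policy tampering, the TamperProtection flag, Run-key persistence, the VirtualBox/BIOS/Wine probes and the Geo\Nation lookup come out as ATT&CK-tagged findings per process. The rows are a representative subset copied from the tables on this page; the rule names, severities and the "op | key | process" row layout are this example's own conventions.

```python
"""Classify registry IoC rows from a sandbox report into ATT&CK-tagged findings."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Representative rows copied from the signature tables on this page, written as
# 'op | key[ = "value"] | process'. The last row (Firefox reading CPU info) is
# there to show that ordinary reads do not fire any rule.
ROWS = r"""
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 72d19bfc65.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 72d19bfc65.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbf820ae40.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013819001\\dbf820ae40.exe" | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 415d9bcab4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | d22f82040c.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
"""


class Rule(NamedTuple):
    name: str
    technique: str
    severity: str
    ops: tuple            # operations the rule applies to
    key: str              # regex over the canonical (lower-cased, hive-abbreviated) key
    value: Optional[str]  # required value, or None


RULES = [
    Rule("Defender real-time protection disabled via policy", "T1562.001", "high",
         ("Set value (int)",),
         r"^hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\disable\w+$", "1"),
    Rule("Defender TamperProtection flag cleared", "T1562.001", "high",
         ("Set value (int)",),
         r"^hklm\\software\\microsoft\\windows defender\\features\\tamperprotection$", "0"),
    Rule("Run key persistence", "T1547.001", "medium",
         ("Set value (str)",), r"^hku\\software\\microsoft\\windows\\currentversion\\run\\", None),
    Rule("VirtualBox ACPI table probe", "T1497.001", "low",
         ("Key opened",), r"^hklm\\hardware\\acpi\\dsdt\\vbox__$", None),
    Rule("BIOS version query", "T1497.001", "low",
         ("Key value queried",), r"^hklm\\hardware\\description\\system\\(system|video)biosversion$", None),
    Rule("Wine registry probe", "T1497.001", "low",
         ("Key opened",), r"^hku\\software\\wine$", None),
    Rule("Geo/Nation lookup (geofencing)", "T1614", "low",
         ("Key value queried",), r"^hku\\control panel\\international\\geo\\nation$", None),
]


class Finding(NamedTuple):
    process: str
    rule: str
    technique: str
    severity: str
    key: str
    value: Optional[str]


ROW_RE = re.compile(r'^(?P<op>[^|]+?) \| (?P<key>.*?)(?: = "(?P<val>.*)")? \| (?P<proc>\S+)$')


def canonical_key(key):
    """Abbreviate hives, drop the per-user SID, and strip the WOW64 redirection
    component so one rule matches the same key from 32- and 64-bit processes."""
    k = key.lower()
    k = re.sub(r"^\\registry\\user\\s-1-5-21-[\d-]+", "hku", k)
    k = re.sub(r"^\\registry\\machine", "hklm", k)
    return k.replace("\\wow6432node", "")


def classify(rows_text):
    """Apply RULES to each parsed row; return Findings in row order."""
    findings = []
    for line in rows_text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a registry row in the expected layout
        op, key, val, proc = m.group("op", "key", "val", "proc")
        ck = canonical_key(key)
        for r in RULES:
            if op in r.ops and re.search(r.key, ck) and (r.value is None or val == r.value):
                findings.append(Finding(proc, r.name, r.technique, r.severity, key, val))
    return findings


def techniques_by_process(findings):
    """Collapse findings to {process: set(technique)} for a triage summary."""
    out = defaultdict(set)
    for f in findings:
        out[f.process].add(f.technique)
    return dict(out)


if __name__ == "__main__":
    found = classify(ROWS)
    for f in found:
        print(f"{f.severity:6s} {f.technique:10s} {f.process:16s} {f.rule}")
    print(techniques_by_process(found))
```

The value check matters: a rule that fires on any write to `DisableRealtimeMonitoring` would also fire on a GPO that sets it back to 0. The Key created row for the Real-Time Protection policy key deliberately produces no finding on its own; the Set value rows that follow it are the evidence.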
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0009000000023c49-156.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
pid | Process
3028 | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe
3576 | skotes.exe
3864 | 415d9bcab4.exe
3532 | d22f82040c.exe
4836 | skotes.exe
3828 | dbf820ae40.exe
5204 | 72d19bfc65.exe
3840 | skotes.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3448 | 3864 | WerFault.exe | 91

System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 0bdddf28cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 415d9bcab4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d22f82040c.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 0bdddf28cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0bdddf28cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 055284bf7d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbf820ae40.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 72d19bfc65.exe

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe

Kills process with taskkill (5 IoCs)
pid | Process
4540 | taskkill.exe
2056 | taskkill.exe
1088 | taskkill.exe
3664 | taskkill.exe
4472 | taskkill.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process | rows
3028 | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe | 2
3576 | skotes.exe | 2
3864 | 415d9bcab4.exe | 2
3532 | d22f82040c.exe | 2
4836 | skotes.exe | 2
3828 | dbf820ae40.exe | 2
1836 | 0bdddf28cb.exe | 4
5204 | 72d19bfc65.exe | 5
3840 | skotes.exe | 2

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4540 | taskkill.exe
Token: SeDebugPrivilege | 2056 | taskkill.exe
Token: SeDebugPrivilege | 1088 | taskkill.exe
Token: SeDebugPrivilege | 3664 | taskkill.exe
Token: SeDebugPrivilege | 4472 | taskkill.exe
Token: SeDebugPrivilege | 2080 | firefox.exe
Token: SeDebugPrivilege | 2080 | firefox.exe
Token: SeDebugPrivilege | 5204 | 72d19bfc65.exe

Suspicious use of FindShellTrayWindow (33 IoCs)
pid | Process | rows
3028 | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe | 1
1836 | 0bdddf28cb.exe | 11
2080 | firefox.exe | 21

Suspicious use of SendNotifyMessage (31 IoCs)
pid | Process | rows
1836 | 0bdddf28cb.exe | 11
2080 | firefox.exe | 20

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2080 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each row is "PID <pid> wrote to memory of <target pid>"; the sandbox logs several writes per child, so identical rows are collapsed here with a count.
pid | target pid | Process | procid_target | rows
3028 | 3576 | 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe | 83 | 3
3576 | 3864 | skotes.exe | 91 | 3
3576 | 2336 | skotes.exe | 97 | 3
3576 | 3532 | skotes.exe | 99 | 3
3576 | 3828 | skotes.exe | 106 | 3
3576 | 1836 | skotes.exe | 112 | 3
1836 | 4540 | 0bdddf28cb.exe | 114 | 3
1836 | 2056 | 0bdddf28cb.exe | 116 | 3
1836 | 1088 | 0bdddf28cb.exe | 118 | 3
1836 | 3664 | 0bdddf28cb.exe | 120 | 3
1836 | 4472 | 0bdddf28cb.exe | 122 | 3
1836 | 3556 | 0bdddf28cb.exe | 124 | 2
3556 | 2080 | firefox.exe | 125 | 11
2080 | 3328 | firefox.exe | 126 | 18
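The WriteProcessMemory rows above are effectively the process-creation log: CreateProcess itself writes into every new child, so each spawn produces a few identical rows, and collapsing them by (parent, child) yields the parent/child tree that the Processes section renders. The Python below is an added example, not part of the report: it parses a subset of those rows (two edges left duplicated to show the collapse), names child PIDs from the process list on this page, and rebuilds the tree, the lineage of a given PID and the children spawned by a given image. The row text is copied from the report; the rendering layout is this example's own.

```python
"""Rebuild the process tree from the 'wrote to memory of' rows of a sandbox report."""
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Subset of the WriteProcessMemory rows on this page, in log order. The first and
# the (3556 -> 2080) edge are kept duplicated as they appear in the report.
WPM_ROWS = """
PID 3028 wrote to memory of 3576 3028 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe 83
PID 3028 wrote to memory of 3576 3028 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe 83
PID 3028 wrote to memory of 3576 3028 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe 83
PID 3576 wrote to memory of 3864 3576 skotes.exe 91
PID 3576 wrote to memory of 2336 3576 skotes.exe 97
PID 3576 wrote to memory of 3532 3576 skotes.exe 99
PID 3576 wrote to memory of 3828 3576 skotes.exe 106
PID 3576 wrote to memory of 1836 3576 skotes.exe 112
PID 1836 wrote to memory of 4540 1836 0bdddf28cb.exe 114
PID 1836 wrote to memory of 2056 1836 0bdddf28cb.exe 116
PID 1836 wrote to memory of 1088 1836 0bdddf28cb.exe 118
PID 1836 wrote to memory of 3664 1836 0bdddf28cb.exe 120
PID 1836 wrote to memory of 4472 1836 0bdddf28cb.exe 122
PID 1836 wrote to memory of 3556 1836 0bdddf28cb.exe 124
PID 3556 wrote to memory of 2080 3556 firefox.exe 125
PID 3556 wrote to memory of 2080 3556 firefox.exe 125
PID 2080 wrote to memory of 3328 2080 firefox.exe 126
"""

# pid -> image, from the process list on this page. A row only names the writing
# (parent) process, so child images have to come from here.
NAMES = {
    3576: "skotes.exe", 3864: "415d9bcab4.exe", 2336: "055284bf7d.exe",
    3532: "d22f82040c.exe", 3828: "dbf820ae40.exe", 1836: "0bdddf28cb.exe",
    4540: "taskkill.exe", 2056: "taskkill.exe", 1088: "taskkill.exe",
    3664: "taskkill.exe", 4472: "taskkill.exe",
    3556: "firefox.exe", 2080: "firefox.exe", 3328: "firefox.exe",
}


class Edge(NamedTuple):
    parent: int
    child: int
    parent_image: str
    target_id: int  # the sandbox's own process index (procid_target)


# The writer's pid is repeated after the target pid; \1 enforces that.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    return [Edge(int(p), int(c), img, int(t)) for p, c, img, t in ROW_RE.findall(text)]


class Tree(NamedTuple):
    children: dict   # parent pid -> child pids, first-seen order
    parents: dict    # child pid -> parent pid
    writes: Counter  # (parent, child) -> number of logged writes
    names: dict      # pid -> image
    roots: list      # pids never seen as a child


def build_tree(edges, names):
    children, parents, writes = defaultdict(list), {}, Counter()
    names = dict(names)
    for e in edges:
        names.setdefault(e.parent, e.parent_image)
        writes[(e.parent, e.child)] += 1
        if e.child not in parents:  # collapse repeated writes into one edge
            parents[e.child] = e.parent
            children[e.parent].append(e.child)
    seen = list(dict.fromkeys([e.parent for e in edges] + [e.child for e in edges]))
    return Tree(dict(children), parents, writes, names, [p for p in seen if p not in parents])


def lineage(tree, pid):
    """Ancestor chain from the root down to pid."""
    chain = [pid]
    while chain[-1] in tree.parents:
        chain.append(tree.parents[chain[-1]])
    return chain[::-1]


def children_of_image(tree, image):
    """Images of every child spawned by any process running `image`."""
    out = []
    for pid, name in tree.names.items():
        if name == image:
            out += [tree.names.get(c, "?") for c in tree.children.get(pid, [])]
    return out


def render(tree):
    """Indented one-line-per-process view, with the collapsed write count per edge."""
    lines = []

    def walk(pid, depth):
        label = f"{tree.names.get(pid, '?')} ({pid})"
        if pid in tree.parents:
            label += f" [{tree.writes[(tree.parents[pid], pid)]} writes]"
        lines.append("    " * depth + label)
        for c in tree.children.get(pid, []):
            walk(c, depth + 1)

    for r in tree.roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    t = build_tree(parse_rows(WPM_ROWS), NAMES)
    print("\n".join(render(t)))
    print("0bdddf28cb.exe spawned:", children_of_image(t, "0bdddf28cb.exe"))
```

`children_of_image` is the query worth keeping around: for this sample it returns five `taskkill.exe` children followed by `firefox.exe`, which is the "kill every browser, then relaunch one in kiosk mode on a sign-in page" sequence visible in the Processes section, expressed as a single tree-shaped condition rather than as five separate taskkill hits.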
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Depth in brackets; children are indented under their parent.)

[1] C:\Users\Admin\AppData\Local\Temp\3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe (PID 3028)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 3576)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\1013816001\415d9bcab4.exe (PID 3864)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1013816001\415d9bcab4.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\WerFault.exe (PID 3448)
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1524
                - Program crash

        [3] C:\Users\Admin\AppData\Local\Temp\1013817001\055284bf7d.exe (PID 2336)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1013817001\055284bf7d.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\1013818001\d22f82040c.exe (PID 3532)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1013818001\d22f82040c.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\AppData\Local\Temp\1013819001\dbf820ae40.exe (PID 3828)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1013819001\dbf820ae40.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\AppData\Local\Temp\1013820001\0bdddf28cb.exe (PID 1836)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1013820001\0bdddf28cb.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\taskkill.exe (PID 4540)
                cmdline: taskkill /F /IM firefox.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe (PID 2056)
                cmdline: taskkill /F /IM chrome.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe (PID 1088)
                cmdline: taskkill /F /IM msedge.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe (PID 3664)
                cmdline: taskkill /F /IM opera.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\taskkill.exe (PID 4472)
                cmdline: taskkill /F /IM brave.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3556)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                - Suspicious use of WriteProcessMemory

                [5] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2080)
                    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    - Checks processor information in registry
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3328)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d06d37a-bbbb-4a18-abc4-5ecc29539d4a} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" gpu

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2776)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60327a7d-f9d7-4353-9c34-3c1fbcdc175d} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" socket

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5064)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2828 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a92d22e4-462e-4973-b76b-774f675c8c1a} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" tab

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4756)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4136 -childID 2 -isForBrowser -prefsHandle 4176 -prefMapHandle 4172 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {320c4436-8358-4e51-8309-2ba8c98ba9c0} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" tab

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3448)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1552 -prefMapHandle 4848 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50ec9e1c-6a42-4336-8a9b-6255136a319f} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" utility
                        - Checks processor information in registry

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5928)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 4032 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec80d2e5-03a4-4ff5-a75f-4deeff3c0640} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" tab

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5952)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cbcee1-fbea-4557-b348-0b8181f8bc05} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" tab

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5964)
                        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5728 -prefMapHandle 5636 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2dab3b4-31ba-4109-9fd6-f91f70dfdaa7} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" tab

        [3] C:\Users\Admin\AppData\Local\Temp\1013821001\72d19bfc65.exe (PID 5204)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1013821001\72d19bfc65.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Windows security modification
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 4836)
    cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3948)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3864 -ip 3864

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 3840)
    cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads

Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
Filesize: 19KB
MD5: 1f1358a884fb3e3ddd2c1a0f50b4360f
SHA1: 5942d35f5eb5a1347d4834dc5c3a54728ff5c33f
SHA256: 643e9204dc6676f80e602f9990cac8780e4c2b893070380ecd3a73fa7d3c8911
SHA512: 9e6e01fc2b89180490333a63a7ca618e5d13c6cc7ae3df35152638b65e47b5e2c45edd4057c88937c7bd41fe3b4a94e8b249215a0a0b471ff62c73fad53c106b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize: 13KB
MD5: a3f96cdfcface89429734f6c05f66167
SHA1: f6e2f451e8276d076dec67171c94080c10b243f0
SHA256: e64d9add20e3928198895de52ae13fe1d654f54658995224410c806e85ea5e0f
SHA512: f5601f98489d20581501ea605e823dff04f5dedb2707a0872e5fb9d6d00167c1e796d87fea9eb4d31a2075447c21e98be761c3202f693165f63e23d71fa28242

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Filesize: 1.9MB
MD5: fcf0bc8b1fa8d11d7b4deb6d36984b04
SHA1: 68adab1a3267460eef1969d6e8b8a573c2f8213e
SHA256: ab9d97632285feeeb86e9cb6cb54513704469d3b5eb6501b27a07f0215d2a00a
SHA512: 89116a34ade27747f1915643761bc071df8b00227cfd56633e54278c1d07991b25b9766c71ca359ed9ffb3439f5c2b7ec4d96b891c9c0b91c167afc167f2951c

Filesize: 2.5MB
MD5: 2a78ce9f3872f5e591d643459cabe476
SHA1: 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256: 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512: 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

Filesize: 1.7MB
MD5: 90dce1932dcde8d949d1db24db4f8435
SHA1: 1bfe974d937500266c7aa9b11ca7c6b84d61d060
SHA256: c69cbf09846c2784e868d9bf59fe7f99345cf5d6d27fcbb4c8e7900e3f5e0869
SHA512: cdb75fbe28983f84d03be6257ebbbc888202e6b13f0174bfa165149ec6332e8163338f30a10ef7941c960b5534ae9d6bdc7ec778aab811e001138cd814b088be

Filesize: 1.7MB
MD5: 940119fb4a1811bf4b96148780249480
SHA1: 10aa2e4f4f3274f0e3565058e61a99e2d5d01480
SHA256: b01ded9a55443ccdc5f4f883197cf5ccbcaea96733d172f70e1c8c94fd8af6e7
SHA512: 006b24a4f63305d923e1f8455f751f85786e41300b5abf5c45900b23c643f60b3a61e05f8b851f65876b5c3e5cddda51a4e1fde00de65e2c7f411f9fe2819c71

Filesize: 948KB
MD5: 27e9770fd075f0b6b7dfaea7e2043da1
SHA1: 1c9d1440bbf6b36e85145a3c2578aa49a890c993
SHA256: f84e4d6470b21157ca301546ef52fa10c7576c4de5e92a400871f6d83547083e
SHA512: 9d46e085894007c8daae660c3a04615cc5a57aa3dc1977dacabf4137eabaf7d841959c84b6f37d9870e06ef28658524b67091a78b862ea6124448fdac633bfce

Filesize: 2.7MB
MD5: 6778d98b1d0e2d91d94e691ace705063
SHA1: 8aa1fd9243c2dc618d1e7c227126c0b20d00f008
SHA256: 797f94d207c02e3a8ddda00c3522547254e5ee69bbe2f39821ef8a3d9b4e6aef
SHA512: 512f725d9b2db551adc60d23b6a1eeb3bf3249b640d651916cec482cafd3a418ce9363a1168beb1a6719abf67813a03dadfcf74efce411805c1653eee627b062

Filesize: 3.1MB (the submitted sample; hashes match the General section)
MD5: 9f55b56814015f22fb5a9068a1bac402
SHA1: 792bfa57fd0d50e1c004044f63cd8b71f7427858
SHA256: 3cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a
SHA512: 36ca2735c17bdbd72c86d4b7f0c38e6f70098c107840c17772f17f5235f03a4cafab1a8952b125509b68a3e49bc36bb1f58b63eb7f90d07c561f1ab0c8719933

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 846eb3a90235abc572f1e979f2455afa
SHA1: ee894542635905db72e02f262fd08dbfb3277f48
SHA256: f5b5878dc9eef5433d0085610d3941aa824b6df5c6828a3c5a6cde3e412af9f6
SHA512: cfad28b59809556cdf0e7d4ea10cac429adb25f4c6bfdb7f29660bd68680fbbae57ccb50b0555a4381d3cb816362ec44364368aaa0b2369bc2cacba097307eb4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize: 11KB
MD5: c916fe6f4da699e67dad7281dce9a476
SHA1: ae548053728f2be822c26a11295d9468a41e9386
SHA256: 46af631dc808af8ad8758c1cd690573fbb17009e990dd40e4a5052d0ecd257ee
SHA512: 9258c8906ef52fea5f9822e4312fa64d608a244c74ffe2365234842fb46e2f09f88a0ed8e058c654ceecf0cafc0002e901dfd8f916a3b66e1312e933eafb301b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 3KB
MD5: 7bada19123d9b289d8153fa78840c415
SHA1: 815a5b60dbd86bbe3e41e591d97b437a9fdf18c2
SHA256: d28d3fba9b11456f5e96b32136c01257a5cc51d47881f45ed7bdca05585354c2
SHA512: a41d40d1601f243b6aaae8531bb16bf9006f147f46667c83b56d299f3bc2b82a916c83121024d4f524b82e9df8fd46e9b65ac491290d317c610fef501d8665ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 2f8ec25b5d0989f90a3bbc532d72b3b2
SHA1feade9e7da168fbb4bd55df6e4a09344145a3247
SHA256ace40d016260d1ee258c6aff5fa4025f90561a5a88d28f0c84696a9882bd4fef
SHA512a1332336f89fe53410473dc108f74eebac624b8ec6c0496590f714f4df780aa4faa4c755b59376cb45419cfc96ea46df4deb8532ebfcc010343e678c9bfa6e55
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD53ba83a4f6aaef2cade8fa9d0b44bc368
SHA1291e465fc9fa1c2536ca6854722f98c2518d8b0d
SHA256281b524b5c40813905c3fe07b1fc7b43fefc8b785f32d17aad6d2fc21a411a4e
SHA512adb3447de3ea866c0b645fd412ac8da0f22f8ec20c9a27a4e2c1331083a7fa4090ae437ad931a2581ae7d619c278012d43f1f671b4ac93f053b5ca7b60033fd0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD51f5753315b507b18facf3faf0db60fbf
SHA1c5cb4e29909e8e29ecd92ffd35a753151ba6d707
SHA256f55cd57aa7784b46ef53f8fbe2f16147fae254ef705cdd9d5a88185b6adab4e5
SHA5127cf842856914f73821242567620e4572b6aec35c62c2bac5a6a54647dc2bb58024403b4fbb1dfbd0ae91c9135609a40765db56f36fd93fe7bc9e78dbfb2d4bd7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\9e88141a-f380-47a9-9205-fcafd42e9ff1
Filesize982B
MD5e49cdb241c6349670e75a66d14e87aef
SHA1752fa8d62b509335aaac2787f7ad4a3ed2460a6f
SHA2561d44b50b7ee33b1782fbac988c85bdaf8a36765a94a0cdb6ae2b20511b984a0a
SHA512370e936a02929e59c4f90e68c733f77a97b5c8b396177a6f9c9074017ade0138483a410f33138cf30410c3207fc27de857a81d56516db82a546b70383b4efef1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\ab99ceca-4584-47a1-aef9-157ae7ff40c5
Filesize29KB
MD5c7db2ae83e56b4d4ab1f00012e036dee
SHA159eb27ba4679a6a4f099e39c7183f7450ac0fa8c
SHA2562ddea6ace175850f7a731d6b095d7bc2e72dabbd4b5ea5d0882cceba5e018b32
SHA5127bfd7a0a4f1fd906cc38ea2cf21c674af31b7fdfe0c53300db609ed28e1b492f2f1a2038f506b201513a4a0f95ce8dacd9bce0854577a9b10dd0f75c56889efa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\f30dc7df-60ec-4cd0-88d0-28d5f9ef8af1
Filesize671B
MD55c2c5b8ecf5abc28f2e4c6ac9eb632e3
SHA11fa36c876cf4a86b4048924cda18e03e10f1d90f
SHA256513c005696b6d33846802d8328ff5f166b85dc013fff2dfeb0719403ae8a5edf
SHA5124fa1c39aa40b012331f74ae1394130e0a782bacae559474ff9536ce98299131e6efa8a71e3675634b8c21ea2bebb916fe5a1c72f1acc65e8572462d262c40686
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD5317926803ed487afaa921c82d10fea41
SHA1c0221c7f7174428b2947687968d09b225fc6cd04
SHA256ae4534f984ad53aed3d31e7e2616f081766a3b68096ba2cd2be76bce3042d9cd
SHA51223430b8600584f98259f88c16d6c1817a3ff070c796718eea57b115d840446486996e29e98e37f5f88f825a13f45d4bf470b8d46d0da842f0e988603226a85c1
-
Filesize
10KB
MD5802e8343dc7b4aefb2f2a056c75b8dfd
SHA17cae60203fd9075f2d9a500aeed72e2207f0317c
SHA256a641041802cd13a5f455f5f284f5ab84ab350ffa20aa5c2779441225234f750b
SHA512a5c3567870a94f9777761cb14e63ff0e0a662dcd6394177944707fae84e15ff7a019268bb649d6dd3190ce50445b8094e64b610378e096acdf53ae0be3999ac1
-
Filesize
10KB
MD524f3e61ebb1a14ab2d350927fe8947b8
SHA1601368d01059532da59869906e75d2e585aec1da
SHA2566301ea6f708a24c12979323871b14c9d40f6d4b81a130b4aa207e6124aa3913b
SHA51228bf37ff43bc245f720c0794df156f78273db380bb99e44daaf808c54ff8b6359e524563b365d8c6b22485f90e51f518149e6c4d55e7b3f91b277be6a908ee39
-
Filesize
11KB
MD52073c740c050388dc8bbfc8728a44127
SHA14ada704d1abd445fff93bfb73e851d701601abf4
SHA2563b20f3bac39d538d920d9422c63cf4475d97ef7ff320c9c3c5c1b3c7521ecfc6
SHA512ad26d04a6230beaf395d6f77a155a076c1d0eedd9c81eff6463a4cd2db5b88188fb00d4ab0c06e20e396304981674732b5fc27f89037f80f9260a6ebe546a846
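The dropped-file listing above is what an analyst usually has to turn into IOCs, and copies of such reports frequently arrive with the field label fused onto its value ("MD52a78...") or with the label and value on separate lines. The following parser is an added example, not part of the sandbox report and not tooling from the sandbox vendor. It assumes only the layout visible on this page: records separated by a lone "-", an optional path line, a Filesize field and MD5/SHA1/SHA256/SHA512 digests. It checks every digest for the hex length its algorithm requires (a truncated copy is a common transcription defect), and can verify a local byte string against a record. The two records in SAMPLE_LISTING are copied from this page; the 39-byte blob used to exercise the verification path is constructed.

```python
"""Parse a flattened sandbox dropped-files listing into validated hash records."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Hex digest length each algorithm must have; anything else is a copy/paste defect.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(DIGEST_LEN)   # no label is a prefix of another
_HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed from two records on this page: one without a path (label and value on
# separate lines), one with a path (label fused to its value).
SAMPLE_LISTING = r"""
-
Filesize
3.1MB
MD59f55b56814015f22fb5a9068a1bac402
SHA1792bfa57fd0d50e1c004044f63cd8b71f7427858
SHA2563cd15e8fff1b3254d98a2d7d6c4d41393434d43e07e5f51833e0dbaf4719158a
SHA51236ca2735c17bdbd72c86d4b7f0c38e6f70098c107840c17772f17f5235f03a4cafab1a8952b125509b68a3e49bc36bb1f58b63eb7f90d07c561f1ab0c8719933
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize8KB
MD5846eb3a90235abc572f1e979f2455afa
SHA1ee894542635905db72e02f262fd08dbfb3277f48
SHA256f5b5878dc9eef5433d0085610d3941aa824b6df5c6828a3c5a6cde3e412af9f6
SHA512cfad28b59809556cdf0e7d4ea10cac429adb25f4c6bfdb7f29660bd68680fbbae57ccb50b0555a4381d3cb816362ec44364368aaa0b2369bc2cacba097307eb4
-
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None       # absent for entries the report lists without a path
    filesize: Optional[str] = None   # kept in the report's human unit, e.g. "3.1MB"
    hashes: dict = field(default_factory=dict)

    def problems(self) -> list:
        """List missing or malformed digests; an empty list means the record is usable."""
        out = []
        for algo, n in DIGEST_LEN.items():
            v = self.hashes.get(algo)
            if v is None:
                out.append(f"missing {algo}")
            elif len(v) != n or not _HEX.fullmatch(v):
                out.append(f"bad {algo}: {v!r}")
        return out

    def matches(self, data: bytes) -> bool:
        """True when every digest recorded for this entry equals the digest of `data`."""
        return all(hashlib.new(algo.lower(), data).hexdigest() == v.lower()
                   for algo, v in self.hashes.items())


def _split_label(line: str):
    """'MD52a78...' -> ('MD5', '2a78...'); 'MD5' alone -> ('MD5', ''); path -> (None, line)."""
    for label in LABELS:
        if line.startswith(label):
            return label, line[len(label):].strip()
    return None, line


def parse_dropped_files(text: str) -> list:
    """Split the listing on '-' separators and collect one DroppedFile per record."""
    records, cur, pending = [], DroppedFile(), None

    def flush():
        nonlocal cur
        if cur.path or cur.filesize or cur.hashes:
            records.append(cur)
        cur = DroppedFile()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            flush()
            pending = None
            continue
        if pending is not None:            # value for the bare label on the previous line
            label, value, pending = pending, line, None
        else:
            label, value = _split_label(line)
            if label is None:              # not a known field, so it is the path line
                cur.path = line
                continue
            if not value:                  # bare label; its value is on the next line
                pending = label
                continue
        if label == "Filesize":
            cur.filesize = value
        else:
            cur.hashes[label] = value
    flush()
    return records


def hashes_of(data: bytes) -> dict:
    """Digest `data` with every algorithm the report uses, keyed like the report."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in DIGEST_LEN}


if __name__ == "__main__":
    for rec in parse_dropped_files(SAMPLE_LISTING):
        print(rec.path or "(no path)", rec.filesize, rec.hashes["SHA256"], rec.problems())
```

When run against a full report, anything returned by problems() should be fixed or dropped before the hashes go into a blocklist; matches() is the same check in reverse for confirming that a file recovered from a host is the one the sandbox saw.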