Analysis
  max time kernel: 145s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-12-2024 01:33
Static task: static1
Behavioral task: behavioral1
  Sample: 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe
  Resource: win7-20241010-en
General
  Target: 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe
  Size: 3.2MB
  MD5: 8310dd77fc508989327b7242d9f00757
  SHA1: 0f47666d19e93f838bf9e2d67a1a0c42dd2561f2
  SHA256: 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0
  SHA512: 279770c1ae7698765dca0a7d4cffb6695381f8513ac12283c6e77b80cfd198d2a16c1ed12854f17ca8f91089632bbae65278bf8d157ec01fc3538cdc4416e697
  SSDEEP: 49152:eKsUSrfMdl+qB2OAS4aNPTET48NqCnf9lZOUdcczoJ:eTUqMdQshAS4aNP58NqClPdw
Malware Config
Extracted: amadey
  Version: 4.42
  ID: 9c9aa5
  C2: http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
Extracted: stealc
  ID: stok
  C2: http://185.215.113.206
  url_path: /c4becf79229cb002.php
Extracted: lumma
  C2:
    https://impend-differ.biz/api
    https://print-vexer.biz/api
    https://dare-curbys.biz/api
    https://covery-mover.biz/api
    https://formy-spill.biz/api
    https://dwell-exclaim.biz/api
    https://zinc-sneark.biz/api
    https://se-blurry.biz/api
    https://atten-supporse.biz/api
Extracted: lumma (second extraction; three of the nine domains above)
  C2:
    https://atten-supporse.biz/api
    https://se-blurry.biz/api
    https://zinc-sneark.biz/api
Signatures
  Amadey family
  Gcleaner family
  Lumma family
  Modifies Windows Defender Real-time Protection settings (6 IoCs; signature name as listed for a614125e4e.exe in the process tree below)
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a614125e4e.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a614125e4e.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a614125e4e.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a614125e4e.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a614125e4e.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a614125e4e.exe
    Note the WOW6432Node prefix: the writing process is 32-bit, so its HKLM\SOFTWARE writes were recorded under the redirected 32-bit view.
  Stealc family
  Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a614125e4e.exe, skotes.exe (x3), 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe, 9851c7a42c.exe, 26867d08b8.exe, 29e3da79ef.exe
  Downloads MZ/PE file
  Checks BIOS information in registry (2 TTPs, 16 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe (x3), 26867d08b8.exe, 29e3da79ef.exe, 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe, 9851c7a42c.exe, a614125e4e.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe (x3), 29e3da79ef.exe, a614125e4e.exe, 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe, 9851c7a42c.exe, 26867d08b8.exe
  Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | skotes.exe
  Executes dropped EXE (8 IoCs)
    pid | process
    5016 | skotes.exe
    1332 | 9851c7a42c.exe
    3132 | 26867d08b8.exe
    1900 | 29e3da79ef.exe
    2384 | e86e387524.exe
    4636 | a614125e4e.exe
    5432 | skotes.exe
    5680 | skotes.exe
  Identifies Wine through registry keys (2 TTPs, 8 IoCs)
    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 9851c7a42c.exe, 26867d08b8.exe, 29e3da79ef.exe, a614125e4e.exe, skotes.exe (x3), 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe
  Windows security modification (2 IoCs; signature name as listed for a614125e4e.exe in the process tree below)
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a614125e4e.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a614125e4e.exe
  Adds Run key to start application (2 TTPs, 4 IoCs)
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a614125e4e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013580001\\a614125e4e.exe" | skotes.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26867d08b8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013577001\\26867d08b8.exe" | skotes.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\29e3da79ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013578001\\29e3da79ef.exe" | skotes.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e86e387524.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013579001\\e86e387524.exe" | skotes.exe
    All four Run values are written by the Amadey loader (skotes.exe) and point at payloads it dropped into numbered subdirectories of the user's Temp folder.
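The Defender policy writes and the Run-key entries above are the two registry modifications in this report that a detection engineer would want to alert on. The following is an added example and is not part of the sandbox report: a small Python detector run over event records constructed from the report's own "Set value" rows, laid out like the fields of a Sysmon EventID 13 (RegistryEvent, value set) record. The field names, the two constructed benign control events at the end of the list and the rule thresholds are this example's assumptions.

```python
"""Flag Defender policy tampering and Run-key persistence into %TEMP%.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's "Set value" rows (plus two benign controls) in the shape of
Sysmon EventID 13 fields; the field names are this example's own."""
import re

SID = r"S-1-5-21-3442511616-637977696-3186306149-1000"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUN = rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    # a614125e4e.exe: five real-time protection switches set to 1 (constructed from report rows)
    {"image": "a614125e4e.exe", "target": RTP + r"\DisableBehaviorMonitoring", "details": "DWORD (0x00000001)"},
    {"image": "a614125e4e.exe", "target": RTP + r"\DisableIOAVProtection", "details": "DWORD (0x00000001)"},
    {"image": "a614125e4e.exe", "target": RTP + r"\DisableOnAccessProtection", "details": "DWORD (0x00000001)"},
    {"image": "a614125e4e.exe", "target": RTP + r"\DisableRealtimeMonitoring", "details": "DWORD (0x00000001)"},
    {"image": "a614125e4e.exe", "target": RTP + r"\DisableScanOnRealtimeEnable", "details": "DWORD (0x00000001)"},
    # a614125e4e.exe: TamperProtection feature flag set to 0
    {"image": "a614125e4e.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "details": "DWORD (0x00000000)"},
    # skotes.exe: Run keys for the dropped payloads under AppData\Local\Temp
    {"image": "skotes.exe", "target": RUN + r"\a614125e4e.exe", "details": r"C:\Users\Admin\AppData\Local\Temp\1013580001\a614125e4e.exe"},
    {"image": "skotes.exe", "target": RUN + r"\26867d08b8.exe", "details": r"C:\Users\Admin\AppData\Local\Temp\1013577001\26867d08b8.exe"},
    {"image": "skotes.exe", "target": RUN + r"\29e3da79ef.exe", "details": r"C:\Users\Admin\AppData\Local\Temp\1013578001\29e3da79ef.exe"},
    {"image": "skotes.exe", "target": RUN + r"\e86e387524.exe", "details": r"C:\Users\Admin\AppData\Local\Temp\1013579001\e86e387524.exe"},
    # Constructed benign controls (not from the report): an installer registering an
    # updater from Program Files, and a policy refresh *enabling* real-time monitoring.
    {"image": "setup.exe", "target": RUN + r"\Updater", "details": r"C:\Program Files\Example\updater.exe"},
    {"image": "gpupdate.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000000)"},
]

WOW64 = re.compile(r"\\WOW6432Node(?=\\)", re.I)
DWORD = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)
RT_DISABLE = re.compile(r"\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
TAMPER = re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def dword(details):
    """Parse the Sysmon-style 'DWORD (0x........)' value, or None."""
    m = DWORD.search(details)
    return int(m.group(1), 16) if m else None


def normalize(target):
    """Strip the 32-bit redirected view so one rule covers both registry views."""
    return WOW64.sub("", target)


def check_event(ev):
    """Return a finding string for a suspicious write, or None."""
    target = normalize(ev["target"])
    m = RT_DISABLE.search(target)
    if m and dword(ev["details"]) == 1:
        return f"Defender real-time protection disabled via policy ({m.group(1)})"
    if TAMPER.search(target) and dword(ev["details"]) == 0:
        return "Defender TamperProtection set to 0"
    m = RUN_KEY.search(target)
    if m and TEMP_DIR.search(ev["details"]):
        return f"Run key '{m.group(2)}' points into AppData\\Local\\Temp"
    return None


def scan(events):
    """(image, finding) for every event that trips a rule."""
    return [(ev["image"], r) for ev in events if (r := check_event(ev))]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{image:16} {finding}")
```

The Disable* rules fire only on a value of 1 and the TamperProtection rule only on 0, so a Group Policy refresh that re-enables protection does not alert. The WOW6432Node prefix is normalized away before matching: the report records the writes under the 32-bit redirected view because a614125e4e.exe is a 32-bit process, and the detection should key on the intent of the write rather than on which view it landed in.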
  AutoIT Executable (1 IoC)
    AutoIT scripts compiled to PE executables.
    resource | yara_rule
    behavioral2/files/0x0007000000023cec-99.dat | autoit_exe
  Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
    pid | process
    2516 | 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe
    5016 | skotes.exe
    1332 | 9851c7a42c.exe
    3132 | 26867d08b8.exe
    1900 | 29e3da79ef.exe
    4636 | a614125e4e.exe
    5432 | skotes.exe
    5680 | skotes.exe
  Drops file in Windows directory (1 IoC)
    description | ioc | process
    File created | C:\Windows\Tasks\skotes.job | 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Program crash (2 IoCs)
    pid | pid_target | process | procid_target
    4764 | 3132 | WerFault.exe | 84
    5812 | 1332 | WerFault.exe | 83
  System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe, 9851c7a42c.exe, taskkill.exe (x5), 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe, 26867d08b8.exe, 29e3da79ef.exe, e86e387524.exe, a614125e4e.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | e86e387524.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | e86e387524.exe
  Checks processor information in registry (2 TTPs, 8 IoCs)
    Processor information is often read in order to detect sandboxing environments. Every hit below is attributed to firefox.exe, a legitimate browser that reports hardware details as part of normal start-up, so on its own this signature carries little weight here.
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe (x2)
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe (x2)
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
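The registry reads in the VirtualBox ACPI, BIOS version, Wine, location, system-language and processor signatures above are individually weak (firefox.exe reads CentralProcessor keys legitimately; taskkill.exe touches the NLS key), but they become telling when one process does several of them. The following is an added example, not part of the sandbox report: a Python scorer that groups registry reads per process into fingerprinting categories and flags a process only when it hits more than one category including at least one virtualization-specific key. The event triples are constructed from the report's IoC rows; the category names and threshold are this example's choices.

```python
"""Score processes by the variety of sandbox/VM fingerprinting keys they read.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's registry IoC rows; categories and threshold are the
example's own choices."""
import re
from collections import defaultdict

SID = r"S-1-5-21-3442511616-637977696-3186306149-1000"

# (image, operation, key), constructed from the report's rows.
SAMPLE_EVENTS = [
    ("skotes.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("skotes.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("skotes.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("skotes.exe", "Key opened", rf"\REGISTRY\USER\{SID}\Software\Wine"),
    ("skotes.exe", "Key value queried", rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"),
    ("skotes.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("a614125e4e.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("a614125e4e.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("a614125e4e.exe", "Key opened", rf"\REGISTRY\USER\{SID}\Software\Wine"),
    ("firefox.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"),
    ("firefox.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
    ("taskkill.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("e86e387524.exe", "Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage"),
]

CATEGORIES = {
    "vbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I),
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "wine": re.compile(r"\\Software\\Wine$", re.I),
    "cpu_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
    "geo_nation": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "language": re.compile(r"\\Control\\NLS\\Language", re.I),
}
# Keys that name a virtualization product or compatibility layer, as opposed
# to generic host facts any program might read.
VM_SPECIFIC = {"vbox_acpi", "wine"}


def classify(key):
    """Name the fingerprinting category a registry path belongs to, or None."""
    for name, pattern in CATEGORIES.items():
        if pattern.search(key):
            return name
    return None


def score(events):
    """{image: sorted list of distinct categories touched}."""
    hits = defaultdict(set)
    for image, _operation, key in events:
        category = classify(key)
        if category:
            hits[image].add(category)
    return {image: sorted(cats) for image, cats in hits.items()}


def flag(events, min_categories=2):
    """Processes touching >= min_categories categories, one of them VM-specific."""
    return {image: cats for image, cats in score(events).items()
            if len(cats) >= min_categories and VM_SPECIFIC & set(cats)}


if __name__ == "__main__":
    for image, cats in flag(SAMPLE_EVENTS).items():
        print(f"{image:16} {', '.join(cats)}")
```

With these rules skotes.exe (five categories) and a614125e4e.exe (three) are flagged, while firefox.exe (processor keys only) and taskkill.exe (language key only) are not, which matches how an analyst would read the signature list above.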
  Kills process with taskkill (5 IoCs)
    pid | process
    4208 | taskkill.exe
    3208 | taskkill.exe
    1340 | taskkill.exe
    3756 | taskkill.exe
    976 | taskkill.exe
  Modifies registry class (1 IoC)
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | firefox.exe
  Suspicious behavior: EnumeratesProcesses (23 IoCs)
    pid | process | occurrences
    2516 | 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe | 2
    5016 | skotes.exe | 2
    1332 | 9851c7a42c.exe | 2
    3132 | 26867d08b8.exe | 2
    1900 | 29e3da79ef.exe | 2
    2384 | e86e387524.exe | 4
    4636 | a614125e4e.exe | 5
    5432 | skotes.exe | 2
    5680 | skotes.exe | 2
  Suspicious use of AdjustPrivilegeToken (11 IoCs)
    description | pid | process
    Token: SeDebugPrivilege | 4208 | taskkill.exe
    Token: SeDebugPrivilege | 3208 | taskkill.exe
    Token: SeDebugPrivilege | 1340 | taskkill.exe
    Token: SeDebugPrivilege | 3756 | taskkill.exe
    Token: SeDebugPrivilege | 976 | taskkill.exe
    Token: SeDebugPrivilege | 3744 | firefox.exe (x5)
    Token: SeDebugPrivilege | 4636 | a614125e4e.exe
  Suspicious use of FindShellTrayWindow (33 IoCs)
    pid | process | occurrences
    2516 | 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe | 1
    2384 | e86e387524.exe | 11
    3744 | firefox.exe | 21
  Suspicious use of SendNotifyMessage (31 IoCs)
    pid | process | occurrences
    2384 | e86e387524.exe | 11
    3744 | firefox.exe | 20
  Suspicious use of SetWindowsHookEx (1 IoC)
    pid | process
    3744 | firefox.exe
  Suspicious use of WriteProcessMemory (64 IoCs)
    Identical rows are collapsed; the count column gives how many times each row appears. The listing stops at 64 entries, so the later firefox.exe content processes seen in the process tree (3176, 4192, 3292, 5404, 5956, 5976, 5988) do not appear here.
    description | pid | process | procid_target | count
    PID 2516 wrote to memory of 5016 | 2516 | 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe | 82 | 3
    PID 5016 wrote to memory of 1332 | 5016 | skotes.exe | 83 | 3
    PID 5016 wrote to memory of 3132 | 5016 | skotes.exe | 84 | 3
    PID 5016 wrote to memory of 1900 | 5016 | skotes.exe | 92 | 3
    PID 5016 wrote to memory of 2384 | 5016 | skotes.exe | 94 | 3
    PID 2384 wrote to memory of 4208 | 2384 | e86e387524.exe | 95 | 3
    PID 2384 wrote to memory of 3208 | 2384 | e86e387524.exe | 99 | 3
    PID 2384 wrote to memory of 1340 | 2384 | e86e387524.exe | 101 | 3
    PID 2384 wrote to memory of 3756 | 2384 | e86e387524.exe | 103 | 3
    PID 2384 wrote to memory of 976 | 2384 | e86e387524.exe | 105 | 3
    PID 2384 wrote to memory of 4164 | 2384 | e86e387524.exe | 107 | 2
    PID 4164 wrote to memory of 3744 | 4164 | firefox.exe | 108 | 11
    PID 3744 wrote to memory of 4924 | 3744 | firefox.exe | 109 | 21
  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
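The WriteProcessMemory rows above are the clearest record of which process spawned which, but as a flat list of 64 near-duplicate entries they are hard to read. The following is an added example, not part of the sandbox report: a Python snippet that parses rows in the report's own "PID X wrote to memory of Y | pid | Process | procid_target" layout, collapses repeats into a count and renders the spawn chain as an indented tree. SAMPLE_ROWS is a subset of the report's rows (one per distinct parent/child pair, plus the three identical 2516 -> 5016 rows to show the collapsing); the rendering format is the example's own.

```python
"""Rebuild the spawn chain from "Suspicious use of WriteProcessMemory" rows.

Added example, not part of the sandbox report. SAMPLE_ROWS is a subset of the
report's rows copied in the report's own layout; the tree format is ours."""
import re
from collections import Counter, OrderedDict

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\1\s+(\S+)\s+(\d+)")

SAMPLE_ROWS = """
PID 2516 wrote to memory of 5016 2516 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe 82
PID 2516 wrote to memory of 5016 2516 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe 82
PID 2516 wrote to memory of 5016 2516 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe 82
PID 5016 wrote to memory of 1332 5016 skotes.exe 83
PID 5016 wrote to memory of 3132 5016 skotes.exe 84
PID 5016 wrote to memory of 1900 5016 skotes.exe 92
PID 5016 wrote to memory of 2384 5016 skotes.exe 94
PID 2384 wrote to memory of 4208 2384 e86e387524.exe 95
PID 2384 wrote to memory of 3208 2384 e86e387524.exe 99
PID 2384 wrote to memory of 1340 2384 e86e387524.exe 101
PID 2384 wrote to memory of 3756 2384 e86e387524.exe 103
PID 2384 wrote to memory of 976 2384 e86e387524.exe 105
PID 2384 wrote to memory of 4164 2384 e86e387524.exe 107
PID 4164 wrote to memory of 3744 4164 firefox.exe 108
PID 3744 wrote to memory of 4924 3744 firefox.exe 109
"""


def parse(text):
    """(writer_pid, target_pid, writer_image) for every row that matches."""
    return [(int(w), int(t), image) for w, t, image, _ in ROW.findall(text)]


def edges(rows):
    """Collapse repeated rows: {(writer, target): count}."""
    return Counter((w, t) for w, t, _ in rows)


def images(rows):
    """Image name of every process that appears as a writer."""
    return {w: image for w, _, image in rows}


def children(rows):
    """writer -> [targets] in first-seen order."""
    out = OrderedDict()
    for w, t, _ in rows:
        out.setdefault(w, [])
        if t not in out[w]:
            out[w].append(t)
    return out


def roots(rows):
    """Writers that are never themselves a target."""
    targets = {t for _, t, _ in rows}
    return [w for w in children(rows) if w not in targets]


def render(rows):
    """Indented tree; a PID that never writes is shown as such."""
    kids, names, counts, lines = children(rows), images(rows), edges(rows), []

    def walk(pid, depth, note=""):
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '(no writes recorded)')}{note}")
        for kid in kids.get(pid, []):
            walk(kid, depth + 1, f"  <- {counts[(pid, kid)]} write(s) from {pid}")

    for root in roots(rows):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse(SAMPLE_ROWS)))
```

Run against the full table, every child spawned by the malware shows exactly three writes, while the Firefox launcher-to-browser edge (4164 -> 3744) shows 11 and the browser-to-gpu edge (3744 -> 4924) shows 21; the count column therefore separates the loader's plain process creation from Firefox's own multi-process start-up without any knowledge of the binaries.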
Processes
[1] C:\Users\Admin\AppData\Local\Temp\306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe (PID 2516)
    command line: "C:\Users\Admin\AppData\Local\Temp\306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 5016)
      command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1013576001\9851c7a42c.exe (PID 1332)
        command line: "C:\Users\Admin\AppData\Local\Temp\1013576001\9851c7a42c.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 5812)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 636
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1013577001\26867d08b8.exe (PID 3132)
        command line: "C:\Users\Admin\AppData\Local\Temp\1013577001\26867d08b8.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 4764)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1484
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1013578001\29e3da79ef.exe (PID 1900)
        command line: "C:\Users\Admin\AppData\Local\Temp\1013578001\29e3da79ef.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\AppData\Local\Temp\1013579001\e86e387524.exe (PID 2384)
        command line: "C:\Users\Admin\AppData\Local\Temp\1013579001\e86e387524.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe (PID 4208)
          command line: taskkill /F /IM firefox.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe (PID 3208)
          command line: taskkill /F /IM chrome.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe (PID 1340)
          command line: taskkill /F /IM msedge.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe (PID 3756)
          command line: taskkill /F /IM opera.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe (PID 976)
          command line: taskkill /F /IM brave.exe /T
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4164)
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3744)
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4924)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d8d275f-c6d9-438c-aefe-1ffae885f332} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" gpu
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3176)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03d1a962-57c6-4f8d-b54d-81ce6132202e} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" socket
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4192)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3560 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3344 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd203b6b-cf41-4f43-9443-6a9e6fa89dec} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" tab
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3292)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3368 -childID 2 -isForBrowser -prefsHandle 3224 -prefMapHandle 2616 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0874eee-44e7-4bc9-a248-78e0c472db13} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" tab
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5404)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 4768 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ea378f4-9a17-4685-b8a5-4ee5426be1a2} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" utility
              - Checks processor information in registry
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5956)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 3276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a14f6c66-5354-4490-8c03-7fd0d5195984} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" tab
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5976)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a643752-4d31-4ba4-85ea-5e605d144eb3} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" tab
          [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5988)
              command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 5 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a6cc443-408e-461f-a7e1-f2275751c324} 3744 "\\.\pipe\gecko-crash-server-pipe.3744" tab
    [3] C:\Users\Admin\AppData\Local\Temp\1013580001\a614125e4e.exe (PID 4636)
        command line: "C:\Users\Admin\AppData\Local\Temp\1013580001\a614125e4e.exe"
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4336)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132
[1] C:\Windows\SysWOW64\WerFault.exe (PID 5796)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1332 -ip 1332
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 5432)
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    started outside the sample's process tree, consistent with the skotes.job scheduled task created above
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 5680)
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    started outside the sample's process tree, consistent with the skotes.job scheduled task created above
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
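The e86e387524.exe branch of the tree above is a distinct behaviour from the loader and stealers around it: it force-kills firefox.exe, chrome.exe, msedge.exe, opera.exe and brave.exe (with /T, so child processes too), then relaunches Firefox in --kiosk mode on a Google account sign-in URL with popup blocking disabled, leaving the user a full-screen login page with no address bar. Any credentials typed there land in the browser's own store, which the Stealc and Lumma payloads in the same chain are built to collect. The following is an added example, not part of the sandbox report: a Python detector for that kill-then-kiosk sequence, run over process-creation records constructed from the process tree. The record layout (pid, ppid, image, command line), the browser list and the constructed benign control at the end of the list are this example's assumptions.

```python
"""Detect "kill every browser, then relaunch one in kiosk mode" chains.

Added example, not part of the sandbox report. SAMPLE_PROCS is constructed
from the report's process tree plus one benign control; record layout and
browser list are this example's own."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "iexplore.exe"}
KILL_IM = re.compile(r"/IM\s+(\S+)", re.I)          # taskkill /IM <image>
KIOSK_URL = re.compile(r"--kiosk\s+\"?([^\"\s]+)", re.I)  # --kiosk <url>, quoted or not

FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
PHISH = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"

# (pid, ppid, image path, command line), constructed from the process tree.
SAMPLE_PROCS = [
    (2384, 5016, r"C:\Users\Admin\AppData\Local\Temp\1013579001\e86e387524.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1013579001\e86e387524.exe"'),
    (4208, 2384, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM firefox.exe /T"),
    (3208, 2384, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM chrome.exe /T"),
    (1340, 2384, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM msedge.exe /T"),
    (3756, 2384, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM opera.exe /T"),
    (976, 2384, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM brave.exe /T"),
    (4164, 2384, FF, f'"{FF}" --kiosk "{PHISH}" --no-default-browser-check --disable-popup-blocking'),
    (3744, 4164, FF, f'"{FF}" --kiosk {PHISH} --no-default-browser-check --disable-popup-blocking'),
    # Constructed benign control (not from the report): a script restarting one browser normally.
    (7001, 7000, r"C:\Windows\System32\cmd.exe", "cmd /c restart-browser.cmd"),
    (7002, 7001, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM chrome.exe"),
    (7003, 7001, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example/'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, min_kills=2):
    """One finding per parent that kills >= min_kills browsers and starts a kiosk browser."""
    by_parent = defaultdict(list)
    images = {}
    for pid, ppid, image, cmd in procs:
        images[pid] = image
        by_parent[ppid].append((pid, image, cmd))

    findings = []
    for ppid, kids in by_parent.items():
        killed, kiosk = set(), None
        for pid, image, cmd in kids:
            name = basename(image)
            if name == "taskkill.exe":
                m = KILL_IM.search(cmd)
                if m and m.group(1).lower() in BROWSERS:
                    killed.add(m.group(1).lower())
            elif name in BROWSERS:
                m = KIOSK_URL.search(cmd)
                if m:
                    kiosk = (pid, name, m.group(1))
        if len(killed) >= min_kills and kiosk:
            pid, name, url = kiosk
            findings.append({
                "parent_pid": ppid,
                "parent_image": images.get(ppid, "?"),
                "killed": sorted(killed),
                "kiosk_pid": pid,
                "kiosk_browser": name,
                "url": url,
                "host": urlsplit(url).netloc,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_PROCS):
        print(f"{f['parent_image']} killed {', '.join(f['killed'])} then opened "
              f"{f['kiosk_browser']} in kiosk mode on {f['host']}")
```

The detector keys on the sibling relationship (taskkill children and a kiosk-mode browser child under the same parent) rather than on the URL, so it does not depend on the particular lure. Note that the lure URL's real host is youtube.com; the accounts.google.com string sits in the query, which is what a victim without an address bar will never see.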
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
  path not recorded
    Filesize: 1B
    MD5: cfcd208495d565ef66e7dff9f98764da
    SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
    SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
    SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
    (these are the digests of the single ASCII byte "0")
  C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json
    Filesize: 24KB
    MD5: 37a15d69a236d7fba2ee1723fe84c5ca
    SHA1: 7b5cce2144ed3821bb920196452d1ee9833e66a3
    SHA256: e2ca2ee53ab10795b8c213e78216262142934f68a0d5d8df7a02add7efd73bf3
    SHA512: 2028739cc04aa38c4194e1ecc3079598a017c715f9e14d939085908cd316fe36325fd25c02a9dc14ff38a5ae3c6d0113203b4202588b319d78c0b6d95dd983ff
  C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
    Filesize: 13KB
    MD5: 4c4528a243b5febe4c05946ef61fccc9
    SHA1: 99283e794da351d1e95379cb3903573cc86679d0
    SHA256: 495da5da4757878cfe5cf083e5df6211544d036930f53d7ee2c831f64c9a9079
    SHA512: e312f9d7b31cb964aab435698b7dd24e3c3ce352e8b2f0c0b10accf2ec3293bae9da3eb85b09044b18ffdfb1fa104f03524caf7f20a53f3f49f9ddb1020d71af
  C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
    Filesize: 9KB
    MD5: 581750565a3e5579b7bd6c0c59d917af
    SHA1: daa71434b34b0f3d8388abee85aab4276db50722
    SHA256: 9feeb023da017398cca7a3aa30a253eedb8b304a513923c6f9a4ed7c2f7f5544
    SHA512: addf7b0db724a2d311dfe02a6e67deeb455b441b9e5388a6550b318d01e08add8ac0c0eb2efc8c0279ed430191cd2eb7195b3113474656fa7c2c1b5c7133446c
  C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
    Filesize: 15KB
    MD5: 96c542dec016d9ec1ecc4dddfcbaac66
    SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
    SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
    SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
  path not recorded
    Filesize: 1.9MB
    MD5: 2e19a105ae94d5cfdba8166af58f7a3e
    SHA1: 398ec17fa4b03728c4c48c6d2e6f99e01ff78a63
    SHA256: c4a16bac6cdc5735e1bbb57c7f4c300e35a4c2f617c85585d17ac5a55a875383
    SHA512: 181d6bec6fe7a93bc6ea1c5521977567a9565b1f7ef6b3a5cd8f8607ca27bdbca3c775ed6d5253ef1bb26227648d6a2d118c45b5e43af78a992135bf70b672ba
  path not recorded
    Filesize: 1.8MB
    MD5: d7229a6c265f82bc80e0908656b99344
    SHA1: 5f7a6a735d114a12096d8b5e8048f62bf1cdb748
    SHA256: 128194635b1cd03bdd7da72b0346b5a5d82da29cde42dade730b15252396a6f7
    SHA512: d48561086b8c2c29c6953beedf1d48d67fad4121a9b6f5a5998e6cd9f8274b5a2310f37a0eeef35ec85a6b582b94ab0d9b9e4f4c377a7b20a5740bbca813124b
  path not recorded
    Filesize: 1.7MB
    MD5: 0bd6feab9ec3faa844bdcdce20bb139a
    SHA1: 489a61c409dfb7d18be79e8ee0e6a357e2441b32
    SHA256: 5facd021cf569f15595a5bca8a9e248e6c32c1811f8b4c70ca037a15fed258ab
    SHA512: 48c0db3c10b1ac30f86705f98d653ab487728ad131167fd3a7f26f3666d54bbc0c034139c2baec8c66749999cadf9354b5231e43f05eefef3ed87c9d4057592f
  path not recorded
    Filesize: 945KB
    MD5: b96df7b03681a0ccccd55bec984830b9
    SHA1: 5662645c21901d6494e0ac4fe194ba7ff9ce429a
    SHA256: 1863d39014b60eb609302b2e3646d97b571eadaa234cf787b821ceaf057ec45e
    SHA512: 4a87d8a4a7e93d13abaef95e5f562d3aa93333b54336d47e41bdeb25315d9b64ad6b4d3a1ad0547fe7ee83f8e3d61698e2801b1ac32a24e2beb454e9b6df3d87
  path not recorded
    Filesize: 2.7MB
    MD5: d445052255ec75c77bf79748bd082efd
    SHA1: 3ed90fe05d24c1709ed86b252f676e506bc0a52b
    SHA256: 01d67e2f0de76a97a5af84425b8b7f88b6729de593c5dd7d9e203fd23dd8c561
    SHA512: 67355cfeecedfae91198f67a502fc4c075e77acbc13b9e0c67fcdd0bdf33a2d0d2ef72093b7aff730d4393551941debaa4f6969c2c3c20fad1cf8d876108848f
  path not recorded (hashes identical to the submitted sample, i.e. a copy of the sample itself)
    Filesize: 3.2MB
    MD5: 8310dd77fc508989327b7242d9f00757
    SHA1: 0f47666d19e93f838bf9e2d67a1a0c42dd2561f2
    SHA256: 306e3f1775f8481fe89d3575b57d8bcab355e9d55d1b66cbf7b246f8bd2a3dd0
    SHA512: 279770c1ae7698765dca0a7d4cffb6695381f8513ac12283c6e77b80cfd198d2a16c1ed12854f17ca8f91089632bbae65278bf8d157ec01fc3538cdc4416e697
  path not recorded
    Filesize: 479KB
    MD5: 09372174e83dbbf696ee732fd2e875bb
    SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
    SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
    SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
  path not recorded
    Filesize: 13.8MB
    MD5: 0a8747a2ac9ac08ae9508f36c6d75692
    SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
    SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
    SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
    Filesize: 10KB
    MD5: 440ae2d327ba3f9c9acad9a90d6b1d33
    SHA1: 56ad2c650e034aa13f3def9639c0401694b818db
    SHA256: 105302ff87aa577fc7e14cbf5783bede2688d48948e67be820ee3870f2006807
    SHA512: b40f0a5c2cb808ba8729b451b9339f92960880ea5282a03928ad2f9e9df14ae943c9be29603ee2ee727fff998e0b83eba2477c7f9643da3ef8c8a488f1f9255f
  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 22KB
    MD5: 2b23586072be630744822d59f923817f
    SHA1: 1061274c4092acceeb3b39522ec6e46b0c3db915
    SHA256: 691d8dab90fac4c7bb7745208d2767958710c20331fc83e9ac8468e3a6ea6c4e
    SHA512: 5f82f7313bed210ebd67c417a93c0ee5141415829bb31b00ea597dd07eea5bf105968a3cc5ab8145180b2476ff085b7593c99a41bf05a64290aa952453e0c663
  C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
    Filesize: 23KB
    MD5: 0cc2ac0db174f6f0cfbf3caee9736a1f
    SHA1: 8c261e153b9966ebf5ab6dfbd47bb369b702b77b
    SHA256: e4f1a49a0d16ece536e915f60516312ccb68e96c891be91fab68d2f7a29f0e63
SHA5129220d2e4bb299e0fe906060bfe3ea7129e7d752a8a0c9d442259baa8132ea1eaa6b7d9e2f52d7d4b88ff0cdb87e8830508173205b2ad2f4420809c70ffa54b3f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD51874bb4e79896d3e9e02a309c591e27d
SHA10fd58004cd245463b10c7949e02b594df17590eb
SHA256fee76052e9d61787d99c117301a84e9c68c9840bbc30ae3097b7ad22fd93705a
SHA512585ae5b5faee8f670214e04a17acc9e61db3d5818de5c2f9f3a8bd1684ab1deab0051e619e5325a9a6f7a59d895d6ed8d2c225f8371d88ec2027c6c4a32cf5a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD55873c98cc43a12250f37cf751cd04c83
SHA1ca4a3e05669e612fa9df65f70908a4238804165b
SHA256ffe0f667d2c85c364c0be0353ad8c7ceed7c0776fcb63a3c9f2bd448a16258cd
SHA5124d27a3a0bcbb24ed431d34d3af224c380138a57076c3a3716485307a614cf25e2574b84ff5ae64b1487c50904221e9b7505a7a9d06336a0d63e1eae8255fa96e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5b86af5fd19eb222a607f78997dd44173
SHA1af44b099637404f27636b2da91d0bc557653e052
SHA256dac96661a5055cca723ad5a26c1a9f24b223bb4f87c0b61b969f2d5be15385be
SHA51207885f6f5b5612382d4049d729001e6d063dcd55b10349984a2eeb9240c34d527593b6fca406525332fcb6893163ce9697f626e653e314a099792f59736298d7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\6b8c6cb4-241e-4495-83b6-ed7a6e683fd3
Filesize659B
MD5a0b8a5c92692cb822f57e6b8a370ba1b
SHA12ee8493946c0d1f704a1f360d1dcdbf1de0a265e
SHA256832b1f26fabe17318187054d4175b08cd5a7e17ec04a8ee9e2c08366bd3ac8e0
SHA512c841f0b0d4eecded2c5180ded6668fec1545e0361b2946456246557a7100b3f1fa254830df5184b98e1ebd7ead678e2d1f4a5dc17ee97f6a1e4b05e203f0a4df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\fbaaf2d0-f81a-4c44-bffc-d943151342e3
Filesize982B
MD5319441f0dd774cb8654ea998dd681e45
SHA186c14b6f6cad1f0dab95daaf193b7fb15cdf8eae
SHA25644a69728e68a1c86e1668cff149780a8f46e76685454ea829d87ab1cd71a184d
SHA51205af03d4fb091d230de073121787a395e8e8430a03e2b9c58d7a976bddd6e808227b3a6e4a9c57f004bd2105129c9256d67439137e02f6e0033d96f69206d404
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5a3c155a69b6a8630f04009b33be6b11e
SHA17b980a24d81a0d84f3bd3838d7c102af5478816b
SHA2564e32561e7c81c3bbf771422a906982663d0a06d8f698a7020d040deea70db7ed
SHA5122a62661d6132219bc2a9b3bcdf56ae6e05a21089ea6cf3f02db8455df1a0af4eaf87a98c60e6ef2b7e58757f90d650818ca35be029bd75a42c3e217ba58e902c
-
Filesize
15KB
MD5a37132eeddafd46dc47370502c20470f
SHA127aac020dee178af53d82f08699696f105d416ed
SHA25616b26d2a932952658c76000239c8f4c10062c2fea47b5881d2cbafff01060e75
SHA512128d76c79a79b065765ff3c823dde5d8cf1dca32742fc70164f05f9b5e8563fdc148020f58585581c8f7d4b993cfbe165881e64ff7b689474aeb0a69ba83b066
-
Filesize
10KB
MD5a11a34157c9d6aab208fa0820a76ae9e
SHA12e42da32ee216b5e18af509c911e208f3e86183a
SHA256c1cb129442537be8f0a797876e37f00a86a784025ea59c16b6e94953a2e60c91
SHA512608cac5726b3f4416cef315ab8dde639c1d93081208ba15bf9da0e52ae7bed04c9af0a510c88f280714ecd0e99a2ce18008958372564a61a853502d5f6057390
-
Filesize
11KB
MD52c1d341f5e44760614817f5ad6f38f94
SHA1991c3b0f9a725453074c885351e31bee42e5af06
SHA2563b0ceff55532c939a1439c2939a35a25421fb2224f3ace7477b72e6a00cb3270
SHA512ea12aaa29a59bf6daf8d11ec485e7ae8a478c60cf5b11770a9cce3fbd111883442b124307274e56ee6cb11938b34525f8d8acb3c4e0845f06a7e7942535e5388