Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 02:05
Static task: static1
General
Target: 04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
Size: 6.9MB
MD5: fcc5c005c3ccbddee8bee4dc5ca441e2
SHA1: d597f7ec6f9309af338b0bbb2234f9a0a5ca1a92
SHA256: 04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d
SHA512: f9f2ac3fa052093f622989ae40bd4c06871853e507064fd92760b54e0e4973b0cc77339bf4dda99959c083bb34c2a557a701b8161cd16340a4f6fc8d3340ff3a
SSDEEP: 196608:qZjdOmZw7qclSdCdbM8evA0U4YJtJq8Y4KM:Ej1ZwOcniTA02Bl
Malware Config

Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted: lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api

Extracted: stealc
stok
http://185.215.113.206
url_path: /c4becf79229cb002.php

Extracted: lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
Amadey family
Gcleaner family
Lumma family
Modifies Windows Defender Real-time Protection settings 11 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4U637G.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4U637G.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 109fa43a35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 109fa43a35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 109fa43a35.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 4U637G.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4U637G.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 109fa43a35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 109fa43a35.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4U637G.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4U637G.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1J17n3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 15d59c197e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dc7cbe8278.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 109fa43a35.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2U9131.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3w55K.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4U637G.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b4410d15c3.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b4410d15c3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b4410d15c3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dc7cbe8278.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2U9131.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3w55K.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3w55K.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2U9131.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4U637G.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dc7cbe8278.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1J17n3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4U637G.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 15d59c197e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 15d59c197e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 109fa43a35.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 109fa43a35.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1J17n3.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 1J17n3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 15 IoCs
pid | Process
4984 | f4R43.exe
64 | e0b81.exe
4656 | 1J17n3.exe
4532 | skotes.exe
2320 | 2U9131.exe
3612 | skotes.exe
544 | 3w55K.exe
1080 | 4U637G.exe
3912 | 15d59c197e.exe
4816 | b4410d15c3.exe
628 | dc7cbe8278.exe
3748 | 7f6603724a.exe
7012 | 109fa43a35.exe
5368 | skotes.exe
760 | skotes.exe
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 2U9131.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 3w55K.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 15d59c197e.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | b4410d15c3.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | dc7cbe8278.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 109fa43a35.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 1J17n3.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 4U637G.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Windows security modification 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4U637G.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4U637G.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 109fa43a35.exe
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc7cbe8278.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013583001\\dc7cbe8278.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7f6603724a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013584001\\7f6603724a.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\109fa43a35.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013585001\\109fa43a35.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | f4R43.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | e0b81.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4410d15c3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013582001\\b4410d15c3.exe" | skotes.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000c000000023b96-132.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
4656 | 1J17n3.exe
4532 | skotes.exe
2320 | 2U9131.exe
3612 | skotes.exe
544 | 3w55K.exe
1080 | 4U637G.exe
3912 | 15d59c197e.exe
4816 | b4410d15c3.exe
628 | dc7cbe8278.exe
7012 | 109fa43a35.exe
5368 | skotes.exe
760 | skotes.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1J17n3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 5 IoCs
pid | pid_target | Process | procid_target
2276 | 2320 | WerFault.exe | 86
1532 | 2320 | WerFault.exe | 86
4508 | 4816 | WerFault.exe | 100
2088 | 4816 | WerFault.exe | 100
5260 | 3912 | WerFault.exe | 98
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc7cbe8278.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2U9131.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 15d59c197e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7f6603724a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 109fa43a35.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4U637G.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1J17n3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3w55K.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 7f6603724a.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 7f6603724a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f4R43.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0b81.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4410d15c3.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Kills process with taskkill 5 IoCs
pid | Process
4652 | taskkill.exe
3380 | taskkill.exe
2804 | taskkill.exe
2068 | taskkill.exe
4972 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid | Process | entries
(entries = number of consecutive identical rows)
4656 | 1J17n3.exe | 2
4532 | skotes.exe | 2
2320 | 2U9131.exe | 2
3612 | skotes.exe | 2
544 | 3w55K.exe | 2
1080 | 4U637G.exe | 2
3912 | 15d59c197e.exe | 2
1080 | 4U637G.exe | 2
4816 | b4410d15c3.exe | 2
628 | dc7cbe8278.exe | 2
3748 | 7f6603724a.exe | 2
7012 | 109fa43a35.exe | 2
3748 | 7f6603724a.exe | 2
7012 | 109fa43a35.exe | 3
5368 | skotes.exe | 2
760 | skotes.exe | 2
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1080 | 4U637G.exe
Token: SeDebugPrivilege | 2068 | taskkill.exe
Token: SeDebugPrivilege | 4972 | taskkill.exe
Token: SeDebugPrivilege | 4652 | taskkill.exe
Token: SeDebugPrivilege | 3380 | taskkill.exe
Token: SeDebugPrivilege | 2804 | taskkill.exe
Token: SeDebugPrivilege | 3544 | firefox.exe
Token: SeDebugPrivilege | 3544 | firefox.exe
Token: SeDebugPrivilege | 7012 | 109fa43a35.exe
Token: SeDebugPrivilege | 3544 | firefox.exe
Token: SeDebugPrivilege | 3544 | firefox.exe
Token: SeDebugPrivilege | 3544 | firefox.exe
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process | entries
(entries = number of consecutive identical rows)
4656 | 1J17n3.exe | 1
3748 | 7f6603724a.exe | 8
3544 | firefox.exe | 21
3748 | 7f6603724a.exe | 3
Suspicious use of SendNotifyMessage 31 IoCs
pid | Process | entries
(entries = number of consecutive identical rows)
3748 | 7f6603724a.exe | 8
3544 | firefox.exe | 20
3748 | 7f6603724a.exe | 3
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3544 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
(entries = number of consecutive identical rows)
PID 324 wrote to memory of 4984 | 324 | 04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe | 82 | 3
PID 4984 wrote to memory of 64 | 4984 | f4R43.exe | 83 | 3
PID 64 wrote to memory of 4656 | 64 | e0b81.exe | 84 | 3
PID 4656 wrote to memory of 4532 | 4656 | 1J17n3.exe | 85 | 3
PID 64 wrote to memory of 2320 | 64 | e0b81.exe | 86 | 3
PID 4984 wrote to memory of 544 | 4984 | f4R43.exe | 94 | 3
PID 324 wrote to memory of 1080 | 324 | 04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe | 95 | 3
PID 4532 wrote to memory of 3912 | 4532 | skotes.exe | 98 | 3
PID 4532 wrote to memory of 4816 | 4532 | skotes.exe | 100 | 3
PID 4532 wrote to memory of 628 | 4532 | skotes.exe | 105 | 3
PID 4532 wrote to memory of 3748 | 4532 | skotes.exe | 106 | 3
PID 3748 wrote to memory of 2068 | 3748 | 7f6603724a.exe | 107 | 3
PID 3748 wrote to memory of 4972 | 3748 | 7f6603724a.exe | 109 | 3
PID 3748 wrote to memory of 4652 | 3748 | 7f6603724a.exe | 111 | 3
PID 3748 wrote to memory of 3380 | 3748 | 7f6603724a.exe | 113 | 3
PID 3748 wrote to memory of 2804 | 3748 | 7f6603724a.exe | 115 | 3
PID 3748 wrote to memory of 396 | 3748 | 7f6603724a.exe | 117 | 2
PID 396 wrote to memory of 3544 | 396 | firefox.exe | 118 | 11
PID 3544 wrote to memory of 4052 | 3544 | firefox.exe | 119 | 3
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 324

  Process (level 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4R43.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4R43.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4984

    Process (level 3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e0b81.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e0b81.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 64
      Process (level 4): C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17n3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17n3.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 4656

        Process (level 5): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 4532
          Process (level 6): C:\Users\Admin\AppData\Local\Temp\1013581001\15d59c197e.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1013581001\15d59c197e.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 3912

            Process (level 7): C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 780
            - Program crash
            PID: 5260

          Process (level 6): C:\Users\Admin\AppData\Local\Temp\1013582001\b4410d15c3.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1013582001\b4410d15c3.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 4816

            Process (level 7): C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1576
            - Program crash
            PID: 4508

            Process (level 7): C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1596
            - Program crash
            PID: 2088

          Process (level 6): C:\Users\Admin\AppData\Local\Temp\1013583001\dc7cbe8278.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1013583001\dc7cbe8278.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 628
          Process (level 6): C:\Users\Admin\AppData\Local\Temp\1013584001\7f6603724a.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1013584001\7f6603724a.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 3748

            Process (level 7): C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM firefox.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 2068

            Process (level 7): C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM chrome.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 4972

            Process (level 7): C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM msedge.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 4652

            Process (level 7): C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM opera.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 3380

            Process (level 7): C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM brave.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID: 2804
            Process (level 7): C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
            - Suspicious use of WriteProcessMemory
            PID: 396

              Process (level 8): C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 3544

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d6bd799-a5f3-4b7f-94c5-ba9de8faa56f} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" gpu
                PID: 4052

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e025313a-8a36-4e40-9e72-d63ed0eee922} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" socket
                PID: 3876

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3068 -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 2852 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bff2dfc9-4665-4d6b-a389-a12343463138} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
                PID: 3056

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4036 -childID 2 -isForBrowser -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e6373e-6416-4cbd-ab3b-476d2aad8a34} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
                PID: 1732

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40bce6f6-bd03-4135-b409-05ac58ee8a40} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" utility
                - Checks processor information in registry
                PID: 6072

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67e543fb-3713-4bd3-9b78-81da20e3a631} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
                PID: 2016

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5604 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dedc5495-5974-409e-8053-2bb58f53ae78} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
                PID: 1600

                Process (level 9): C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5884 -prefMapHandle 5880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c25ad70b-4010-412a-a377-fff00519b97e} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" tab
                PID: 1416
          Process (level 6): C:\Users\Admin\AppData\Local\Temp\1013585001\109fa43a35.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1013585001\109fa43a35.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Windows security modification
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 7012
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U9131.exe (depth 4, PID 2320)
- Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U9131.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\WerFault.exe (depth 5, PID 2276)
- Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1640
- Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 5, PID 1532)
- Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1616
- Program crash

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w55K.exe (depth 3, PID 544)
- Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w55K.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U637G.exe (depth 2, PID 1080)
- Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U637G.exe
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1, PID 3612)
- Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3452)
- Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1036)
- Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 5104)
- Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3032)
- Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 5280)
- Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3912 -ip 3912

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1, PID 5368)
- Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1, PID 760)
- Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
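Host triage for what this tree records, added here as an example and not taken from the sandbox or from the sample: 4U637G.exe (PID 1080) and 109fa43a35.exe (PID 7012) are flagged for modifying Windows Defender Real-time Protection settings, and the loader keeps re-launching from C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PIDs 3612, 5368, 760), which the ATT&CK mapping in this report ties to Run-key and Windows-service persistence. The script checks an endpoint for those three things. Assumptions not given in the report: the Defender value names are the documented Real-Time Protection policy values, and because the Run-key value names and service names are not recorded, persistence entries are matched on the install directory alone. Run it in an elevated PowerShell session on the host under review.

```powershell
# Added host-triage example; not code from the sandbox report or from the sample.
# Assumptions (not in the report): the Defender value names below are the documented
# Real-Time Protection policy values; Run-key value names and service names used for
# persistence are unknown, so persistence is matched on the install directory alone.

$installDir  = 'abc3bc1985'   # from the process tree: ...\AppData\Local\Temp\abc3bc1985\skotes.exe
$installFile = 'skotes.exe'
$findings    = [System.Collections.Generic.List[string]]::new()

# 1. Defender Real-time Protection policy tampering (Impair Defenses: Disable or Modify Tools).
#    A 32-bit writer lands in the WOW6432Node view through registry redirection, so both
#    the native key and the redirected view are checked.
$rtpKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$rtpValues = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
             'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable'
foreach ($key in $rtpKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $rtpValues) {
        $p = $props.PSObject.Properties[$name]
        if ($null -ne $p -and [int]$p.Value -eq 1) {
            $findings.Add("Defender policy tamper: $key\$name = 1")
        }
    }
}
# Effective state as the Defender service reports it (cmdlet absent on hosts without Defender).
try {
    $mp = Get-MpPreference -ErrorAction Stop
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection') {
        if ($mp.$name) { $findings.Add("Defender effective setting: $name = True") }
    }
} catch { $findings.Add("Get-MpPreference unavailable: $($_.Exception.Message)") }

# 2. The loader dropped into each profile's %LOCALAPPDATA%\Temp.
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $exe = Join-Path -Path $userDir.FullName -ChildPath "AppData\Local\Temp\$installDir\$installFile"
    if (Test-Path -Path $exe) {
        $sha256 = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
        $findings.Add("Loader present: $exe SHA256=$sha256")
    }
}

# 3. Persistence (Registry Run Keys / Startup Folder and Windows Service in the ATT&CK mapping).
#    HKCU covers the current user only; other profiles' NTUSER.DAT hives are not loaded here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # PS* are provider metadata properties, not registry values.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$installDir*") {
            $findings.Add("Run-key persistence: $key\$($p.Name) = $($p.Value)")
        }
    }
}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$installDir*" } |
    ForEach-Object { $findings.Add("Service persistence: $($_.Name) -> $($_.PathName)") }

# 4. Anything currently running from the install directory.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -like "*\$installDir\*" } |
    ForEach-Object { $findings.Add("Running: PID $($_.ProcessId) $($_.ExecutablePath)") }

if ($findings.Count -eq 0) { 'No artifacts from this report found on this host.' } else { $findings }
```

A value present only under the WOW6432Node view still counts as tampering, it just identifies a 32-bit writer; compare it with the Get-MpPreference output to see what Defender actually applied. Run-key hits for other users need their hives loaded (reg load) before the HKU path can be queried the same way.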
Network
MITRE ATT&CK Enterprise v15 (number of matched signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads

File (path not shown)
- Filesize: 1B
- MD5: cfcd208495d565ef66e7dff9f98764da
- SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
- SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
- SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json
- Filesize: 27KB
- MD5: f5cb7eba8e45bbe52ad3746c5ab36399
- SHA1: b0df33d8588b847863199c386a55f936c3748d45
- SHA256: d04848e182a2528c4ab0ab5dd80e72cf33a696f1c44fc6fdc2a3903c73a2f9b6
- SHA512: 67cac8ee1ccf0a79fcec36cba0a987769bda36e4d429e227725bf82e2229e9912c88c240e9fc4258add354e6295865366c84c695d2e87bbbc644873075640050

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
- Filesize: 13KB
- MD5: 740cd371c60487cadf045635f797c513
- SHA1: 50a14f2cee6a074f93ba5a323534a77d7ccb870d
- SHA256: 52d3226f77eaf6d8deca0a53d717e1c160b6e3b3d51c6e0040bd296f8bd23104
- SHA512: 6d2fb4c0beedeced60743a11c238408dce73b4eb6c023fe01c21e15e458b237ddfb2ce213fac7df039709fca2aa7ad447b3bc740dbbf3edd66125c13e534415e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
- Filesize: 15KB
- MD5: 96c542dec016d9ec1ecc4dddfcbaac66
- SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
- SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
- SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

File (path not shown)
- Filesize: 1.9MB
- MD5: 2e19a105ae94d5cfdba8166af58f7a3e
- SHA1: 398ec17fa4b03728c4c48c6d2e6f99e01ff78a63
- SHA256: c4a16bac6cdc5735e1bbb57c7f4c300e35a4c2f617c85585d17ac5a55a875383
- SHA512: 181d6bec6fe7a93bc6ea1c5521977567a9565b1f7ef6b3a5cd8f8607ca27bdbca3c775ed6d5253ef1bb26227648d6a2d118c45b5e43af78a992135bf70b672ba

File (path not shown)
- Filesize: 1.8MB
- MD5: d7229a6c265f82bc80e0908656b99344
- SHA1: 5f7a6a735d114a12096d8b5e8048f62bf1cdb748
- SHA256: 128194635b1cd03bdd7da72b0346b5a5d82da29cde42dade730b15252396a6f7
- SHA512: d48561086b8c2c29c6953beedf1d48d67fad4121a9b6f5a5998e6cd9f8274b5a2310f37a0eeef35ec85a6b582b94ab0d9b9e4f4c377a7b20a5740bbca813124b

File (path not shown)
- Filesize: 1.7MB
- MD5: 0bd6feab9ec3faa844bdcdce20bb139a
- SHA1: 489a61c409dfb7d18be79e8ee0e6a357e2441b32
- SHA256: 5facd021cf569f15595a5bca8a9e248e6c32c1811f8b4c70ca037a15fed258ab
- SHA512: 48c0db3c10b1ac30f86705f98d653ab487728ad131167fd3a7f26f3666d54bbc0c034139c2baec8c66749999cadf9354b5231e43f05eefef3ed87c9d4057592f

File (path not shown)
- Filesize: 945KB
- MD5: b96df7b03681a0ccccd55bec984830b9
- SHA1: 5662645c21901d6494e0ac4fe194ba7ff9ce429a
- SHA256: 1863d39014b60eb609302b2e3646d97b571eadaa234cf787b821ceaf057ec45e
- SHA512: 4a87d8a4a7e93d13abaef95e5f562d3aa93333b54336d47e41bdeb25315d9b64ad6b4d3a1ad0547fe7ee83f8e3d61698e2801b1ac32a24e2beb454e9b6df3d87

File (path not shown)
- Filesize: 2.7MB
- MD5: d445052255ec75c77bf79748bd082efd
- SHA1: 3ed90fe05d24c1709ed86b252f676e506bc0a52b
- SHA256: 01d67e2f0de76a97a5af84425b8b7f88b6729de593c5dd7d9e203fd23dd8c561
- SHA512: 67355cfeecedfae91198f67a502fc4c075e77acbc13b9e0c67fcdd0bdf33a2d0d2ef72093b7aff730d4393551941debaa4f6969c2c3c20fad1cf8d876108848f

File (path not shown)
- Filesize: 2.6MB
- MD5: 99cff6034a2010e18f19281afa021aec
- SHA1: 6b045ce6bc1d26d244c083dbc4381c1d38539700
- SHA256: bda24b571a92286e33963d7790a6cada3b23b2d5b8c4099eb7f4922d41df113e
- SHA512: eed961481c0678c7777e79d5d9fd3fad71d6af44fa74a704018ce5dd5290945fd28e5220ffc8b6ab8aca5497d2dd9f8f062f61ffc9a8e77aec62d525f1dc41f2

File (path not shown)
- Filesize: 5.3MB
- MD5: 777d6a67707876286fe17d655c830ebf
- SHA1: 79867f542222556a1e256d800495f471d0c958f0
- SHA256: 4280ed645ef5b31060f54161c295196fc3ea72407fc1c466f43d21a96ffb133b
- SHA512: 3824620a7fbf59927bf61ed4cb0844a97e94e2f3d8c768b2530eea4b957212d81cb8364f7b1ce5e01f1c980f396bcd9df079ace9fc1bfeeec55f0a2c39167dd1

File (path not shown)
- Filesize: 1.7MB
- MD5: 82b70cb96dc208843a0380d75ff08f9b
- SHA1: d6d8eeabc5868e73a39ff5c9fd86270bda3a48b5
- SHA256: 697d7f31a1d5adab597902ceb9228a77b6e84d776be1f49a610b04de25d87801
- SHA512: 7c33eb7aea7854aade6aa7c94b1ac5fde978e57904dd344bd4405edd6d7652d8c28cd3075c87e37306a89d333a740f7552d7f4ccdc42c0d64a008449b5bdd39d

File (path not shown)
- Filesize: 3.5MB
- MD5: dec11b3cc0ee1492fbf2c3f8f5e21497
- SHA1: 0fbe6977002f563e309b75e36a89db3a33060254
- SHA256: 9223019e435ac3deb348e7ae211abe23c5f7bbccc4d2b9765a5cd1b7be82c06b
- SHA512: c569ef71e1738da249b0efb35542f414392e7c3a620f4b7ca4f42498a32a2f87b5b1d39eb41b866ff6660f32082fe09c5b2d6bfe31ea73b8831b9370336dc04f

File (path not shown)
- Filesize: 3.1MB
- MD5: 11c23f104d7ecfcb5b535f22214c5dbe
- SHA1: 0899ffd81ea3727de16614c5f9e84749f8182552
- SHA256: c5741977022e908fbe2c233df25c5d5c6b0b88af01a026acc6085f30793708ef
- SHA512: eca9bf13c3f03db9508a83dc3abef5268a9fcd8ffc3307a832fd871196dfc4e09bc1c1416ff5f66c49b153cad22c22e14bd7eb3da11ba848641d88a984764388

File (path not shown)
- Filesize: 1.7MB
- MD5: ffbf4dac7f1ed0ade66186644f98132c
- SHA1: dfb1a1993b0de0922174dce31e80df9508cd162a
- SHA256: ea3d6a813bfa00a6fe5888fdb841e24063e24bf7723ac233df33d1e07129e23c
- SHA512: 7bdcbdc172e4b7fc1d1d072f3258e4a5144b065d4b2d327bca306eada4f70bca5fd9ee603b3e1d1f4c98b298e4032bcd83dfbf9eb2b85b5abce649769645e856

File (path not shown)
- Filesize: 479KB
- MD5: 09372174e83dbbf696ee732fd2e875bb
- SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
- SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
- SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

File (path not shown)
- Filesize: 13.8MB
- MD5: 0a8747a2ac9ac08ae9508f36c6d75692
- SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
- SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
- SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
- Filesize: 6KB
- MD5: e78246f3e98c396bf81d171fe68d5eb1
- SHA1: 14f27422a49f4cc04c6bf2c43a42c831d0383a1f
- SHA256: 6eac9a9d476c9025877cd4da8316a3916a17184f55df5922f94765961e5775f1
- SHA512: ef797d3de21f9d19e186648326f0967f0b91916feedc9bfdc1c113cd10f3b2532feb0251ce571a3a846706821acb2092284871bc92a9dd036af88cdcbb68f8cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
- Filesize: 8KB
- MD5: 4ae641c66cc1ea558b18ac3f545304e1
- SHA1: 92cd6ec42503d35609248dd8a8ec3bba19876788
- SHA256: ea37960b82ef908346ee69af6ae1fb87ce4eb75d2bc686dde0fd7e8af33165a3
- SHA512: 0413a0ae53d44c6b007196c76540a4cf0bc22748fa00f5d2f51167fdbeadadb23de95465e7fd6b738aabc30273456c50899fae2366ab28e3a6fa7e1667cdf8ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.bin
- Filesize: 23KB
- MD5: a594c82f428e08630672671a9b8ccf0e
- SHA1: c8987700cda8d8eabf7c67c5ecbd90cc4dbf02da
- SHA256: dd308a66353c4c08c4f27c7ed753b3f952fe9f9c795ab83ae956d11b959f8726
- SHA512: 51e1f9b1a0f03e1886d73dd73bec36f4b452965606d4fd58e3f77d5ba745d2cc963ca0cd97abbd5f19e218f8dbb0433686185ac197b45178708fd2d33b15a1d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.bin
- Filesize: 24KB
- MD5: 427cc744afe83d2c0c0d6003aa62e3d5
- SHA1: a415e83f6c5d11011ca37e0dd64828ed43c8fbb1
- SHA256: b805be7fb22caa677c9425965753b70b4583b06568bad16e69fb3db756642afa
- SHA512: 6f6fda3855d5095916e48de5ac32f02d0c1e3722a3ffe444c14decd3deb5f46c41b82c1da53dc00b4919f9c47cad6b76dcc0a2a5abf33d1c0310a49875588d86

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
- Filesize: 22KB
- MD5: 59cde9e2d9edec4094c5fc71814ca8f5
- SHA1: 22f755369148c4de83045000448b2021f5b79613
- SHA256: ae0be626eac731bd669e0c84a43e60f49daa17858c17671b6b3aecac9744d963
- SHA512: 2fb2c569177facda0109cb5cca9c43d3842d996884dea2e4c5161c1b27380b27f3c82335142c6b089bfd2217dfe393989dfa36adaa928883670a50e26d746c10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
- Filesize: 24KB
- MD5: c02c920e52d90dacfbad296188082191
- SHA1: 6a7ad058c30d9f811946729fdf75218f2ee940f9
- SHA256: f4f2776ece3059b44f44914f5da09b08b77ed88eb33eaf023a9694d278277c86
- SHA512: 6baf72e4aa4c4d2ea1cf82ecf2f04017dd4829458ec76aca3d948d86d328455f3b4cd2dda13a78f169a253534e682d6fb474cca1720a617b0376eae7ad7aab18

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
- Filesize: 24KB
- MD5: 06063197b196189e93d804ca397ff2da
- SHA1: cf36a1c698f78abf9926858313105e23909afb11
- SHA256: 0a83d0a687837e87f659e82f7696849cca0252a8d19e90773cc98ab9b5e2c017
- SHA512: 7644f4e465ce5c46e64fad334a1a520c01cd601ba9b740f52882f7dabbe7a66e6324479dd795c02493dc5f52e6e6d8294c11de6c790264bf2c4d572d08b5c683

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
- Filesize: 24KB
- MD5: a78fad6ac8d1028c7a70af369be2a962
- SHA1: afe11ed504281a79df026ebb75d4aabe5532a925
- SHA256: 55d2b630eea3f447a0f5d78a42c58912db811407cfb5bd644ff86840e28ebdfd
- SHA512: 90e196807249aea06631c3238cd1f67a676381ba18030015e4e5acf910322db2eeb5f40ecf719c93a5fc2b9a45f87654ff3ecc35636c9e4c30242a1cb588ea7e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
- Filesize: 22KB
- MD5: 3e6dcb2b7e5c48a13b7b1819ef3b021f
- SHA1: 5c42afcaa3e8ab9006a28a9eea7c0cc0ab9ec6f4
- SHA256: f6560826571eb9d84880fdb2e8462fb221f8fa291c5157da01d50ec5f99504a6
- SHA512: 87d6d75d4af949310df39f07bfb0edc4f86c6fa64bfcffa5aa996f9dc47896d919fb7f20aec0558ab93fca6c5c91cc89152d3b1cccb68966fb5858bcf0ea12a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\34e2d92e-9639-472b-94fd-8ee9a2e42e01
- Filesize: 982B
- MD5: a53111d536eff782b85f5b26746cf845
- SHA1: 8f8f091fd6fc0cc0d4a6c144e444ca17016e9be9
- SHA256: 012358a306b0401e7230900aea786a1ccf0e6573edfd6ed83e4f8882eea9227b
- SHA512: 0f22abf4917a399929c9de3b74786b842d59c14121c619fd9406d4a36bbada75ccd4edaf1928b51328d8b8973afc9e31347d937c58f66abe8ee8a17150d53187

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\b5179224-40e8-4a41-a147-e6010d894bf9
- Filesize: 659B
- MD5: 1181bbd9d228a2a64ef4025ab4f7fdcd
- SHA1: 4c6dff9929700154f9290ca198ef0b9810f15d7c
- SHA256: 59bf053b0cae403a2396479b9b9bdd750ef0189d40b7c3181b50f80eabce2370
- SHA512: fed53e61923c22bd2c54b9bf10f6b9b1486104a22353ea69fca71f963ea55758d87d8ea4b7fa1b7f80bde80a634400dbb48b5be89f3ba0da460cf80281b7ad0d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
- Filesize: 1.1MB
- MD5: 842039753bf41fa5e11b3a1383061a87
- SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
- SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
- SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
- Filesize: 116B
- MD5: 2a461e9eb87fd1955cea740a3444ee7a
- SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
- SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
- SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
- Filesize: 372B
- MD5: bf957ad58b55f64219ab3f793e374316
- SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
- SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
- SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
- Filesize: 17.8MB
- MD5: daf7ef3acccab478aaa7d6dc1c60f865
- SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
- SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
- SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

File (path not shown)
- Filesize: 12KB
- MD5: 7e2a8e86af1a5491d7f948df20dcd507
- SHA1: 7089cc916c8b43a9796b5c8d6d1bc23ac244bbac
- SHA256: 9354478ee7d99d25538a9d93d327c980f0792b729b0905444bf05454e8ad542c
- SHA512: 98f6a4a27fa611f4c21f73e4a62a071218a4b020d5970d6978d3bf821e6ca28adaf468aee74b6ba43903f7c6966c8a8abd7c99aad7a98a1559a26cf50a4b6084

File (path not shown)
- Filesize: 10KB
- MD5: a9393d860b16d010da374f2fb6ed5a9b
- SHA1: ed1b559f5866eac87879a7863f60a8286dd3838f
- SHA256: 5f787d4a0f36f2eb6c88ae6637dc4ce267989b43cb0b8ccbe019fb012be4634a
- SHA512: 95eeebcbab741fff4d1971e5ad57ec9ac6ca31c01304b1ca4be4a6509dad25eae2817ba09a14ada339abaed68f5a89e50a5661a5a6837cce3241c6f845535b04

File (path not shown)
- Filesize: 15KB
- MD5: 1c029d222b823b81050f6357794be6da
- SHA1: 753f8c69ea72abc028c5ead6acda3b23a3bcfcd9
- SHA256: dc001d0e2a2f573bbcb33f64eefa92de102a9e5e36ba1bb5d604a95bee0c4657
- SHA512: 1070c49f0a908f89c205b9e49a86d7d76e78f798d375175e0bb05306154d5e9486f94fb89f9f8e61dcba0a1b7aa029f511e8bada0817e3af02247359a12dd27a

File (path not shown)
- Filesize: 10KB
- MD5: b70d01c4b7b4b64b26f15687492a5bf0
- SHA1: b74f010d0e02d5b0ea15542a750a7d80f9e9b007
- SHA256: b7805dd4b26b5f5c79871218a302bc231ca2f45ee402f7447e0aa57e3d4318c4
- SHA512: db9aab016cc0f3ce0a09ed0360d7b2cff29a0982f1afad241cdace2c842b4b205ee36654c8c226e0e7ad9ef4bda178ecebfcaab16fc31f25513f18d19589bd12