Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-12-2024 06:08
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
1f3880629f4830ad6b109bec208f274a
-
SHA1
55e3d4d3536eb1620d635a6350db4709dcff0ce2
-
SHA256
634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321
-
SHA512
3ba9d448fe0de299cfc0f83e902e8149fedff5e9dd3e3cdc3ac7fb153d54e7ab829a25ddd8794470c8e78fdc9178ca690dc3f69ecd2a7b2d61a38180004915e4
-
SSDEEP
98304:pPR9FCxdTCuiZARs+txszDbFuMtzKBbSN:pPR9HksgxcHFbm5
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | faf7156181.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | faf7156181.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | faf7156181.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | faf7156181.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | faf7156181.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | faf7156181.exe
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f50c000c96.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0e0a4ed1a8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | faf7156181.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f9bb9716cf.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0e0a4ed1a8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f9bb9716cf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f50c000c96.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f50c000c96.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | faf7156181.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0e0a4ed1a8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | faf7156181.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f9bb9716cf.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | file.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | skotes.exe
-
Executes dropped EXE 8 IoCs
pid | Process
576 | skotes.exe
2116 | f9bb9716cf.exe
1668 | f50c000c96.exe
4960 | 0e0a4ed1a8.exe
3916 | fa98bcc44c.exe
2180 | faf7156181.exe
5700 | skotes.exe
2848 | skotes.exe
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | faf7156181.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | f9bb9716cf.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | f50c000c96.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 0e0a4ed1a8.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | faf7156181.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | faf7156181.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f50c000c96.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013630001\\f50c000c96.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0e0a4ed1a8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013631001\\0e0a4ed1a8.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fa98bcc44c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013632001\\fa98bcc44c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faf7156181.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013633001\\faf7156181.exe" | skotes.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000a000000023b92-103.dat | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid | Process
2716 | file.exe
576 | skotes.exe
2116 | f9bb9716cf.exe
1668 | f50c000c96.exe
4960 | 0e0a4ed1a8.exe
2180 | faf7156181.exe
5700 | skotes.exe
2848 | skotes.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | file.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid | pid_target | Process | procid_target
4168 | 1668 | WerFault.exe | 90
2732 | 1668 | WerFault.exe | 90
5736 | 2116 | WerFault.exe | 88
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa98bcc44c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f50c000c96.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | fa98bcc44c.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | fa98bcc44c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | faf7156181.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f9bb9716cf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0e0a4ed1a8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
-
Kills process with taskkill 5 IoCs
pid | Process
960 | taskkill.exe
1920 | taskkill.exe
1992 | taskkill.exe
2376 | taskkill.exe
3640 | taskkill.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
2716 | file.exe
2716 | file.exe
576 | skotes.exe
576 | skotes.exe
2116 | f9bb9716cf.exe
2116 | f9bb9716cf.exe
1668 | f50c000c96.exe
1668 | f50c000c96.exe
4960 | 0e0a4ed1a8.exe
4960 | 0e0a4ed1a8.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
2180 | faf7156181.exe
2180 | faf7156181.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
2180 | faf7156181.exe
2180 | faf7156181.exe
2180 | faf7156181.exe
5700 | skotes.exe
5700 | skotes.exe
2848 | skotes.exe
2848 | skotes.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1920 | taskkill.exe
Token: SeDebugPrivilege | 1992 | taskkill.exe
Token: SeDebugPrivilege | 2376 | taskkill.exe
Token: SeDebugPrivilege | 3640 | taskkill.exe
Token: SeDebugPrivilege | 960 | taskkill.exe
Token: SeDebugPrivilege | 1316 | firefox.exe
Token: SeDebugPrivilege | 1316 | firefox.exe
Token: SeDebugPrivilege | 2180 | faf7156181.exe
Token: SeDebugPrivilege | 1316 | firefox.exe
Token: SeDebugPrivilege | 1316 | firefox.exe
Token: SeDebugPrivilege | 1316 | firefox.exe
-
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process
2716 | file.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
-
Suspicious use of SendNotifyMessage 31 IoCs
pid | Process
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
1316 | firefox.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
3916 | fa98bcc44c.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1316 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2716 wrote to memory of 576 | 2716 | file.exe | 83
PID 2716 wrote to memory of 576 | 2716 | file.exe | 83
PID 2716 wrote to memory of 576 | 2716 | file.exe | 83
PID 576 wrote to memory of 2116 | 576 | skotes.exe | 88
PID 576 wrote to memory of 2116 | 576 | skotes.exe | 88
PID 576 wrote to memory of 2116 | 576 | skotes.exe | 88
PID 576 wrote to memory of 1668 | 576 | skotes.exe | 90
PID 576 wrote to memory of 1668 | 576 | skotes.exe | 90
PID 576 wrote to memory of 1668 | 576 | skotes.exe | 90
PID 576 wrote to memory of 4960 | 576 | skotes.exe | 98
PID 576 wrote to memory of 4960 | 576 | skotes.exe | 98
PID 576 wrote to memory of 4960 | 576 | skotes.exe | 98
PID 576 wrote to memory of 3916 | 576 | skotes.exe | 99
PID 576 wrote to memory of 3916 | 576 | skotes.exe | 99
PID 576 wrote to memory of 3916 | 576 | skotes.exe | 99
PID 3916 wrote to memory of 1920 | 3916 | fa98bcc44c.exe | 100
PID 3916 wrote to memory of 1920 | 3916 | fa98bcc44c.exe | 100
PID 3916 wrote to memory of 1920 | 3916 | fa98bcc44c.exe | 100
PID 3916 wrote to memory of 1992 | 3916 | fa98bcc44c.exe | 102
PID 3916 wrote to memory of 1992 | 3916 | fa98bcc44c.exe | 102
PID 3916 wrote to memory of 1992 | 3916 | fa98bcc44c.exe | 102
PID 3916 wrote to memory of 2376 | 3916 | fa98bcc44c.exe | 104
PID 3916 wrote to memory of 2376 | 3916 | fa98bcc44c.exe | 104
PID 3916 wrote to memory of 2376 | 3916 | fa98bcc44c.exe | 104
PID 3916 wrote to memory of 3640 | 3916 | fa98bcc44c.exe | 106
PID 3916 wrote to memory of 3640 | 3916 | fa98bcc44c.exe | 106
PID 3916 wrote to memory of 3640 | 3916 | fa98bcc44c.exe | 106
PID 3916 wrote to memory of 960 | 3916 | fa98bcc44c.exe | 108
PID 3916 wrote to memory of 960 | 3916 | fa98bcc44c.exe | 108
PID 3916 wrote to memory of 960 | 3916 | fa98bcc44c.exe | 108
PID 3916 wrote to memory of 4592 | 3916 | fa98bcc44c.exe | 110
PID 3916 wrote to memory of 4592 | 3916 | fa98bcc44c.exe | 110
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 4592 wrote to memory of 1316 | 4592 | firefox.exe | 111
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
PID 1316 wrote to memory of 3228 | 1316 | firefox.exe | 112
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 576)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\1013629001\f9bb9716cf.exe (PID 2116)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1013629001\f9bb9716cf.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\WerFault.exe (PID 5736)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 644
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\1013630001\f50c000c96.exe (PID 1668)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1013630001\f50c000c96.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\WerFault.exe (PID 4168)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1480
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe (PID 2732)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1480
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\1013631001\0e0a4ed1a8.exe (PID 4960)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1013631001\0e0a4ed1a8.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\1013632001\fa98bcc44c.exe (PID 3916)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1013632001\fa98bcc44c.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe (PID 1920)
        Command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (PID 1992)
        Command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (PID 2376)
        Command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (PID 3640)
        Command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\taskkill.exe (PID 960)
        Command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Program Files\Mozilla Firefox\firefox.exe (PID 4592)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1316)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 3228)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8e82bc1-cc5b-4acd-bd9b-522432590856} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" gpu
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 2208)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c64d980-7364-4148-b76c-e299ad623a3a} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" socket
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 1668)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22552f83-ae31-41b8-a5b2-190a6644d4fe} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 3544)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3808 -prefMapHandle 3804 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22b05006-3204-41b2-82cd-264cee4813e9} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 5496)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4892 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b298cb0-0b9b-4ed3-b5f7-8ac320815fb8} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" utility
            - Checks processor information in registry
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 1420)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 3 -isForBrowser -prefsHandle 5688 -prefMapHandle 5684 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69195ab8-c740-431a-97ff-98d2c2842100} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 1568)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5700 -prefMapHandle 5696 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc2f8ca-6064-444a-af75-3f755c005917} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
          C:\Program Files\Mozilla Firefox\firefox.exe (PID 4568)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6048 -childID 5 -isForBrowser -prefsHandle 5936 -prefMapHandle 5940 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d97068c-41cc-4961-bf76-4e03f6eb6905} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
    C:\Users\Admin\AppData\Local\Temp\1013633001\faf7156181.exe (PID 2180)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1013633001\faf7156181.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 2416)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1668 -ip 1668
C:\Windows\SysWOW64\WerFault.exe (PID 2144)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1668 -ip 1668
C:\Windows\SysWOW64\WerFault.exe (PID 5712)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2116 -ip 2116
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 5700)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2848)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
-
Filesize 1B
MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
Filesize 27KB
MD5 9a95683e4435277bdd0a7ed624dd78d4
SHA1 b27c536f7315e480b8dd64ef93170f031be58b84
SHA256 3e9907836e09e2351223bcc6c4f85a0bb43b49cf9ec31fd394387015b7bb5e79
SHA512 10ea69d860dd3d2fe262b61f14050e57ca2743d89e5dc70b80c6d61689af99a9569d43af302daef48cc8b2aaccb4fd182fb30cc52879c0b1648f06f926c7470f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize 13KB
MD5 02715368be18f518df660ca167862066
SHA1 9fa51b8236939a6474e1dc29b82a431ba178ac8d
SHA256 f8054c8d5ceef325d7c955a6892afd315c0899d63a8d851a552e206ef83f7f61
SHA512 65d93c77920268af2b1878c1ce4fa2c79db5c5f2678bb2a2b5aab28359c335e2b485142ab8ff5a8a91b1fd5a49e12095fc823681ce41dd276b726a700fbe43b1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize 15KB
MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize 1.9MB
MD5 ae289ab30dfebf9432c69040df09a610
SHA1 6039324f5b9ff482f2111b0fe1427c6b0aa64c14
SHA256 d6f64f42200504958f0d75af57b0766aab46ac3ccd770cb1e5cc91927579d9fb
SHA512 8165695a7160d1be996c2fb17eb157bf0dfdfc451029c7879db5de0876d4e9c623ef0842b134a1bcc4ff58109abe242f03a8f76b68a7159b4b5ea56e5a3204f3
-
Filesize 1.8MB
MD5 5a9cac2f794b43f5d882fca4c8b69e01
SHA1 a8599eb0cd47d74d71788a7c7d2002a068b844fc
SHA256 3997786e3af8757f0fd6c93a105c035fd32af39f1a16e08f28636a8bac1816d5
SHA512 fbb69193759b1aea7e984902e0d8817b4fc5274d9b51e81b8653f4826a920b0e96e9ec9c4ca78041d6abfe3b12a78ed336282c06351efe274a089faa0fd10c61
-
Filesize 1.7MB
MD5 f2594aa2805079965e15394622d2ccce
SHA1 9ececc6808e161984c062b8c6bd37126431e8c0d
SHA256 fb80d25dd32bb05e9256ace05a960de677c80c5b5f148d49614877dba352b926
SHA512 65af33bd170aa2520e06e458e26592bafbd7e3cef071a101ce08de039f7d6d2b37063f9a974f799c130266c833dfc9668811bac535692beaecf5db0152b7a5b3
-
Filesize 947KB
MD5 45f170439dfb5ec70ed1a1e7234ccd6d
SHA1 47dadb5c3c0b157460f4c2fe26e5d6d1ef03e7ab
SHA256 f358e982d31718c8a6ec9803e16c765d8a6ef3c8002fbcc465e75a9e173ab9e5
SHA512 e640d4580eb8c6a3c3a21aa8761b81a0209aae8bc8526ff522fddb7183aee467d7c23a88af35dec12304a561e8483b5425dcf7a6917ce69d2addf1a913808dd3
-
Filesize 2.7MB
MD5 718a8fd7df8d1fc74324fc0316026e0a
SHA1 0e79cebea9ea00b2666a40487204b3bcb118fd23
SHA256 ed37e25ccce64614ae767339bc899b669de6b7a4651c18e755f77bdea1c0015f
SHA512 533b9b9f53dbec7c285177a64bd1094206c3fae25be28cc1a0607cf9dd3ee9db5471b3099d8f1e0e685734ae57626bd16c93a615b1f038f73f56c25668ff93be
-
Filesize 3.1MB
MD5 1f3880629f4830ad6b109bec208f274a
SHA1 55e3d4d3536eb1620d635a6350db4709dcff0ce2
SHA256 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321
SHA512 3ba9d448fe0de299cfc0f83e902e8149fedff5e9dd3e3cdc3ac7fb153d54e7ab829a25ddd8794470c8e78fdc9178ca690dc3f69ecd2a7b2d61a38180004915e4
-
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 6KB
MD5 734483578d82d0346d38ccca5974ee68
SHA1 79be73dee4cd6460cd2fa6ad1183749792ce8087
SHA256 91e05774c78cee1b98e533834f01def307db7c4e47f35680771e0f8025a397c7
SHA512 83339508fc62c65c5510a0dcdc4dfc0aef1742fbc120b8744fbb6b3a507f71e18a3c16b18072f13d03a5ee33f3ff2aae0c6c572ce89456bcd4ee346419239b24
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
Filesize 8KB
MD5 b56bdf1d2e70c97a140d7e7b8b22ecfe
SHA1 00e75b88c0568e093138156ee9d5922e1ec6efd8
SHA256 82f614f70098993f1872573a2c39127001841bbfa80efdb13fa526a4fdb217f8
SHA512 bcbd63713bf5800e81831c77ef9b08d7f8bf1efaab708fa3360b4d403957f2179191b828355632551ee575024700bf07a47de1b9a8e2444758dd78cac6dbeb08
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 1f8f90543a5b6c4c5f477c7dbd637c16
SHA1 e6d1224f3935c0455a83296d488a852d8168533f
SHA256 cab28f7031d948d328a8df03c2265121e21b5181f23b6fc8eb0cdafa1154cc88
SHA512 d7668e12846711040b661da76d57cc7f7cc66bc0ed96958ff270fc8c5dba041006d217372b6463a56d9bc7c2e04361bf254a2ba0d84f9f0cef4a7a89a451c774
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 f8e92c921ac4cf56ec5f025a611b4807
SHA1 4cc25e8f59b283618adf22ef2207d57d9a7b129b
SHA256 4bb9166952eecec66cfe34a56440cdcbfa4df8f1639c6bd6b4ad02a25af13edb
SHA512 769e9a079ea1aadcd56a5e40788e0f959bbb6bb4768f141f903f615e4f7ed22a762f0e5ceee47a4a2d12a928da210b7aed6c3a433a499d139f4fe1ecc108e3c8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 14KB
MD5 e06b38548a89d34801d62838cedee46c
SHA1 b25757ce81d12c3ddf161622b872f6cadfa1f78c
SHA256 4eeb4cc809073ba5ab569e33f995591e30b3a4599735f795a4400d4b118af66f
SHA512 ed7baeb65643831408e4ac66939aa8b54239cff5a1772246cfe8310cee9dd66a09927bf5df624f365660eff898707a688f9450cdf1343c2c605a894f08457f9d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
Filesize 14KB
MD5 bd285277bb823c4b486a025cae62f99a
SHA1 618cff3da89f65f95c61c5d8069ada39b7b3e605
SHA256916b8d8f177bb4889ed6bf2ffd0f6d64f8178a592914b260ef084019bed7601a
SHA512efacfea74fb2cbd948777a94a8610344621dd23ea716605d8217daaae2a83473b66d2053296f88ca75f0c06c1c237d4b7bafd103f44ab7af7f27e4a9d18c7fdf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\2e621c71-387f-4058-950f-52e1fee9144a
Filesize671B
MD50ca9e0b72134a4cd5aebbb7a8f5abdf3
SHA18a5c279ceb00b96d4b5c6831a701ff79c15ae6a6
SHA256c6c6a19fa26958df21d196e3519fae0105c317c546ef89f577fc6d8170f667b7
SHA5124f99714da4e42c15a48af6e0bf4cf9e2ec2948252e027853a430cad22212176afb33fc5fb5464e63f560d2976aac84ceab08dcd108e69bc534e11559f7cc7477
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\5c69cd18-68ca-4746-8bb5-a398d6946bca
Filesize982B
MD5847c99a5c29b53bdec8ca49c4ea6c389
SHA145025147b0781e5dd8cec16f1475cf34f134f507
SHA256c0d86bca2bacb15c96d19599a9accacb04ae4440204f24b49e650d75331923f8
SHA512c38dcb29457608c35ebc5a80f33cb3ee99a2802e2bf13faf36ff45a963e063a53f522cde0bb755af02a992f96f42f47412e3bdf5549d48e6b89b5e334984506e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\d454c244-7fc3-495a-b09d-3e5d37df44e5
Filesize27KB
MD5f2724bb38cf28445549d59ebfd898499
SHA117d601c6982a7042c439d51045de870ba90910bb
SHA25699c31e32ebf5b588cc49d50758b7cba5f8524e0d1f796b81880c0139c422b9e6
SHA51295b0a33891d490731a87a157590cdb8c2a9cf4534020f7a729b655c010b8c24298571b3a97e7c8e7d8745f34df09767a70a76ad82c023dc106ad702a3191afd4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD586d2d16b92bc80af4875e7794457e819
SHA14768ec37fee950a2f37912970b25c798f6f66117
SHA256a10c6b940759295a72d20d803de679934602562c8a5986f220deafe74e1009db
SHA5124694640aafa62ea9e0c3ae46f9751a7c7c020893d689f3a59487867d7f988044e0b1f0509a69d14177fe94c4cae5f4ec06c8308d3a695a74aab15fdd95614c93
-
Filesize
15KB
MD5b6ffb2df45232660b3c0bcde06f37375
SHA1779f578109ee8ca29e55d3a0295291eafc1de4d0
SHA256354c4545a22d18c356565e4c6e053518d44ba734d061f43409e10e045ab1fe89
SHA512ee4f1c530baf029ac592af18167a05a648cacaa91eee491c7230a7fbf8674cfc3c3abfb5422a833974f88ce23b220f2eaf577e4b0de0fcd7a16c2fbdb6161125
-
Filesize
10KB
MD5562549bee9df2bffcc7772ea8ce43ed5
SHA154f22104db93d3253a9eea724319ef81a79b94a9
SHA2563a87edc01ee1c1949adcab96de314ecaf1dfb6f9a20f0efabfc6abda50db56cf
SHA512c28a91381909cc298407f159d21821d046ba550227229e3e1e3a1fa343c94bc17f0c6610c17b5226029c47339a6da0d1a1704b9453ea027773e395cec4cfbcc0
-
Filesize
10KB
MD51cd94ac8f25b4ab623d744ad51d5925e
SHA16ed557d3bc1a80bc8c1f7a83c64c248e0e5385b2
SHA25613d304a6baaa0527e447f9f8e25b4557f08a2643e1de17832f7c0d356889bd71
SHA512ef19bbc3550df11eee61d04e40a12149ca5fbc801103f6e0dd84beaebbadd01bceb3e0a5b82b58b68a95c66d2d171b84ca3f10e8c08d4da514593cfebdee70b0
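The dropped-file table above is, in its raw extracted form, a list of label/value lines in which the label often fuses with its value (MD5<hex>, Filesize6KB) and the size is sometimes wrapped onto the following line. The Python below is an added example, not part of this report or of any sandbox vendor's tooling: it parses that raw form (and the space-separated form) into one record per "-"-delimited entry, rejects hash values whose length does not match the algorithm, and looks a SHA-256 up against the table. The embedded sample is constructed: its first two entries are copied from the table above; the third entry, its path C:\Users\Admin\AppData\Local\Temp\constructed.bin and its payload are synthetic, with hashes computed at runtime so a positive lookup can be shown offline.

```python
"""Parse a sandbox report's dropped-file hash table and look files up in it.

Added example for this page, not the report's or any sandbox vendor's code.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Expected hex length per algorithm; anything else is a truncated or mis-split value.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Label may be fused with its value or separated by whitespace. Longest label
# first so "SHA256..." is not read as "SHA1" followed by "256...".
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]*)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")   # the report lists Windows paths only


@dataclass
class DroppedFile:
    path: Optional[str] = None          # None where the report omits the filename
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_dropped_files(text: str) -> List[DroppedFile]:
    """Split the table on its "-" separators into one record per dropped file."""
    records: List[DroppedFile] = []
    cur = DroppedFile()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if cur.hashes:
                records.append(cur)
            cur = DroppedFile()
        elif PATH_RE.match(line):
            cur.path = line
        elif (m := SIZE_RE.match(line)):
            size = m.group(1)
            if not size and i + 1 < len(lines) and lines[i + 1] != "-":
                i += 1                   # size value was wrapped onto the next line
                size = lines[i]
            cur.size = size
        elif (m := HASH_RE.match(line)):
            label, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != HASH_LEN[label]:
                raise ValueError(f"{label} has {len(hexval)} hex chars, "
                                 f"expected {HASH_LEN[label]}: {line[:20]}...")
            cur.hashes[label] = hexval
        i += 1
    if cur.hashes:
        records.append(cur)
    return records


def index_by_sha256(records: List[DroppedFile]) -> Dict[str, DroppedFile]:
    """Key the table on SHA-256; MD5/SHA-1 stay in the record for cross-referencing."""
    return {r.hashes["SHA256"]: r for r in records if "SHA256" in r.hashes}


def match_bytes(data: bytes, index: Dict[str, DroppedFile]) -> Optional[DroppedFile]:
    """Return the record whose SHA-256 matches `data`, or None."""
    return index.get(hashlib.sha256(data).hexdigest())


def match_file(path: str, index: Dict[str, DroppedFile]) -> Optional[DroppedFile]:
    """Same lookup for a file on disk, hashed in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return index.get(h.hexdigest())


# Constructed input: two entries copied from the table above in raw extracted
# form, plus a synthetic third entry (path and payload are not from the report)
# whose hashes are computed here so a positive lookup can be exercised offline.
SAMPLE_BYTES = b"constructed sample payload, not a real dropped file\n"
SAMPLE_REPORT = "\n".join([
    "Filesize",
    "3.1MB",
    "MD51f3880629f4830ad6b109bec208f274a",
    "SHA155e3d4d3536eb1620d635a6350db4709dcff0ce2",
    "SHA256634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321",
    "SHA5123ba9d448fe0de299cfc0f83e902e8149fedff5e9dd3e3cdc3ac7fb153d54e7ab829a25ddd8794470c8e78fdc9178ca690dc3f69ecd2a7b2d61a38180004915e4",
    "-",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin",
    "Filesize6KB",
    "MD5734483578d82d0346d38ccca5974ee68",
    "SHA179be73dee4cd6460cd2fa6ad1183749792ce8087",
    "SHA25691e05774c78cee1b98e533834f01def307db7c4e47f35680771e0f8025a397c7",
    "SHA51283339508fc62c65c5510a0dcdc4dfc0aef1742fbc120b8744fbb6b3a507f71e18a3c16b18072f13d03a5ee33f3ff2aae0c6c572ce89456bcd4ee346419239b24",
    "-",
    r"C:\Users\Admin\AppData\Local\Temp\constructed.bin",
    f"Filesize{len(SAMPLE_BYTES)}B",
    "MD5" + hashlib.md5(SAMPLE_BYTES).hexdigest(),
    "SHA1" + hashlib.sha1(SAMPLE_BYTES).hexdigest(),
    "SHA256" + hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    "SHA512" + hashlib.sha512(SAMPLE_BYTES).hexdigest(),
    "-",
])
```

Paste the whole table into `parse_dropped_files`, build the index once with `index_by_sha256`, and run `match_file` over a quarantine directory; entries the report lists without a filename still match, since the lookup keys on SHA-256 rather than on path. A record with a mis-split hash raises instead of being indexed silently, which is the failure mode to watch for when IOC tables are scraped from rendered pages.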