Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-12-2024 15:41
Static task
static1
General
-
Target
1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe
-
Size
6.8MB
-
MD5
46de01bfa59106a889611ac96dff4ec5
-
SHA1
c1ff9114e160f54d47f45c214ee768dfd361fb61
-
SHA256
1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f
-
SHA512
80a0a2c0066f8520d8c5da79b923905aa21b78bf7e49ab89ba6a9c296638805a9adecb330d0c70f1695987adf83448f74b8c7e629da8655b2b4ab7dbd09db673
-
SSDEEP
196608:4c4FY3yDTCyB5DhrTSpHuDJddt9jbu6c9bXqkI:wFwyD5Dhr8uDJfjbu60RI
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://covery-mover.biz/api
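The configs above give concrete C2 endpoints for all three families: Amadey beacons to http://185.215.113.43/Zu7JuNko/index.php, both Stealc configs (botnets drum and stok) post to the same panel at http://185.215.113.206/c4becf79229cb002.php, and Lumma rotates through nine .biz hosts under /api (the second Lumma block repeats two of them). The Network section of this report is empty, so the following added example, which is not part of the sandbox output or of the malware, turns those extracted values into a host-indexed indicator set and runs it over constructed proxy-style log lines; the log format and client addresses are assumptions made for the example.

```python
"""Derive network indicators from the configs extracted above and run
them over proxy-style log lines.

Added example for this report; it is not part of the sandbox output
or of the malware. Hosts and paths come from the Malware Config
section; the log lines are constructed here so the block runs offline."""
import re
from urllib.parse import urlsplit

# Family -> full C2 URLs, as extracted on this page. The two Stealc
# configs (botnets "drum" and "stok") share one panel, so one URL covers
# both; the second Lumma extraction repeats two hosts already listed.
EXTRACTED = {
    "amadey": ["http://185.215.113.43/Zu7JuNko/index.php"],
    "stealc": ["http://185.215.113.206/c4becf79229cb002.php"],
    "lumma": [
        "https://impend-differ.biz/api", "https://print-vexer.biz/api",
        "https://dare-curbys.biz/api", "https://covery-mover.biz/api",
        "https://formy-spill.biz/api", "https://dwell-exclaim.biz/api",
        "https://zinc-sneark.biz/api", "https://se-blurry.biz/api",
        "https://atten-supporse.biz/api",
    ],
}


def build_indicators(extracted=EXTRACTED):
    """Index by lower-cased host: host -> (family, set of known paths).
    Matching on host first keeps a benign site that happens to serve a
    same-named .php from lighting up."""
    idx = {}
    for family, urls in extracted.items():
        for url in urls:
            parts = urlsplit(url)
            _fam, paths = idx.setdefault(parts.hostname.lower(), (family, set()))
            paths.add(parts.path)
    return idx


# Constructed log format: "<ts> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
                    r"(?P<url>\S+)\s+(?P<status>\d{3})$")


def match_log(lines, idx=None):
    """Return (client, family, host, path, exact_path) for each hit.
    A known host with an unlisted path is still reported, flagged
    exact_path=False: a C2 panel serves more than the one beacon path."""
    idx = idx if idx is not None else build_indicators()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host in idx:
            family, paths = idx[host]
            hits.append((m["client"], family, host, parts.path, parts.path in paths))
    return hits


# Constructed sample traffic (not taken from the sandbox's Network tab).
SAMPLE_LOG = """\
2024-12-10T15:42:01Z 10.0.0.15 POST http://185.215.113.43/Zu7JuNko/index.php 200
2024-12-10T15:42:03Z 10.0.0.15 GET http://185.215.113.43/Zu7JuNko/other.php 200
2024-12-10T15:42:09Z 10.0.0.15 POST http://185.215.113.206/c4becf79229cb002.php 200
2024-12-10T15:42:15Z 10.0.0.15 POST https://covery-mover.biz/api 200
2024-12-10T15:42:20Z 10.0.0.15 GET https://www.mozilla.org/firefox/ 200
2024-12-10T15:42:21Z 10.0.0.16 GET http://example.com/c4becf79229cb002.php 404
""".splitlines()

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

The last sample line deliberately reuses the Stealc file name on an unrelated host and is not reported: the path alone is not an indicator, the host plus path is. Conversely the second line hits the Amadey host on a path the config does not list and is reported with exact_path=False, which is the row an analyst should look at when the C2 serves follow-on payloads.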
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 11 IoCs
All values below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection.
description | ioc | Process
Set value (int) | DisableRealtimeMonitoring = "1" | 12ffa22b73.exe
Key created | (the Real-Time Protection key itself) | 4c676y.exe
Set value (int) | DisableIOAVProtection = "1" | 4c676y.exe
Set value (int) | DisableOnAccessProtection = "1" | 4c676y.exe
Set value (int) | DisableRealtimeMonitoring = "1" | 4c676y.exe
Set value (int) | DisableScanOnRealtimeEnable = "1" | 4c676y.exe
Set value (int) | DisableBehaviorMonitoring = "1" | 4c676y.exe
Set value (int) | DisableBehaviorMonitoring = "1" | 12ffa22b73.exe
Set value (int) | DisableIOAVProtection = "1" | 12ffa22b73.exe
Set value (int) | DisableOnAccessProtection = "1" | 12ffa22b73.exe
Set value (int) | DisableScanOnRealtimeEnable = "1" | 12ffa22b73.exe
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 665825c9fa.exe, f544f39d33.exe, 12ffa22b73.exe, skotes.exe (4 events), 1F13S3.exe, 2Q2359.exe, 3O22S.exe, 4c676y.exe, fd69f1f7c1.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fd69f1f7c1.exe, skotes.exe (4 events), 4c676y.exe, 665825c9fa.exe, f544f39d33.exe, 3O22S.exe, 12ffa22b73.exe, 1F13S3.exe, 2Q2359.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe (4 events), 3O22S.exe, 4c676y.exe, f544f39d33.exe, 12ffa22b73.exe, fd69f1f7c1.exe, 1F13S3.exe, 665825c9fa.exe, 2Q2359.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 1F13S3.exe
-
Executes dropped EXE 15 IoCs
pid | Process
3428 | i2k60.exe
3068 | N4N50.exe
3992 | 1F13S3.exe
4408 | skotes.exe
4932 | 2Q2359.exe
3120 | 3O22S.exe
3680 | 4c676y.exe
2268 | 665825c9fa.exe
2232 | f544f39d33.exe
2932 | 422c85e16b.exe
4184 | skotes.exe
4760 | 12ffa22b73.exe
5088 | fd69f1f7c1.exe
3504 | skotes.exe
5492 | skotes.exe
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | 3O22S.exe, 4c676y.exe, 665825c9fa.exe, f544f39d33.exe, skotes.exe (4 events), 1F13S3.exe, 2Q2359.exe, 12ffa22b73.exe, fd69f1f7c1.exe
-
Windows security modification 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4c676y.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4c676y.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 12ffa22b73.exe
-
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | i2k60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | N4N50.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\665825c9fa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013740001\\665825c9fa.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f544f39d33.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013741001\\f544f39d33.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\422c85e16b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013742001\\422c85e16b.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12ffa22b73.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013743001\\12ffa22b73.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe
-
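The three registry-write tables above (Defender Real-Time Protection Disable* flags set to 1, Features\TamperProtection set to 0, and the Run/RunOnce additions) are the kind of event a host-based detector should classify rather than merely log, because the same Run key also carries the wextract_cleanupN RunOnce entries, which are the IExpress self-extractor (wextract.exe) scheduling deletion of its own IXP00N.TMP folder and are not persistence. The following added example, which is not sandbox or malware code, does that classification over event tuples constructed from the rows on this page plus one constructed benign control row; the labels and severities are the author's choice. One caveat the trace cannot settle: every path logged sits under WOW6432Node, the 32-bit view seen by a 32-bit process, and whether the 64-bit Defender service honours those writes on a patched host with Tamper Protection on is a separate question.

```python
"""Classify registry writes like those in the Defender, Windows
security modification and Run-key tables above.

Added example for this report; not sandbox or malware code. The event
tuples are constructed from the tables on this page (plus one benign
control row); the labels and severities are the author's choice."""
import re

RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
USER_RUN = r"\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# (op, key, value_name, data, process). "Key created" rows carry None.
EVENTS = [
    ("set", RTP, "DisableRealtimeMonitoring", "1", "12ffa22b73.exe"),
    ("create", RTP, None, None, "4c676y.exe"),
    ("set", RTP, "DisableBehaviorMonitoring", "1", "4c676y.exe"),
    ("set", FEATURES, "TamperProtection", "0", "4c676y.exe"),
    ("set", USER_RUN, "665825c9fa.exe",
     r"C:\Users\Admin\AppData\Local\Temp\1013740001\665825c9fa.exe", "skotes.exe"),
    ("set", HKLM_RUNONCE, "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe"),
    # Constructed benign control: an ordinary per-user autostart.
    ("set", USER_RUN, "OneDrive",
     r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background", "explorer.exe"),
]

# Key patterns ignore the WOW6432Node prefix on purpose: both views matter.
RTP_KEY = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection$", re.I)
RTP_FLAGS = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
             "DisableOnAccessProtection", "DisableScanOnRealtimeEnable"}
FEATURES_KEY = re.compile(r"\\Microsoft\\Windows Defender\\Features$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)$", re.I)
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WEXTRACT = re.compile(r"^wextract_cleanup\d+$")


def classify(event):
    """Return (label, severity) for one registry write event."""
    op, key, name, data, _proc = event
    data = "" if data is None else str(data)
    if RTP_KEY.search(key):
        if op == "create":
            return ("defender_policy_key_created", "medium")
        if name in RTP_FLAGS and data == "1":
            return ("defender_rtp_disabled", "high")
    if FEATURES_KEY.search(key) and name == "TamperProtection" and data == "0":
        return ("defender_tamper_protection_off", "high")
    m = RUN_KEY.search(key)
    if m:
        # wextract_cleanupN + advpack DelNodeRunDLL32 is the IExpress
        # self-extractor scheduling deletion of its IXP00N.TMP folder.
        if (m.group(1).lower() == "runonce" and WEXTRACT.match(name or "")
                and "advpack.dll,DelNodeRunDLL32" in data):
            return ("iexpress_cleanup", "info")
        if TEMP_PATH.search(data):
            return ("run_persistence_from_temp", "high")
        return ("run_key_added", "low")
    return ("unclassified", "none")


def triage(events):
    """Findings grouped per writing process, unclassified writes dropped."""
    out = {}
    for ev in events:
        label, sev = classify(ev)
        if sev != "none":
            out.setdefault(ev[4], []).append((label, sev))
    return out


if __name__ == "__main__":
    for proc, findings in triage(EVENTS).items():
        print(proc, findings)
```

Run against the rows on this page, 4c676y.exe collects the policy-key creation, a Real-Time Protection flag and the TamperProtection write, while skotes.exe collects only Run-key persistence pointing into AppData\Local\Temp, which is the split between the Defender-tampering payloads and the Amadey loader that the process tree below also shows.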
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0007000000023cb6-92.dat | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
3992 | 1F13S3.exe
4408 | skotes.exe
4932 | 2Q2359.exe
3120 | 3O22S.exe
3680 | 4c676y.exe
2268 | 665825c9fa.exe
2232 | f544f39d33.exe
4184 | skotes.exe
4760 | 12ffa22b73.exe
5088 | fd69f1f7c1.exe
3504 | skotes.exe
5492 | skotes.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 1F13S3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
6648 | 5088 | WerFault.exe | 116
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3O22S.exe, 665825c9fa.exe, taskkill.exe (5 events), fd69f1f7c1.exe, N4N50.exe, skotes.exe, 2Q2359.exe, i2k60.exe, 1F13S3.exe, 12ffa22b73.exe, 1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe, 4c676y.exe, f544f39d33.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 422c85e16b.exe (2 events)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 422c85e16b.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe (2 events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe (2 events)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
-
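Read individually, the registry reads in the sandbox-evasion signatures above (VirtualBox ACPI tables, BIOS version strings, the Wine key, Geo\Nation, NLS\Language and CentralProcessor) are weak: the only process reading CentralProcessor\0 here is the legitimate firefox.exe, and taskkill.exe opens NLS\Language like every other localised binary. What separates the dropped executables is that each one hits several categories, and two of them (the VBOX__ ACPI key and Software\Wine) have no plausible reason to be read by a payload at all. The following added example, which is not sandbox code, scores reads per process on that basis; the events are a constructed subset of the rows on this page, the weighting is the author's, and the ACPI pattern generalises beyond the DSDT rows shown here to FADT, RSDT and SSDT, which VirtualBox brands the same way.

```python
"""Score registry reads per process against the sandbox and VM probes
listed in the signatures above (VirtualBox ACPI tables, BIOS strings,
Wine, Geo\\Nation, NLS language, CPU details).

Added example for this report; not sandbox code. The events are a
constructed subset of the rows on this page; the weighting is the
author's. The ACPI pattern also accepts FADT/RSDT/SSDT, which
VirtualBox brands the same way, a generalisation beyond the DSDT rows
shown here."""
import re
from collections import defaultdict

PROBES = [
    ("vbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT|SSDT)\\VBOX__", re.I)),
    ("wine",      re.compile(r"\\Software\\Wine$", re.I)),
    ("bios",      re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("geo",       re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("language",  re.compile(r"\\Control\\Nls\\Language(\\InstallLanguage)?$", re.I)),
    ("cpu",       re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\.*)?$", re.I)),
]
# Categories with no plausible benign reason in a dropped executable.
STRONG = {"vbox_acpi", "wine"}

HKU = r"\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000"
HKLM_SYS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
EVENTS = [  # (op, key, process), constructed from the tables above
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "skotes.exe"),
    ("Key value queried", HKLM_SYS + r"\SystemBiosVersion", "skotes.exe"),
    ("Key value queried", HKLM_SYS + r"\VideoBiosVersion", "skotes.exe"),
    ("Key opened", HKU + r"\Software\Wine", "skotes.exe"),
    ("Key value queried", HKU + r"\Control Panel\International\Geo\Nation", "skotes.exe"),
    ("Key opened", NLS, "skotes.exe"),
    ("Key value queried", HKU + r"\Control Panel\International\Geo\Nation", "1F13S3.exe"),
    ("Key opened", NLS, "1F13S3.exe"),
    ("Key value queried", HKLM_SYS + r"\SystemBiosVersion", "1F13S3.exe"),
    ("Key opened", NLS, "taskkill.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language", "422c85e16b.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage", "422c85e16b.exe"),
    ("Key opened", HKLM_SYS + r"\CentralProcessor\0", "firefox.exe"),
    ("Key value queried", HKLM_SYS + r"\CentralProcessor\0\~Mhz", "firefox.exe"),
    ("Key value queried", HKLM_SYS + r"\CentralProcessor\0\ProcessorNameString", "firefox.exe"),
]


def categorize(key):
    """Map one registry path to a probe category, or None."""
    for name, rx in PROBES:
        if rx.search(key):
            return name
    return None


def score(events):
    """Per process: sorted probe categories hit, and an alert flag that
    is set by any strong category or by three or more weak ones."""
    cats = defaultdict(set)
    for _op, key, proc in events:
        c = categorize(key)
        if c:
            cats[proc].add(c)
    return {proc: {"categories": sorted(s), "alert": bool(s & STRONG) or len(s) >= 3}
            for proc, s in cats.items()}


if __name__ == "__main__":
    for proc, verdict in score(EVENTS).items():
        print(proc, verdict)
```

With this subset skotes.exe alerts on the strong categories alone, 1F13S3.exe alerts on breadth (BIOS, Geo\Nation and NLS with nothing strong), and firefox.exe, taskkill.exe and 422c85e16b.exe stay quiet, which matches how an analyst reads the full tables.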
Kills process with taskkill 5 IoCs
pid | Process
1612 | taskkill.exe
2172 | taskkill.exe
1964 | taskkill.exe
5000 | taskkill.exe
1420 | taskkill.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid | Process | events
3992 | 1F13S3.exe | 2
4408 | skotes.exe | 2
4932 | 2Q2359.exe | 2
3120 | 3O22S.exe | 2
3680 | 4c676y.exe | 4
2268 | 665825c9fa.exe | 2
2232 | f544f39d33.exe | 2
4184 | skotes.exe | 2
2932 | 422c85e16b.exe | 4
4760 | 12ffa22b73.exe | 5
5088 | fd69f1f7c1.exe | 2
3504 | skotes.exe | 2
5492 | skotes.exe | 2
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3680 | 4c676y.exe
Token: SeDebugPrivilege | 1420 | taskkill.exe
Token: SeDebugPrivilege | 1612 | taskkill.exe
Token: SeDebugPrivilege | 2172 | taskkill.exe
Token: SeDebugPrivilege | 1964 | taskkill.exe
Token: SeDebugPrivilege | 5000 | taskkill.exe
Token: SeDebugPrivilege | 2216 | firefox.exe (5 events)
Token: SeDebugPrivilege | 4760 | 12ffa22b73.exe
-
Suspicious use of FindShellTrayWindow 34 IoCs
pid | Process | events
3992 | 1F13S3.exe | 1
2932 | 422c85e16b.exe | 12
2216 | firefox.exe | 21
-
Suspicious use of SendNotifyMessage 32 IoCs
pid | Process | events
2932 | 422c85e16b.exe | 12
2216 | firefox.exe | 20
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2216 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | events
PID 1852 wrote to memory of 3428 | 1852 | 1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe | 83 | 3
PID 3428 wrote to memory of 3068 | 3428 | i2k60.exe | 84 | 3
PID 3068 wrote to memory of 3992 | 3068 | N4N50.exe | 85 | 3
PID 3992 wrote to memory of 4408 | 3992 | 1F13S3.exe | 86 | 3
PID 3068 wrote to memory of 4932 | 3068 | N4N50.exe | 87 | 3
PID 3428 wrote to memory of 3120 | 3428 | i2k60.exe | 88 | 3
PID 1852 wrote to memory of 3680 | 1852 | 1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe | 89 | 3
PID 4408 wrote to memory of 2268 | 4408 | skotes.exe | 90 | 3
PID 4408 wrote to memory of 2232 | 4408 | skotes.exe | 95 | 3
PID 4408 wrote to memory of 2932 | 4408 | skotes.exe | 96 | 3
PID 2932 wrote to memory of 1420 | 2932 | 422c85e16b.exe | 97 | 3
PID 2932 wrote to memory of 1612 | 2932 | 422c85e16b.exe | 100 | 3
PID 2932 wrote to memory of 2172 | 2932 | 422c85e16b.exe | 102 | 3
PID 2932 wrote to memory of 1964 | 2932 | 422c85e16b.exe | 104 | 3
PID 2932 wrote to memory of 5000 | 2932 | 422c85e16b.exe | 106 | 3
PID 4408 wrote to memory of 4760 | 4408 | skotes.exe | 108 | 3
PID 2932 wrote to memory of 2248 | 2932 | 422c85e16b.exe | 109 | 2
PID 2248 wrote to memory of 2216 | 2248 | firefox.exe | 110 | 11
PID 2216 wrote to memory of 4540 | 2216 | firefox.exe | 111 | 3
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe"C:\Users\Admin\AppData\Local\Temp\1a7d6ddfaa0dd56cc155b437969822ae7e8e40784d69c1e0fb55a190d15cd17f.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2k60.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2k60.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\N4N50.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\N4N50.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1F13S3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1F13S3.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\1013740001\665825c9fa.exe"C:\Users\Admin\AppData\Local\Temp\1013740001\665825c9fa.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2268
-
-
C:\Users\Admin\AppData\Local\Temp\1013741001\f544f39d33.exe"C:\Users\Admin\AppData\Local\Temp\1013741001\f544f39d33.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2232
-
-
C:\Users\Admin\AppData\Local\Temp\1013742001\422c85e16b.exe"C:\Users\Admin\AppData\Local\Temp\1013742001\422c85e16b.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd98415f-2397-47df-816b-4b3f1a59b6a1} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" gpu9⤵PID:4540
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04c7605b-0113-480d-8619-7bafc7f021e5} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" socket9⤵PID:3248
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 1720 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f992a0c-7824-4087-a482-830bac628ba8} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" tab9⤵PID:3556
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -childID 2 -isForBrowser -prefsHandle 4084 -prefMapHandle 4080 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb54cd61-d73f-4d44-aa9e-546728a7253a} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" tab9⤵PID:1420
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 4896 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c12b804-487e-49c2-99f0-8b6beb30cdc4} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" utility9⤵
- Checks processor information in registry
PID:2008
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5436 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7df9dfcb-4d6c-46b5-9407-4f2ccf318e22} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" tab9⤵PID:5076
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {124d5d23-0aac-48a8-a69a-8d07fc544aec} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" tab9⤵PID:1928
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b30613-20ee-4605-a09e-83fb07a599ac} 2216 "\\.\pipe\gecko-crash-server-pipe.2216" tab9⤵PID:5052
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013743001\12ffa22b73.exe"C:\Users\Admin\AppData\Local\Temp\1013743001\12ffa22b73.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
C:\Users\Admin\AppData\Local\Temp\1013744001\fd69f1f7c1.exe"C:\Users\Admin\AppData\Local\Temp\1013744001\fd69f1f7c1.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5088 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 15487⤵
- Program crash
PID:6648
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Q2359.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Q2359.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4932
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3O22S.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3O22S.exe
Tree depth: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3120

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4c676y.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4c676y.exe
Tree depth: 2
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3680

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 4184

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5088 -ip 5088
Tree depth: 1
PID: 6624

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3504

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5492

Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads
Filesize 1B
MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json
Filesize 19KB
MD5 f2cbae9c5a960cb07e5ba9f2b093abc8
SHA1 e6a005bc909439d56eb49f27674cfaf7550fd71d
SHA256 2587cb41267409d4421939f3fd4991ecec8bc78abaf64eec7fdcd67e5134eab6
SHA512 e943cacbcdeb7eedcc6113a3924e9925ba9e466c40aa4b24558318550297207b64523b6d90a4474d3713abfd7734c22870dfbc7ab3fc324be7b30d5e772c70f2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize 13KB
MD5 41712c226e49f31a28e78dda13a49983
SHA1 0739df995daed70371d3034083bb40faae4fa0ac
SHA256 de2c86758d7c4f19bfa08000c9f90c9558cb557b1aba4a0715d785ef9e008191
SHA512 1dec00cb40b978c3e39b70591382024df14dbdba38de641e0d39d6262745158df4ec23c41c57e2aca7d39eb4b47a161fee5d7b9ff9e8ecf9d0757e468fd0f88f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize 15KB
MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Filesize 1.8MB
MD5 78eec814d6034177867d547093eaf7d8
SHA1 d8267c5ab4bc8a1194901ef66d0d1ea65b2d40a1
SHA256 8bfdc1e85021c5cb619aa4d502a5a6cb16cba8cc0c3442828db08dbcdf0a68b2
SHA512 38bfb3e5dd2e3c4ddb6d226d1fa11c5cba75870b53908a7839ce669c84b1fe83197fd06a2c9e953b4f486d8b926d4966deaa533a28fd8c29dd70ae6db7bb3637

Filesize 1.7MB
MD5 288001b65d38a2878e7d1f424b419f3c
SHA1 c215fe8ed0d086ce614fcba865954697364dfde8
SHA256 868eda914f608108639b82ddad28ba808eed057111f6d82ad8a3d20c1773be63
SHA512 4e4983ddb993e4c2956f241608ee95b04796a62dc170181b400dde198dc2225ba95db96f8c63163624355cbce5c6ce552b3e1d552b401032dfc2a723f3aaa59f

Filesize 947KB
MD5 a955eb764df77529739f6643d791d4a4
SHA1 ee5831be1b650ae2e85e2dc98dce70d7f12d6a00
SHA256 8f157c568304079aed462f6de759a8a406f4349921daba8c9ba53a47980413f5
SHA512 53695cb1b1c2b2be7483449311989ec44ef1086b133e6c62f0f3b01ea8bdf1e2c1d7bcce9a269dacb70a5b2adc3afea4bc66d33516e8e7474569b6cbad54ab82

Filesize 2.6MB
MD5 09d5a4c9aaaf68609b57f50ef9bc3d10
SHA1 35ce908eb0034288bd5cbdcfe46b992a7a5de041
SHA256 787d624b7d5ca90212789c2cb876db3da2429108729f25f2e6a20f0c64b2473a
SHA512 ad2f7f8e451210c86a394704e8805d4c497d4b42d6cedfad46167d04a5f1cc6e437e87872569ded77d7106d166880355390ba2f08cdec7a538b847ca5a88d11e

Filesize 1.9MB
MD5 b16a303612f8717a90851727a25fdf61
SHA1 20281be28ae8c170b6dff5939fabd5616e9b7d23
SHA256 14a7faa5a16cbc6e031beb668ec24d78b04d8fe4959766cf11722932b93317dc
SHA512 c1c83b89a760997dc6740d940628fb7d68e3d82018b55c428ac1fcec0cde4b81ca943ef3dfd247212a14dd5b0eac20e4b4ba7f55b6154ea33a75920be032e196

Filesize 2.7MB
MD5 0b54693ce2c9132ae5e6f0f529b9adf9
SHA1 b3c213807ac2d32598d30fb537a14f91cceeaf40
SHA256 c616f02b3f897b99db2969be12209cd99abed19640e4686caad4329d71359379
SHA512 823c790c54c7f26307b3bd752e719dfc08f330a880c4dd55a39966c0754645ee09fb0266496bc7eb766ad7534c41b764f0d602d4fde4e2da358e24136f1591bb

Filesize 5.2MB
MD5 4343bd940a698275b313fab3a0e9667a
SHA1 12359c497504de4d7509df60973923c085d44271
SHA256 1820058b4e7bf80a9adc9f07cee03863cb0871402a4c3511eda0398f488917c7
SHA512 2eb8ba81ee4d5d182f5e506c8b043c69aea95428da5256979e1b8a0fd6a05fdc8df6e47a06c4198ac23351ec9b88328874551a50b1fbd6f9f94016452a1fd552

Filesize 4.9MB
MD5 3254044826ed67058897fb774aeb7a74
SHA1 73520e3a475f132ef8a684d990667c11714b6951
SHA256 283973a22fd7c41dad85168ff57e7fde4aed37e13f4dc90889c742b4619ac7d1
SHA512 15a7369dbeed3060e2aa3085a56662c23aec15b0f07c312d2922b6ee9d2a55bd1e97759fd65e254042119b5b21387972c1e5f44c5e09d4c8708896d17c81758b

Filesize 3.5MB
MD5 b13d54c9be238358ad1b805e6ed892c9
SHA1 61ea9cf38ffff5442d2423006fc636ab260da29d
SHA256 6c5484e55236a3b4fd285f08a76ee70e2f283cdc067a5c61e6daf97efd5e2dfa
SHA512 5f5bcde3eee9b90de0e1943d68c46c42573e1537735f8a523bec5953201f8b0d2e74d2c7a190966a66202123249c751c19448a147cd84d148ab94ffd99ab6b1d

Filesize 3.1MB
MD5 2a73a6b49541d8f9c58175642e96875a
SHA1 6544a1c1b83d506a4ec4631bb2a859431cc61d0d
SHA256 249e81f3e3071f987ff6f13b37de783c3e18f31ba9444678f4cfae753dfb5a3b
SHA512 c3972fe75344bbcff70f88507f9ff4e25b35585315d7784fad1a1c9b91cac54c66db05dbacb36e5befca6d8fc2311388801b2fee82172a44e3bd5670836a71e4

Filesize 1.7MB
MD5 d5bc4a8695314205ef66011164accd65
SHA1 935deabb18a93a14d0925a8eb7a410e0c91b9734
SHA256 304a303f1765879a9bc64d63fb2f2f31b5a3f498ff25d67cf4b5cc7aaf33ce6b
SHA512 8b52cef4b30057062a3d9febdfbbe170bc4fc8aa0d17694ef7d872e5e987e645540fdc2cb9251496472bcd9dc66c3992e18646ee9fe1268e1f81830ac0055789

Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
Filesize 6KB
MD5 ac99606b5818d17f8d75fa794ad993c9
SHA1 f42d2e2d4efba0329c229debc197476b482509ba
SHA256 64142a1a92a64590a9f552825119ec32f35c6cd3a27b137102075d8cad70ec7b
SHA512 1f20a7560637a961455d11d6c36076d3dd8b3c2e894297edf405df0e12b9d2444847c8796d9f7bf06e98fb60359cb9be62843a47d404c25a0e20169a8c8f13e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
Filesize 13KB
MD5 499bd07704051baaf8c25b334448883b
SHA1 d6e596c3edd8b58fbeab4d7d1c5dc73a1f7a33b8
SHA256 5a46a03e536829057a107398a663a11524a4e9cc57fe0316936e46fc2154a01a
SHA512 751ef98f3e56cbcd844745aac7a03f2a604057d4d7851d2128ceadbb107e5df9e8ffe6d1f25676365fffcdf4b490cd6980788b16f7fa6b03b450e47d43a7e0e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
Filesize 5KB
MD5 7f3bf1feba13c70babd05d55471cc759
SHA1 84fb4db489adda16f157692e44561c1f563ccc3d
SHA256 c812043dda6503d9da606f6ac8dac4fabf18924b1d3e3cf69a5109ce2fb07b3f
SHA512 635687e17948c12f86b11a80374e3901fc929ff6ffcbbc774a852e23f4f85af7f5382f97d1a78c7a241f18f2785d85a0c8f34f21737d45773d738df41814bb54

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
Filesize 23KB
MD5 51b529e17e84569a3f325f24f553591d
SHA1 c9c1eae3dd1dad48cc4250ec3faa8ca6cac324ee
SHA256 3c10487967e64e48c34f5050b4afbee3d99c3df7d20ac34f5e7b4271504dd2c8
SHA512 1d598defb35944c30cdffb544890079123173c86fe500e48125d0e6cc9209201a68d0123082db8a12b215c8ea5534e800fa88fa15fabfaec961c8a21c1610de4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
Filesize 6KB
MD5 e3c2cf7cecedc51d678717afcc5b8c3a
SHA1 1e9ed4ec6f23e08d914e770926311603db26ec85
SHA256 49f3fefa8473f05d7571402374271f69fdf4022d2c12bd8522ba99bbedb37861
SHA512 ce1c26d4fbc999463109021eea4278293c63ec8a8e69846233cda125dee58a100d584d8d2e9385875f192457d065647412ec8a9422b3dbbb7adb02f25acd6115

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
Filesize 15KB
MD5 373f629516a486185bb6d536dc61c8a9
SHA1 3371647337d53b7463203efd952064dabb7bfe05
SHA256 4fd907a8c0f9bcf54905fd299fe92a8ca74365bc7e77793e4f10f09e92236830
SHA512 73c8dd03c257b17d14bd60f22ee07263f44df22fa7d64db0fcbbacf66198577af7defe17850cb3796109b1ef769c3f0c3637658ec42aa084bc22affcaf66b260

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
Filesize 15KB
MD5 d1c0de8ae6dac12361e78f57784f139d
SHA1 7d83dcff71ab2c025dcf934b061cf9228d561ef2
SHA256 7a929d443ab434eeee9a6cc5931aa60cf266adf5f5e1970ca82428ebce032b5f
SHA512 588eb6c3e5199e90620ec9773962722911347ed4946d536a339b3a65320214f340f2cea8734c4a9fd4df487a3970b271195244a1d0fb86a8c049336ceac5eee8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 458865af4021b5f419cfb7439dc3c475
SHA1 47358e3291f68a6d295b50a6f50b7019f2e6c373
SHA256 31b4ed3f1f4b96a29d5dd744ba8b1f2d83e3876cf2c7a9474b94803d36da174a
SHA512 fe334b2c9c801d4a0f23dbbe0910ca469111cf25761ec42873f9d2bdd6a4c993e0afe99ce5af67b6c79ff80c162e6c707f9dd77784e468744a3684ea9581b1f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 e7d1f6462588e319649ee4b162be6ae6
SHA1 e90c9c69542cc2d75ddf75abfa658529dbaa8b5f
SHA256 b49739d68da172959fd99c971b634d27ab68d0dd90fdd3d429572227d64dce6d
SHA512 0bc101ed42b757631e641fdf657efa78446a4659fe411d834debd1be1767f79d3ea11caedad79c79b683bb39fa6526d6496ab60d8082fa3b28b1e268819bdbbe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 f6d30b2a3a20593d5d352636c4e7f292
SHA1 86e2bb1dc2c847662dcb8b28a116a326e962ada4
SHA256 566be19467aa912faddaef887e140d7b9db563cc2692da6387cd8c8a11efec3f
SHA512 1211d7286399cc1e438d7358907d0435e244bd7da7b2ece223f7f39d33d9f1ef0eb1f4d470adf012470e29f81a086c8203525dd6ed910cee9344334deae4555f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 15KB
MD5 86f47546dcaf7a7e05752689c1b8dc22
SHA1 dd3edb4b3da50b4026537786734ef402bc2854d7
SHA256 bb4cf000600ddd4021cfb6ecc4617516d90f7a2c4a74d1f42e165433846c932b
SHA512 770dc06fe993674e59fccff83512064678508bf4e69eb33680ed0e80c6319ed6432ed86f3a3a76c66199b4cdb79d793e8df764c7948f9d273327dd735d4e7788

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 15KB
MD5 01fb389b6c7de07e3074e737b89c4c88
SHA1 6025d466e3be4734d0b674420bb1a72c8b24c424
SHA256 989df053825227ce1635dfd475bb84f476faa5d4bf713613b55c51e547af643e
SHA512 3caf2eb1a226eafd80f02dc94859417a65479bf6967520077207e524155a7d6b110c4121410093d23882933d2c30cd89bb3ebd6e92c155b4882e6ab64c2c6dec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\4a2b2e93-f9c0-4a67-9d65-4b6d3513028e
Filesize 24KB
MD5 eeefcc144986ee7b01517c9e45cf9e1a
SHA1 0554f1f045cf73b0f0ae3621c27dc02b3d5d19a2
SHA256 aa33448297ae02e9d76c4ebd150bd45cf71929f68d3e993c941cc3c54cca14b4
SHA512 864e6d37d1224251edb38c161992dcb0b5482d96292dcac7488cdbd50dbab5609df9f7422511acd471d3802c2be70d9e26697ca87ad4c904ce5e7f7ca19149ad

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\882410b3-e5d2-4edc-aaa4-259932476100
Filesize 982B
MD5 4f49f03176165276d65ea3c4fd36d83f
SHA1 880bca2957faf56251a99f1afb8a31b87a5f8845
SHA256 c22cbe43d4f2ba144e868121827733df30d8073a4063589b9db3e85f9cfc02e8
SHA512 edd44d6272f5f29899101b94edbe4973b848ce1f49753c193fa8812f26509e9879e13a6a44f6994941a460fd66bf52996d1e13aa7b547cfc84ea0fe8462b7966

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\d720d9b7-7524-4efd-a085-27aa9e52c882
Filesize 671B
MD5 4cf3fd9ce12a3ebfd84cfb63e599c6f6
SHA1 e184b32e650ffb674ecdd46bbed49ed25b39cd58
SHA256 baf848be114e1838c794d44666f0456948beea86112519e1a8259a3fc9b6d106
SHA512 f4503668fa6d0d3f56a6dcec5868aa60455a0ac74dcfd9ae8173b4440e04447ca16bb1151a32c1edd86d02c9555d01422d9d29a8dc73ba96b0c0a37c7a056f23

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize 15KB
MD5 7e2034b5731a09f70c053cfc4d73adde
SHA1 fc96e9ab30e5b33cc4d47bb1363003cb51691c67
SHA256 8c0d02d8d1d617716f03a5f2e5de93e3321ad09f25b758655f3cceee1e9d1ac6
SHA512 a0ce35617121130ea095061c59d5fe356c8d45dd7f35c647345a0bfbd0ccb51495a2d2a060008692ce23b4efd342e4dfbeb7f5c62204a45d31d5b820522aa464

Filesize 10KB
MD5 5de36d355c6054dfcd2deac0099d669b
SHA1 2385037579a43a0dd705da3580d3bab6e21cb8e7
SHA256 2b7c1cf541a5aa1e69b337324d1a847feeb60029ca52d587d9bb16af5a3d521f
SHA512 4c48f97742e09fc1faa6d6a5c94dadedd26a10ca37bad2472fce0f374cd2021f38a14c63259e05b2871f8c2fb020503db64531d8c85b94bf1e338f2f74368784

Filesize 12KB
MD5 40567cea3eac267012ccec66a406e789
SHA1 69ee4f7b44f33616962057152b26769ac6a0bdcd
SHA256 9f66e5113caee8354bf76e4f9c19cb6722ae51d3e9fd60b2f976923a9ef01c66
SHA512 a984709aa929ed301b2879c69e7d8118ea91ba7f145dc08ba21d2587bc2b2052551b72174fc882fc12277d19f58f7dcb50526651ff2611431dbf79602b5356da

Filesize 10KB
MD5 284c6f61dba6c76561de62a2286ade89
SHA1 19eb401e912569ad11f07df7aff16c6e4842c9a4
SHA256 5db5b1a79c683e1ce01ca8696a076f3dd3337813d002b64a5fb767786888aed1
SHA512 ae5cc545380d3dabf4aa35068b33cc43be237a52ab42c801c3f862f7115f34d243bde479ff5bb5e8e2bea5fd6f98af6dcb3a38b48203a77b290e9bd146e6b939