Analysis

max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 16:09
Static task: static1
General

Target: bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe
Size: 6.9MB
MD5: 82c0cd73fed2e80d61b1e3dfe88a4532
SHA1: 39430d223fa45488957ff0e8f72ed61347e0fb2e
SHA256: bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b
SHA512: 2acac19997121bc1e5e9bc89357bd3d201c899d96294f55c79bb052c40ee8c6e19c61db9b9c991c5660ec995c3b8824ce581d8cf866c664d4c39a8c362608477
SSDEEP: 196608:0RC0I/sAMruNuBukBz1RvEnglRcasdo4:0pI/FuHBz1RvEn6fsm4
Malware Config

Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted: lumma
Extracted: stealc
stok
http://185.215.113.206
url_path: /c4becf79229cb002.php

Extracted: lumma
https://atten-supporse.biz/api
https://covery-mover.biz/api
Signatures

Amadey family

Gcleaner family

Lumma family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4I148J.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | e8f293db1d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | e8f293db1d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | e8f293db1d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 4I148J.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4I148J.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4I148J.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | e8f293db1d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | e8f293db1d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4I148J.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4I148J.exe
Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 12 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2b3011.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3S87A.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4I148J.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b0625ea967.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1T36h5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ae4f243ce9.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e8f293db1d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f00a48a2f6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 24 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2b3011.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4I148J.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ae4f243ce9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f00a48a2f6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1T36h5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b0625ea967.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b0625ea967.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ae4f243ce9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3S87A.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4I148J.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2b3011.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3S87A.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e8f293db1d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e8f293db1d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f00a48a2f6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1T36h5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 1T36h5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE (15 IoCs)
pid | Process
2376 | F6W49.exe
2788 | s0n62.exe
4988 | 1T36h5.exe
4092 | skotes.exe
4044 | 2b3011.exe
1368 | 3S87A.exe
2752 | 4I148J.exe
2192 | b0625ea967.exe
1836 | skotes.exe
3520 | ae4f243ce9.exe
2952 | 115e5c4d86.exe
6280 | e8f293db1d.exe
4988 | f00a48a2f6.exe
4624 | skotes.exe
6812 | skotes.exe
Identifies Wine through registry keys (2 TTPs, 12 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 3S87A.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 4I148J.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | b0625ea967.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | ae4f243ce9.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | e8f293db1d.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 2b3011.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | f00a48a2f6.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 1T36h5.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4I148J.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4I148J.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | e8f293db1d.exe
Adds Run key to start application (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\115e5c4d86.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013747001\\115e5c4d86.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e8f293db1d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013748001\\e8f293db1d.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | F6W49.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | s0n62.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0625ea967.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013745001\\b0625ea967.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ae4f243ce9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013746001\\ae4f243ce9.exe" | skotes.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000a000000023b82-96.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
pid | Process
4988 | 1T36h5.exe
4092 | skotes.exe
4044 | 2b3011.exe
1368 | 3S87A.exe
2752 | 4I148J.exe
2192 | b0625ea967.exe
1836 | skotes.exe
3520 | ae4f243ce9.exe
6280 | e8f293db1d.exe
4988 | f00a48a2f6.exe
4624 | skotes.exe
6812 | skotes.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1T36h5.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5752 | 4988 | WerFault.exe | 121
System Location Discovery: System Language Discovery (1 TTPs, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 115e5c4d86.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 115e5c4d86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | F6W49.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | s0n62.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1T36h5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b3011.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b0625ea967.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ae4f243ce9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e8f293db1d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f00a48a2f6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4I148J.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 115e5c4d86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3S87A.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Kills process with taskkill (5 IoCs)
pid | Process
4156 | taskkill.exe
244 | taskkill.exe
2052 | taskkill.exe
4424 | taskkill.exe
1464 | taskkill.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid | Process
4988 | 1T36h5.exe
4988 | 1T36h5.exe
4092 | skotes.exe
4092 | skotes.exe
4044 | 2b3011.exe
4044 | 2b3011.exe
1368 | 3S87A.exe
1368 | 3S87A.exe
2752 | 4I148J.exe
2752 | 4I148J.exe
2192 | b0625ea967.exe
2192 | b0625ea967.exe
2752 | 4I148J.exe
2752 | 4I148J.exe
1836 | skotes.exe
1836 | skotes.exe
3520 | ae4f243ce9.exe
3520 | ae4f243ce9.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
6280 | e8f293db1d.exe
6280 | e8f293db1d.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
6280 | e8f293db1d.exe
6280 | e8f293db1d.exe
6280 | e8f293db1d.exe
4988 | f00a48a2f6.exe
4988 | f00a48a2f6.exe
4624 | skotes.exe
4624 | skotes.exe
6812 | skotes.exe
6812 | skotes.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2752 | 4I148J.exe
Token: SeDebugPrivilege | 244 | taskkill.exe
Token: SeDebugPrivilege | 2052 | taskkill.exe
Token: SeDebugPrivilege | 4424 | taskkill.exe
Token: SeDebugPrivilege | 1464 | taskkill.exe
Token: SeDebugPrivilege | 4156 | taskkill.exe
Token: SeDebugPrivilege | 3388 | firefox.exe
Token: SeDebugPrivilege | 3388 | firefox.exe
Token: SeDebugPrivilege | 6280 | e8f293db1d.exe
Token: SeDebugPrivilege | 3388 | firefox.exe
Token: SeDebugPrivilege | 3388 | firefox.exe
Token: SeDebugPrivilege | 3388 | firefox.exe
Suspicious use of FindShellTrayWindow (33 IoCs)
pid | Process
4988 | 1T36h5.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
Suspicious use of SendNotifyMessage (31 IoCs)
pid | Process
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
3388 | firefox.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
2952 | 115e5c4d86.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3388 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2500 wrote to memory of 2376 | 2500 | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe | 83
PID 2500 wrote to memory of 2376 | 2500 | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe | 83
PID 2500 wrote to memory of 2376 | 2500 | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe | 83
PID 2376 wrote to memory of 2788 | 2376 | F6W49.exe | 84
PID 2376 wrote to memory of 2788 | 2376 | F6W49.exe | 84
PID 2376 wrote to memory of 2788 | 2376 | F6W49.exe | 84
PID 2788 wrote to memory of 4988 | 2788 | s0n62.exe | 85
PID 2788 wrote to memory of 4988 | 2788 | s0n62.exe | 85
PID 2788 wrote to memory of 4988 | 2788 | s0n62.exe | 85
PID 4988 wrote to memory of 4092 | 4988 | 1T36h5.exe | 86
PID 4988 wrote to memory of 4092 | 4988 | 1T36h5.exe | 86
PID 4988 wrote to memory of 4092 | 4988 | 1T36h5.exe | 86
PID 2788 wrote to memory of 4044 | 2788 | s0n62.exe | 87
PID 2788 wrote to memory of 4044 | 2788 | s0n62.exe | 87
PID 2788 wrote to memory of 4044 | 2788 | s0n62.exe | 87
PID 2376 wrote to memory of 1368 | 2376 | F6W49.exe | 89
PID 2376 wrote to memory of 1368 | 2376 | F6W49.exe | 89
PID 2376 wrote to memory of 1368 | 2376 | F6W49.exe | 89
PID 2500 wrote to memory of 2752 | 2500 | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe | 90
PID 2500 wrote to memory of 2752 | 2500 | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe | 90
PID 2500 wrote to memory of 2752 | 2500 | bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe | 90
PID 4092 wrote to memory of 2192 | 4092 | skotes.exe | 91
PID 4092 wrote to memory of 2192 | 4092 | skotes.exe | 91
PID 4092 wrote to memory of 2192 | 4092 | skotes.exe | 91
PID 4092 wrote to memory of 3520 | 4092 | skotes.exe | 94
PID 4092 wrote to memory of 3520 | 4092 | skotes.exe | 94
PID 4092 wrote to memory of 3520 | 4092 | skotes.exe | 94
PID 4092 wrote to memory of 2952 | 4092 | skotes.exe | 95
PID 4092 wrote to memory of 2952 | 4092 | skotes.exe | 95
PID 4092 wrote to memory of 2952 | 4092 | skotes.exe | 95
PID 2952 wrote to memory of 244 | 2952 | 115e5c4d86.exe | 97
PID 2952 wrote to memory of 244 | 2952 | 115e5c4d86.exe | 97
PID 2952 wrote to memory of 244 | 2952 | 115e5c4d86.exe | 97
PID 2952 wrote to memory of 2052 | 2952 | 115e5c4d86.exe | 101
PID 2952 wrote to memory of 2052 | 2952 | 115e5c4d86.exe | 101
PID 2952 wrote to memory of 2052 | 2952 | 115e5c4d86.exe | 101
PID 2952 wrote to memory of 4424 | 2952 | 115e5c4d86.exe | 103
PID 2952 wrote to memory of 4424 | 2952 | 115e5c4d86.exe | 103
PID 2952 wrote to memory of 4424 | 2952 | 115e5c4d86.exe | 103
PID 2952 wrote to memory of 1464 | 2952 | 115e5c4d86.exe | 105
PID 2952 wrote to memory of 1464 | 2952 | 115e5c4d86.exe | 105
PID 2952 wrote to memory of 1464 | 2952 | 115e5c4d86.exe | 105
PID 2952 wrote to memory of 4156 | 2952 | 115e5c4d86.exe | 107
PID 2952 wrote to memory of 4156 | 2952 | 115e5c4d86.exe | 107
PID 2952 wrote to memory of 4156 | 2952 | 115e5c4d86.exe | 107
PID 2952 wrote to memory of 3320 | 2952 | 115e5c4d86.exe | 109
PID 2952 wrote to memory of 3320 | 2952 | 115e5c4d86.exe | 109
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3320 wrote to memory of 3388 | 3320 | firefox.exe | 110
PID 3388 wrote to memory of 1576 | 3388 | firefox.exe | 111
PID 3388 wrote to memory of 1576 | 3388 | firefox.exe | 111
PID 3388 wrote to memory of 1576 | 3388 | firefox.exe | 111
PID 3388 wrote to memory of 1576 | 3388 | firefox.exe | 111
PID 3388 wrote to memory of 1576 | 3388 | firefox.exe | 111
PID 3388 wrote to memory of 1576 | 3388 | firefox.exe | 111
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\bb94330d7bb4d60f1247bf1ab358ac2960823d8289d2016ea8e3489b6919038b.exe"
    PID: 2500
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F6W49.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F6W49.exe
      PID: 2376
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s0n62.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s0n62.exe
        PID: 2788
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1T36h5.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1T36h5.exe
          PID: 4988
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

        (depth 5) C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            PID: 4092
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Checks computer location settings
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Adds Run key to start application
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
          (depth 6) C:\Users\Admin\AppData\Local\Temp\1013745001\b0625ea967.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\1013745001\b0625ea967.exe"
              PID: 2192
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

          (depth 6) C:\Users\Admin\AppData\Local\Temp\1013746001\ae4f243ce9.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\1013746001\ae4f243ce9.exe"
              PID: 3520
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

          (depth 6) C:\Users\Admin\AppData\Local\Temp\1013747001\115e5c4d86.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\1013747001\115e5c4d86.exe"
              PID: 2952
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
            (depth 7) C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /F /IM firefox.exe /T
                PID: 244
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            (depth 7) C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /F /IM chrome.exe /T
                PID: 2052
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            (depth 7) C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /F /IM msedge.exe /T
                PID: 4424
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            (depth 7) C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /F /IM opera.exe /T
                PID: 1464
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            (depth 7) C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /F /IM brave.exe /T
                PID: 4156
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            (depth 7) C:\Program Files\Mozilla Firefox\firefox.exe
                cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                PID: 3320
                - Suspicious use of WriteProcessMemory
              (depth 8) C:\Program Files\Mozilla Firefox\firefox.exe
                  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                  PID: 3388
                  - Checks processor information in registry
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 1984 -prefMapHandle 1976 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b389349e-4dfc-427d-8f5c-bee1d20c11b1} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" gpu
                    PID: 1576

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2496 -prefMapHandle 2492 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4c69b5f-3af6-4241-a499-f07b3094f7d3} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" socket
                    PID: 1616

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1616 -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 3080 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5924c3b6-79fb-438b-be58-50e2d996e884} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
                    PID: 1512

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2644 -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 1216 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d6ba48a-50c3-405c-a4d9-0392ea20c273} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
                    PID: 4068

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4776 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec853f0-eb78-42b0-9638-013f2d3495ac} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" utility
                    PID: 5160
                    - Checks processor information in registry

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {171c1713-9687-41da-aaa4-f516db00e821} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
                    PID: 6908

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31b801fe-c16f-4397-b175-bf21f651f35d} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
                    PID: 6920

                (depth 9) C:\Program Files\Mozilla Firefox\firefox.exe
                    cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5664 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf99940c-8e77-480c-98f2-b1d6e70fc989} 3388 "\\.\pipe\gecko-crash-server-pipe.3388" tab
                    PID: 6940
          (depth 6) C:\Users\Admin\AppData\Local\Temp\1013748001\e8f293db1d.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\1013748001\e8f293db1d.exe"
              PID: 6280
              - Modifies Windows Defender Real-time Protection settings
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Windows security modification
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          (depth 6) C:\Users\Admin\AppData\Local\Temp\1013749001\f00a48a2f6.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\1013749001\f00a48a2f6.exe"
              PID: 4988
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            (depth 7) C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 780
                PID: 5752
                - Program crash
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2b3011.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2b3011.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4044
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S87A.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S87A.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4I148J.exe (tree depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4I148J.exe
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2752

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 1836

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4988 -ip 4988
PID: 5620

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 4624

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6812
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads
Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 19KB
MD5: bdff3a17f8d6ce208d28e8aba6b0020a
SHA1: 53c5ce5abb9fb6f4a02cbe4fcb512af4ec0b9acc
SHA256: a185d2bd52bb0fed86f9b069338c61a4331c0255921bd9b4e00461f61772f7cc
SHA512: 489c9a9a550c9f1b1cbb889c2e50375e16b01dd1f4470bf32e24961cd28ae0e33841e9e5d29db0f869cd694b22d884ff3985fb501839300560626c08ac6dbb02

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize: 13KB
MD5: 0ce0913004638f9996dbf60535a467dd
SHA1: 0feaa457042cddaad7c835a7879792da303967e8
SHA256: 997bf8235ae8692ff3b6a9cb1a8c40eee7576975c2dbb8606256a60524675d4a
SHA512: aa9dcd40852db3f93aca30053c8c1f833cde9f5bb76c5e749572d21b0300168ebb3d314b681d39470020f5585cbe6b01bb829ae195e47c9e33c153de93566230

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Filesize: 1.8MB
MD5: ed7caab0d405cb303792e6a21a63cade
SHA1: baa8c5cadec598fa3f71073bdf305b05eeab1d20
SHA256: fbe36ec46358b7284655cb7872bce650ec230cf1e57b2a507cce14b4242ca23d
SHA512: 2a5ca0ec8986cc2ac2945971aff0057967c3046fc390f6b87e7d966d03f4ca2f7a8e7aab0b3ebef6598904a831a1d6a5e05c43d550c39e6d9f7cb3cab974f0a7

Filesize: 1.7MB
MD5: 48ef533281a49ffec30c76b2a6bc0554
SHA1: 3f2c71d635b8835920a841bb98138bb31a5d2e8a
SHA256: 420d505f8c86aed008a9dfa888a3acecae32e95bc26a470d7fb756bdcd74a8d1
SHA512: 8307a02057a649dbd5137d60c7d4ce7719e1b7ef28c776cf27410621d4b5416e5d1d38246d3529fde7a229439994ca6a3fa7ee90e3c498d84ef764a3994e0a6e

Filesize: 948KB
MD5: e26a110d07130ef58bc1dcc2e32c1d49
SHA1: 4a8013b5ff9906a32b0f61494315d76ff281487f
SHA256: 63c4a11a58416818a4ba7a6af376c485f1e69e9e7646c8e7d19d93918b97d30c
SHA512: 0566926c9f00fc3deb32754785ca0d4aa8ff16c31b50766f8c348ebb05557658955bad80c6c68551eb30d62b659a50f746f5a93df6f433ba4fa66a52433d5d78

Filesize: 2.7MB
MD5: 0f95cebb6ce231e39352462e416fbeeb
SHA1: aaaa94109952e94de68f1958a7ba3d6f2148135b
SHA256: 4ee64b13fdcf9924c424e04d3996794725ccc70a99a85fee306ff58a09071913
SHA512: a04035523cac17d292ecb57ff632e9b8f891a5d7efd036df610ccaeb7bce311430732b66b02a5f9981499278303efd686ab049fe843bc8feee1952bae9bd228e

Filesize: 1.9MB
MD5: b16a303612f8717a90851727a25fdf61
SHA1: 20281be28ae8c170b6dff5939fabd5616e9b7d23
SHA256: 14a7faa5a16cbc6e031beb668ec24d78b04d8fe4959766cf11722932b93317dc
SHA512: c1c83b89a760997dc6740d940628fb7d68e3d82018b55c428ac1fcec0cde4b81ca943ef3dfd247212a14dd5b0eac20e4b4ba7f55b6154ea33a75920be032e196

Filesize: 2.6MB
MD5: 09d5a4c9aaaf68609b57f50ef9bc3d10
SHA1: 35ce908eb0034288bd5cbdcfe46b992a7a5de041
SHA256: 787d624b7d5ca90212789c2cb876db3da2429108729f25f2e6a20f0c64b2473a
SHA512: ad2f7f8e451210c86a394704e8805d4c497d4b42d6cedfad46167d04a5f1cc6e437e87872569ded77d7106d166880355390ba2f08cdec7a538b847ca5a88d11e

Filesize: 5.4MB
MD5: 5b4da92b919f3ceb8d6c7025b2950df2
SHA1: feafd3b962a05eeef9a8468eea61c097a0d553a2
SHA256: 4355f6ca34cfcb42c600fb9b328a937f5fb98e7571bfae97b9fb85d082549b05
SHA512: 6384db88719051dc1d9eea2e49f0e4b93819f9f52397481bb52afaadb4e627d27102ab4a38ea374f160c50d10fae86272187220a588f1589446e366224cd2fc0

Filesize: 1.7MB
MD5: 288001b65d38a2878e7d1f424b419f3c
SHA1: c215fe8ed0d086ce614fcba865954697364dfde8
SHA256: 868eda914f608108639b82ddad28ba808eed057111f6d82ad8a3d20c1773be63
SHA512: 4e4983ddb993e4c2956f241608ee95b04796a62dc170181b400dde198dc2225ba95db96f8c63163624355cbce5c6ce552b3e1d552b401032dfc2a723f3aaa59f

Filesize: 3.5MB
MD5: 5d2868645e25af8446b0111ec839e16d
SHA1: 2389be1b09f8ebb1720e76d3a8d072b96f9533db
SHA256: 2cbae9a9c84843a1157ed48798f6e6cbe36a26a7563818eb71b0f4d6fa5a87ac
SHA512: 3e10914d1113a33a5f1c92ce5e503a60bb1cbd789195a248dd0891550c6d053e56056cd296df2f55f9ce3bcc194827d6c488bdda38eded12103d58f71b02477d

Filesize: 3.1MB
MD5: f2f1e44d66a7142f3224767e23212d69
SHA1: ac045bd0e055e3980662fae03f20860c98adc480
SHA256: 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7
SHA512: 876049eefbf91ef5e423a401cfc9e377aaac386834f3659b411fcded6369edc45a904a808a3b477ea659542e7da19ed6d3d1f8a57799debdc3b507186a7cc6de

Filesize: 1.8MB
MD5: 78eec814d6034177867d547093eaf7d8
SHA1: d8267c5ab4bc8a1194901ef66d0d1ea65b2d40a1
SHA256: 8bfdc1e85021c5cb619aa4d502a5a6cb16cba8cc0c3442828db08dbcdf0a68b2
SHA512: 38bfb3e5dd2e3c4ddb6d226d1fa11c5cba75870b53908a7839ce669c84b1fe83197fd06a2c9e953b4f486d8b926d4966deaa533a28fd8c29dd70ae6db7bb3637

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize: 6KB
MD5: 327368042517450744192e83ad2fc768
SHA1: ac792180768bc4bcdce1ed5450fee799aeecda5b
SHA256: 991f536f3674556a5357b0b867a90b1a78bf9fc174b64a52f3631c7e3befbac3
SHA512: 566ed495b3b91fc0a50360a265e5ff4ebf852ec148b5120a344d18fd5d5ef46e1f65c549297575036a8ea9245dc90b5754c6362df9f74d0beb32eb495941a55c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize: 8KB
MD5: 8a414ec3ff1c6bcce22c5e02639b0bcb
SHA1: cdf1d1ad3b574a3adee655e9e284055261ef23f9
SHA256: 1c8fc2c610fd6ab2cc5739dbc8674ab21a491bce0d76c5ee14163b78f5362369
SHA512: 6d465f513dc4e2517d1b21b930d3ff4226677dc24759ee3ab214a57a976476557f9d2f5684beaffc42b840460736abf4ea8a5942c46e6314f77f266586de8805

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
Filesize: 12KB
MD5: d776e70e43a6c4e930ad842517eb80cb
SHA1: 0c20ab204c01e8254e128b75b9eec64d640ef86c
SHA256: f174069d9fcf5c637bfc2829a7ba388d28755a3fa4181195af9d20a1e7f072b1
SHA512: 55de3626f3cfc6ec292e4a8604dbfa6cb8d06e686a23b3ccfeb2e4685767e5b0142919d97faa6d960fcac3e65b365762a494a12d2f801b3c30cf2406f7114f6b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.bin
Filesize: 23KB
MD5: 22476eb21fc5a17d9ec755af4f1efc5b
SHA1: bb739712e79a87e99a9b776fd6aa2f0835d06536
SHA256: c26595e20bac3f397eac49e1e0f266954e695790e1e108d0beb60d90246ff641
SHA512: 07c0aec1eea74bee72e0286eb71b9dc051f4014dd4e25010ab3df1b7613e5995980999ec91405da5d7f6d44a5cfb4eb9a3e93352916c3e0ccaeb227b7d062c9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.bin
Filesize: 15KB
MD5: dca526c4ab32d94f3262908bb65aedfb
SHA1: 09285759757ce6a34dae884ff2d75a33408d8bfb
SHA256: 1616072dca0a9152004da50dd7554ca26c7d03aa5930cc8927c51eefefb2503d
SHA512: b4536ac252b6df0c40c2d3c18cbe923e2c59650c48e829d2c0691eb04a923fa88d102f5939f3c6220f1415c33b0a9e79073a817e5774685ff68d5cd6487b45fd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 141484c0b089af98ac2bcbd72b178475
SHA1: e2461cdfdee2ccb9f885d59439c92f2aa449c97c
SHA256: fbe17be941f6c67c7d48b9ae5dd2fc754b4821a1bc4d808212268f8a99362a0f
SHA512: e8c20a64c6b77c8c712aecd7e972d5bc409924f2e5b7c6a5638a0b427adb49d3bd821359211d5461334510f79612a889ce96535f3ac0c231ee6d9b779d2b8017

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: 704f41561bc06fb80c026f4e862e3e4b
SHA1: a540e79d607e44a13c697cd1791bb2ff5e7865bc
SHA256: 43f61acd509ec177a521c4fb9cbadf56dabbe0889aeb456f3d0520fed11a9d2c
SHA512: f01c3f054f1a0d5001e0faf920575e81799c4ab9a7275f53e40c7619b87023e038e35b4bda9ab6a30c2090732a057c9ba1464ba57302f7487bfcc97d73deda48

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: 33b9afb65509f2a54024e527c1d18c27
SHA1: 4741188fb6adf37ee7cbf59facfd2d8a01456c9b
SHA256: cbe60b32b2564a21eb4af767e84bb124f01acc496fc6ce0334d5f6fdb96f6b03
SHA512: 440eeef585dc63bace07c99060542a77369a8d1e1745bc63b79f04185b6fd97f631a95f927d5423f233a3d099fef80972e6291eed6aab1280d6973c3bbcccc93

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: ad62658699742a3c1eda1ef4f4c6fe52
SHA1: f5b663e0bb5c1b58beb27f2270b686d065ca111d
SHA256: 73d7a2451dda7b543799435e76421eabefc4e1a716a737b0e92ecf9392f8fd18
SHA512: c55a04efa2c87d091c4c9afb82536b1f06c20fcebcc6c5ea0b581889136a253038491b200d31c6ea2c47e8ce49deb35dc9c5a5354008dc4d4fa8b2d2af6a9f98

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\10d638f1-2ba3-460b-942f-a7f30e86350d
Filesize: 26KB
MD5: 8a60a2a64b898313725ea2f09e502fd6
SHA1: f23eed32e6dc6902bf1b3eec920b79876f2f135c
SHA256: 35a662059431ebe1962409d0e9d13c7d698dc4cdfc8646aa37ee8dd25bf578a6
SHA512: 96035d87327d5b32bf6577b5bf615417019a7bc47e96f7aa1e00764723a681e45152930352c6b6dd17e1f463b4aebaefa6d866c95e412e9507694bdd0990d244

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\143afaf0-5663-44fc-abcb-a2ec109acbfe
Filesize: 982B
MD5: 1bad2b6d13924063ad461f2a9cc764a8
SHA1: 9f74c735dea605954a053c1b512af0c859a432fb
SHA256: 5ddd2a2f23480560775d52e9e7d479c7a3b59d422435b3bf53289c66ccb78a04
SHA512: 906f2757848c68fe9f2b8946d9acad8e4124d1b4b9c106635f886568c9fba46124b70b5316b5bca626fb38bf3c607e140861ce13bfcbad7edc014d6525ebe34a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\e4cc63c1-3486-4d87-af6a-a5be22f140ca
Filesize: 671B
MD5: b4c612e38487bf62ebfe03de6400b88f
SHA1: e55fb94b5ed3b362d3a2a70cd5771f4726929d7b
SHA256: 9cfe43aeeb06706aaf9054f5004aca32fff42bcdfe719d297299835e7ed1da8c
SHA512: 9a46fce0f1dc9a02b422b0fa264d10cc2806213c29690327162899b5c01be49e9443be8577555f8e7bb72b9fb971870f856185c1ef7f1fd72b596398193f9b3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 11KB
MD5: bcc349f023e3d30788928aea61489f9f
SHA1: ad2a9df495630aed49b2b05c3ddcc23f3839086c
SHA256: 1ac650b6c9637afda59bd482f0940fa53676eadd59068298e1fa5af615a31468
SHA512: 9c01dfd13e75f8fc0d67a8b20515579affb9e955dc3a22a5530e0309ed7e3c09c55489380463300101dd4feddf63546e4ff115190674660359bdcefa8bc2a723

Filesize: 10KB
MD5: 94f75c8f9d60a48072f6244c18b82848
SHA1: b21f2f61286631b2bdd3b2997822d6fa361e440c
SHA256: ddcb043e3beeb4ea247b852663fb03416834ca9fc6182c9b1c2779c8bc1a2873
SHA512: f910589dc8045e324592ce7e2e62464663b393eac09e763172e2c030a84130087f1605895c76f6a9f40ef472af7cb403cf0eb65c164c00332d9aa508aaebca23

Filesize: 15KB
MD5: cc7820d87ee562ef2f83b45f7d7382ac
SHA1: 59406079c045296ca378a15ec883c1805eb3cd4d
SHA256: ac793bd261608ea5eacdc918cd80ea433a5af7be574a3243fbf6b432150474a2
SHA512: 17bc9731ded20130a85263af72ec6492ad4c1ed1891aa1e0cf59173a0cdc8f62a84248d1c3525e831dffc688cf29354e55faf7ef6126ab99a611e575a4d0b348

Filesize: 11KB
MD5: febea3b36838c67906e5f8191b0317db
SHA1: 2df424e0590fd06418e27bcc64fc1f3bb9350264
SHA256: d9c1151f813fcec23c255220573dc3d119302c730ea7d910307ffa04ee6283bc
SHA512: 527c98c3bb4df645770c2f9a806b8a829084f6326a6e8e10fbd21cafef6fc845eb57c92b9fa9a44faad7e6a0a6a7c1f109c0a81782ff85bde2950720b878b32f