Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-12-2024 16:25
Static task
static1
Behavioral task
behavioral1
Sample
8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe
Resource
win7-20240903-en
General
-
Target
8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe
-
Size
3.1MB
-
MD5
f2f1e44d66a7142f3224767e23212d69
-
SHA1
ac045bd0e055e3980662fae03f20860c98adc480
-
SHA256
8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7
-
SHA512
876049eefbf91ef5e423a401cfc9e377aaac386834f3659b411fcded6369edc45a904a808a3b477ea659542e7da19ed6d3d1f8a57799debdc3b507186a7cc6de
-
SSDEEP
24576:e5TQI5E1uxYPGD2Dq0prVxc37ylH6YrI1SnBOWImRTzwHTVPpVwaJ/Ivb79+ZTrh:e5sTFx0ylzVueKg1+ZT3ZSNusu5eMZ
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://covery-mover.biz/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 57f360ffb2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 57f360ffb2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 57f360ffb2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 57f360ffb2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 57f360ffb2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 57f360ffb2.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 57f360ffb2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e1cdcf80ae.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2b7d63bc73.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mOqBQWc.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e1cdcf80ae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2b7d63bc73.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mOqBQWc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 57f360ffb2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 57f360ffb2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e1cdcf80ae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2b7d63bc73.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mOqBQWc.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation mOqBQWc.exe -
Executes dropped EXE 9 IoCs
pid Process 5020 skotes.exe 388 e1cdcf80ae.exe 444 2b7d63bc73.exe 2904 skotes.exe 3340 c5c1e2da7b.exe 5220 57f360ffb2.exe 4000 mOqBQWc.exe 4724 skotes.exe 5164 skotes.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 2b7d63bc73.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine e1cdcf80ae.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 57f360ffb2.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine mOqBQWc.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 57f360ffb2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 57f360ffb2.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2b7d63bc73.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013751001\\2b7d63bc73.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5c1e2da7b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013752001\\c5c1e2da7b.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57f360ffb2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013753001\\57f360ffb2.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1cdcf80ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013750001\\e1cdcf80ae.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023cbe-73.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 4936 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe 5020 skotes.exe 388 e1cdcf80ae.exe 444 2b7d63bc73.exe 2904 skotes.exe 5220 57f360ffb2.exe 4000 mOqBQWc.exe 4724 skotes.exe 5164 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mOqBQWc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e1cdcf80ae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2b7d63bc73.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage c5c1e2da7b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c5c1e2da7b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 57f360ffb2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language c5c1e2da7b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mOqBQWc.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mOqBQWc.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 5800 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 1428 taskkill.exe 4908 taskkill.exe 3568 taskkill.exe 4104 taskkill.exe 2468 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 4936 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe 4936 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe 5020 skotes.exe 5020 skotes.exe 388 e1cdcf80ae.exe 388 e1cdcf80ae.exe 444 2b7d63bc73.exe 444 2b7d63bc73.exe 2904 skotes.exe 2904 skotes.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 5220 57f360ffb2.exe 5220 57f360ffb2.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 5220 57f360ffb2.exe 5220 57f360ffb2.exe 5220 57f360ffb2.exe 4000 mOqBQWc.exe 4000 mOqBQWc.exe 4000 mOqBQWc.exe 4000 mOqBQWc.exe 4724 skotes.exe 4724 skotes.exe 5164 skotes.exe 5164 skotes.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 1428 taskkill.exe Token: SeDebugPrivilege 4908 taskkill.exe Token: SeDebugPrivilege 3568 taskkill.exe Token: SeDebugPrivilege 4104 taskkill.exe Token: SeDebugPrivilege 2468 taskkill.exe Token: SeDebugPrivilege 1540 firefox.exe Token: SeDebugPrivilege 1540 firefox.exe Token: SeDebugPrivilege 5220 57f360ffb2.exe Token: SeDebugPrivilege 1540 firefox.exe Token: SeDebugPrivilege 1540 firefox.exe Token: SeDebugPrivilege 1540 firefox.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 4936 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 1540 firefox.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe 3340 c5c1e2da7b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1540 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4936 wrote to memory of 5020 4936 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe 83 PID 4936 wrote to memory of 5020 4936 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe 83 PID 4936 wrote to memory of 5020 4936 8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe 83 PID 5020 wrote to memory of 388 5020 skotes.exe 85 PID 5020 wrote to memory of 388 5020 skotes.exe 85 PID 5020 wrote to memory of 388 5020 skotes.exe 85 PID 5020 wrote to memory of 444 5020 skotes.exe 93 PID 5020 wrote to memory of 444 5020 skotes.exe 93 PID 5020 wrote to memory of 444 5020 skotes.exe 93 PID 5020 wrote to memory of 3340 5020 skotes.exe 97 PID 5020 wrote to memory of 3340 5020 skotes.exe 97 PID 5020 wrote to memory of 3340 5020 skotes.exe 97 PID 3340 wrote to memory of 1428 3340 c5c1e2da7b.exe 100 PID 3340 wrote to memory of 1428 3340 c5c1e2da7b.exe 100 PID 3340 wrote to memory of 1428 3340 c5c1e2da7b.exe 100 PID 3340 wrote to memory of 4908 3340 c5c1e2da7b.exe 104 PID 3340 wrote to memory of 4908 3340 c5c1e2da7b.exe 104 PID 3340 wrote to memory of 4908 3340 c5c1e2da7b.exe 104 PID 3340 wrote to memory of 3568 3340 c5c1e2da7b.exe 106 PID 3340 wrote to memory of 3568 3340 c5c1e2da7b.exe 106 PID 3340 wrote to memory of 3568 3340 c5c1e2da7b.exe 106 PID 3340 wrote to memory of 4104 3340 c5c1e2da7b.exe 108 PID 3340 wrote to memory of 4104 3340 c5c1e2da7b.exe 108 PID 3340 wrote to memory of 4104 3340 c5c1e2da7b.exe 108 PID 3340 wrote to memory of 2468 3340 c5c1e2da7b.exe 110 PID 3340 wrote to memory of 2468 3340 c5c1e2da7b.exe 110 PID 3340 wrote to memory of 2468 3340 c5c1e2da7b.exe 110 PID 3340 wrote to memory of 1436 3340 c5c1e2da7b.exe 112 PID 3340 wrote to memory of 1436 3340 c5c1e2da7b.exe 112 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1436 wrote to memory of 1540 1436 firefox.exe 113 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 PID 1540 wrote to memory of 3444 1540 firefox.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe"C:\Users\Admin\AppData\Local\Temp\8d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\1013750001\e1cdcf80ae.exe"C:\Users\Admin\AppData\Local\Temp\1013750001\e1cdcf80ae.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:388
-
-
C:\Users\Admin\AppData\Local\Temp\1013751001\2b7d63bc73.exe"C:\Users\Admin\AppData\Local\Temp\1013751001\2b7d63bc73.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:444
-
-
C:\Users\Admin\AppData\Local\Temp\1013752001\c5c1e2da7b.exe"C:\Users\Admin\AppData\Local\Temp\1013752001\c5c1e2da7b.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2d13776-8be2-4cab-bb5e-d7dd248f5405} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" gpu6⤵PID:3444
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {283cf772-52ec-4854-8c60-e900ed434781} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" socket6⤵PID:4044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3264 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea15167f-957e-4958-8806-42cd16f70090} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" tab6⤵PID:444
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3704 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3692 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3576542-6626-4350-a40c-026fafb9e1ec} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" tab6⤵PID:2208
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {483556f0-c421-4d33-8fc2-305adb1d5f47} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" utility6⤵
- Checks processor information in registry
PID:5256
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -childID 3 -isForBrowser -prefsHandle 5556 -prefMapHandle 5008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fff7758f-4b77-498e-8ac5-eaa8152e3a29} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" tab6⤵PID:4924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5800 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b83c2df-217a-445a-948a-b92036d3610b} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" tab6⤵PID:3584
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5028 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef63807c-5f9e-4936-a255-894ab05475d9} 1540 "\\.\pipe\gecko-crash-server-pipe.1540" tab6⤵PID:3864
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013753001\57f360ffb2.exe"C:\Users\Admin\AppData\Local\Temp\1013753001\57f360ffb2.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5220
-
-
C:\Users\Admin\AppData\Local\Temp\1013754001\mOqBQWc.exe"C:\Users\Admin\AppData\Local\Temp\1013754001\mOqBQWc.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4000 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1013754001\mOqBQWc.exe" & rd /s /q "C:\ProgramData\A1D26X4WTRQQ" & exit4⤵
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5800
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2904
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4724
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5164
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
Filesize19KB
MD54a74fb21b8aa087f8393c72f5a4ece9b
SHA107e2f5e6c4f97447f6ef8000c9e82f56511defe1
SHA256b80627b5eb2ab075be4e9362b9417369b6c234e910bf24191c3ad30b9b9446ac
SHA512748097a2b8d542d1d7fa09850b6ca37485cf1c867e8ac464c998bcae1efce820baa477b1b819903e1d7b4a0f22696d70490d86f8a6cfcc11d5552d1c8a65fb36
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5e3b392f73b14b0f209d0bccc11be5601
SHA1f86a8c489660e1d43f8732d070909752bdbff4cf
SHA256209a914811c8c9ca7760c2b247a63147ccd61f284ffea7d9ac2662fe720dd09b
SHA512937a68463be634373554a76ef918d99db578703c8fbdb4a55af84415ada0f9ab8ca861442af74362713c34a2de82c168ddc84b4c322383e6c52a049a84f3efe5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD5ed7caab0d405cb303792e6a21a63cade
SHA1baa8c5cadec598fa3f71073bdf305b05eeab1d20
SHA256fbe36ec46358b7284655cb7872bce650ec230cf1e57b2a507cce14b4242ca23d
SHA5122a5ca0ec8986cc2ac2945971aff0057967c3046fc390f6b87e7d966d03f4ca2f7a8e7aab0b3ebef6598904a831a1d6a5e05c43d550c39e6d9f7cb3cab974f0a7
-
Filesize
1.7MB
MD548ef533281a49ffec30c76b2a6bc0554
SHA13f2c71d635b8835920a841bb98138bb31a5d2e8a
SHA256420d505f8c86aed008a9dfa888a3acecae32e95bc26a470d7fb756bdcd74a8d1
SHA5128307a02057a649dbd5137d60c7d4ce7719e1b7ef28c776cf27410621d4b5416e5d1d38246d3529fde7a229439994ca6a3fa7ee90e3c498d84ef764a3994e0a6e
-
Filesize
948KB
MD5e26a110d07130ef58bc1dcc2e32c1d49
SHA14a8013b5ff9906a32b0f61494315d76ff281487f
SHA25663c4a11a58416818a4ba7a6af376c485f1e69e9e7646c8e7d19d93918b97d30c
SHA5120566926c9f00fc3deb32754785ca0d4aa8ff16c31b50766f8c348ebb05557658955bad80c6c68551eb30d62b659a50f746f5a93df6f433ba4fa66a52433d5d78
-
Filesize
2.7MB
MD50f95cebb6ce231e39352462e416fbeeb
SHA1aaaa94109952e94de68f1958a7ba3d6f2148135b
SHA2564ee64b13fdcf9924c424e04d3996794725ccc70a99a85fee306ff58a09071913
SHA512a04035523cac17d292ecb57ff632e9b8f891a5d7efd036df610ccaeb7bce311430732b66b02a5f9981499278303efd686ab049fe843bc8feee1952bae9bd228e
-
Filesize
1.8MB
MD53b8b3018e3283830627249d26305419d
SHA140fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA5122e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0
-
Filesize
3.1MB
MD5f2f1e44d66a7142f3224767e23212d69
SHA1ac045bd0e055e3980662fae03f20860c98adc480
SHA2568d8bb5e7534e8ba13cf1e6696463dc2219bf16e052325b5371c7e484b2c28fe7
SHA512876049eefbf91ef5e423a401cfc9e377aaac386834f3659b411fcded6369edc45a904a808a3b477ea659542e7da19ed6d3d1f8a57799debdc3b507186a7cc6de
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize6KB
MD51ea1638cd81beae7b4c69f905c82ae4a
SHA14639d92e8d222f1a576fc5ed176724d9d6cee1eb
SHA256260edb5c69ddcce2bd7f3227a792911cbac9ab18b0cb466448e8ba132ea3f671
SHA5121d58692375272ad1b3c40c01a944a112f2ac49379cebf99d842296b5a23f38aeec51b71d697026a10d47633fae94c52b0c41c80771fa5e43de819a564aec9a99
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize8KB
MD5dbf4c24167c03b5fa271ded9117c719e
SHA1cc8e97c98e5bc7569288e0e336d885f8167bcc8b
SHA2564ed451ea19ea985efd2c17ceb9730bb173c79c877b9d622c363344b202f04404
SHA51212ade61f9c662140c4834e576ae0bcf183166c3975b2cf2603d294d0f014b8af8c1b3d727511a1a4fa270d710e30daca1527ef173f6ca766e643805434a7a282
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD59a5e52c5256d901bf605ca7808c1f0b4
SHA16ce821c66bcca1b3e881278312efaa8f0277bc81
SHA25696cae8565668f2e30a3b2c61799b6e99fd2a0d177930a75faa2f2042e9959d46
SHA5124de63c67a81bb1d8cd7245ac79d1530012954ff67ff01c5bb31b110f838b7097e61d3c0d39e6060dfe9d1d3312be43f09a3235fd3feaeaafefac666ecf720214
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD57f33706a535559d1f8bef74916d54205
SHA158fcdd2fd223d1d78431c0d4a530f20b6ebb1808
SHA2565fe09676e9856482a782d2f04d2185687abaf4d267eef0af017bc1ff50ccfa35
SHA512d2fc4362cc7260ff7ee01540c1989699e21f1261e4475cfffff80c829a48c08651d127267901db44a07e67d6b485f2d4ccb67b518c62378a4bace26dd586a84a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD538d2f3afcbcbaf9155ffdbf9119981bd
SHA14ee2711c49561c6a6a1ddc55756de93c791a6f48
SHA256855ed9214a3c4dc2394a8fd7ef1288107dd822c100fc50591c1740b8feaa0460
SHA5125010a04ec4766adf07d561598f572600ac9074ce4938b434ddcf7f911efd9741a172029a915cd88d47de58a7107d94ddc5e97e2361bf5780c40a1bac3843a401
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD50fc9d113e279945b852c4b165df9cc38
SHA1d8fa5790be6779d583b9c1f3117bbb3ea57aa0ed
SHA2568f220e5bc02794d7ba3899297db56fb6ea995aa2539ca0b1ff53751609fdfc2f
SHA512a1bfdcd9eca981ffa3437bb558187312f9dc6f75f1fea8eccdb11c90fa0d781d4c3351554b551c2523c5de7d38efedc4ac4cc42477b5ea0dde3ba3465c36f339
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\02146319-0fac-4b95-9936-e69c9d47c486
Filesize982B
MD5c2b84ac5ebe201542545707db45b49c1
SHA140235770aca03daa8e8430b456760d3b3bd2508b
SHA256c44b7c91661a56039789728218cae556b35b67fb6e68f8bf13ef63b1549b5381
SHA5122bafe2f2ddcc428f0ccc67d585a85ab9e303933667be1f4151536307adcd482bea4a19e7abc7a43276a5affcbc9783bcd449a3ea906b0ba6f3491973305d7258
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\a74218ca-eb05-406a-b5d9-7e63bab98008
Filesize26KB
MD539334c07b50e6990eeba75ac2ee184dd
SHA1dab3592b624db1dbe9cab182689cb95743873585
SHA25633c37259c18dbbe83335f822ae0e2f5b21d19bf9cb717faaeca93fc3b60e8512
SHA5121e94dde6e261545b213e075b02b6980bbcff8ef46ce9cd5c876902df147e43ed5d1e54d7bdc767e8ec2b126855934c8aa94fccf15706b500878f6ba01b517716
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\d05c9497-878e-4be5-b7d7-99da7735f0bd
Filesize671B
MD5e050c844c564197ffbcafb2e29186ea3
SHA15aded584f659ee60285a1291dd4a24204e7c18b9
SHA2565eaca177746b464610fd8660d15bfbe7b412e29db60e0e03bcd31016b71b4f8a
SHA51211ff533a81909988de1e0bd5f5b2af0922aa097fe91cc2afb4d78316b01c052a90dceca1291a5eb94df162233c85b3bf9e6f3d8f88cddf01d46fbf3d2b932616
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5e0b83727b44f55e1dc1d1dc30c00eb8c
SHA1a32391b301944927093e644f49805bc95ae85b66
SHA256d4fbd8ddff658fe41e7256d9eed4311bebe4c122cc1204f9353f1f21ef1afb2b
SHA512779ae025fb9902f0276e5d55db0206e77c71f47b3eb5c66bac6b23136cbec8239eb44429f6639ba8ca58a7e3ee99638c2f730b30fa16aafa79191a4b37168aab
-
Filesize
12KB
MD5735f44b853f82f88c327843f8f58513f
SHA1e72e5fca0cbc2c64b84ae4ac3caa6b149223e4dd
SHA256807293a8b0865fd0f1299db25dd423ac0638e7e010c657cc5e1a091c81616a89
SHA51272a5eb3416cb09e7df4435b6909042621d8c7924b4ebb8974b2f8330d4e62dd2acd3b108c4b9756ffef7e482b0d0a62b6e759645c14390302c500027c85c0d34
-
Filesize
15KB
MD5208b9a93288090219c26076f33749c6e
SHA15e65f8edcc0e7ff8e1dc8792859e1531bf7c6186
SHA256a358cb75b2905c2f5d2aba038164a982c69b1165d3fe19ed0aab05cff2f5d9db
SHA512f4a0b22b529f8448ad9973f51d9c4fe63220d8460c4365a88370321690ef19cab7c09944ebddb491d61cbb07f9146a4d13103cd1ea5c6b7d3d53f094a53d892a
-
Filesize
10KB
MD5a09d7d93a66be78eb30ef61948567fd0
SHA1e4d00d2a78e9bd57dfc4d099629dba81c524ee8a
SHA256f89e8493d29030c4623126f4e875bab23808c6077df12f606ce9291268aa0a0c
SHA512389a37e48da7ee59e7a5e301d641ba8ce869afcb4815753afa4dbc3a6bab46454194c7daff7a31710d39a33f5531684a9a7a6ee44ab279a303f87f5f6210a789