Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-12-2024 17:26
- Static task: static1

General
- Target: 2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb.exe
- Size: 6.9MB
- MD5: e2856f970d896a79fb954b33c42400e0
- SHA1: 54d0c38f5b82f552c3c6c4ccbf861a1e5e4d3d1d
- SHA256: 2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb
- SHA512: 7669f071ca159e8f5ac498333f0074136abd1efd6c94ee730c811c1b860862bc806ebd978a84cb183c7ef8f843334e3cfa4de0b483ec19be084c6ea205bbd1bb
- SSDEEP: 196608:8qr/0FpqbNkv9rjpmAnbduCVm2unomHDhmDno:8wxbN89cATun5HDwTo
Malware Config

Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted: lumma
Extracted: stealc
- stok
- http://185.215.113.206
- url_path: /c4becf79229cb002.php

Extracted: lumma
- https://atten-supporse.biz/api
- https://covery-mover.biz/api
Signatures

Amadey family

Gcleaner family

Lumma family

Modifies Windows Defender Real-time Protection settings (11 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection.
description | ioc | Process
Set value (int) | DisableRealtimeMonitoring = "1" | 100e1ce17f.exe
Set value (int) | DisableScanOnRealtimeEnable = "1" | 100e1ce17f.exe
Key created | Real-Time Protection | 4o256w.exe
Set value (int) | DisableBehaviorMonitoring = "1" | 4o256w.exe
Set value (int) | DisableOnAccessProtection = "1" | 4o256w.exe
Set value (int) | DisableIOAVProtection = "1" | 100e1ce17f.exe
Set value (int) | DisableOnAccessProtection = "1" | 100e1ce17f.exe
Set value (int) | DisableIOAVProtection = "1" | 4o256w.exe
Set value (int) | DisableRealtimeMonitoring = "1" | 4o256w.exe
Set value (int) | DisableScanOnRealtimeEnable = "1" | 4o256w.exe
Set value (int) | DisableBehaviorMonitoring = "1" | 100e1ce17f.exe

Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 11 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe, skotes.exe, 2w3779.exe, 3T87n.exe, 4a6e874234.exe, f9d6a7e11b.exe, 1v92P9.exe, 4o256w.exe, 96d24962db.exe, 100e1ce17f.exe, skotes.exe (one entry per process listed)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 22 IoCs)
BIOS information is often read in order to detect sandboxing environments.
All values below are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System; one entry per process listed.
description | ioc | Process
Key value queried | SystemBiosVersion | skotes.exe, 1v92P9.exe, 3T87n.exe, 96d24962db.exe, f9d6a7e11b.exe, skotes.exe, skotes.exe, 2w3779.exe, 4o256w.exe, 4a6e874234.exe, 100e1ce17f.exe
Key value queried | VideoBiosVersion | skotes.exe, 2w3779.exe, 1v92P9.exe, 4a6e874234.exe, skotes.exe, 4o256w.exe, 100e1ce17f.exe, 3T87n.exe, 96d24962db.exe, f9d6a7e11b.exe, skotes.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 1v92P9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE (15 IoCs)
pid | Process
4960 | N9e74.exe
3712 | t8l73.exe
1952 | 1v92P9.exe
2844 | skotes.exe
4684 | 2w3779.exe
4432 | 3T87n.exe
336 | 4o256w.exe
4148 | 96d24962db.exe
2424 | 4a6e874234.exe
2184 | f9d6a7e11b.exe
1424 | 52846e439d.exe
2228 | 100e1ce17f.exe
5532 | yiklfON.exe
5664 | skotes.exe
6740 | skotes.exe
Identifies Wine through registry keys (2 TTPs, 11 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe, 1v92P9.exe, 2w3779.exe, 3T87n.exe, 4o256w.exe, 96d24962db.exe, 4a6e874234.exe, skotes.exe, f9d6a7e11b.exe, 100e1ce17f.exe, skotes.exe (one entry per process listed)

Windows security modification (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4o256w.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4o256w.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 100e1ce17f.exe
Adds Run key to start application (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | N9e74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | t8l73.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a6e874234.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013761001\\4a6e874234.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f9d6a7e11b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013762001\\f9d6a7e11b.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\52846e439d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013763001\\52846e439d.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\100e1ce17f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013764001\\100e1ce17f.exe" | skotes.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000a000000023baf-124.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
pid | Process
1952 | 1v92P9.exe
2844 | skotes.exe
4684 | 2w3779.exe
4432 | 3T87n.exe
336 | 4o256w.exe
4148 | 96d24962db.exe
2424 | 4a6e874234.exe
2184 | f9d6a7e11b.exe
2228 | 100e1ce17f.exe
5664 | skotes.exe
6740 | skotes.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1v92P9.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
5928 | 4148 | WerFault.exe | 91
System Location Discovery: System Language Discovery (1 TTPs, 21 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3T87n.exe, 4o256w.exe, 96d24962db.exe, taskkill.exe, taskkill.exe, N9e74.exe, t8l73.exe, 1v92P9.exe, 100e1ce17f.exe, skotes.exe, 2w3779.exe, taskkill.exe, taskkill.exe, 2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb.exe, f9d6a7e11b.exe, yiklfON.exe, 4a6e874234.exe, 52846e439d.exe, taskkill.exe (one entry per process listed)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 52846e439d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 52846e439d.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
All keys below are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System.
description | ioc | Process
Key value queried | CentralProcessor\0\~Mhz | firefox.exe
Key value queried | CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | CentralProcessor\0 | firefox.exe
Key value queried | CentralProcessor\0\Update Signature | firefox.exe
Key value queried | CentralProcessor\0\Update Revision | firefox.exe
Key value queried | CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | CentralProcessor\0 | firefox.exe
Key value queried | CentralProcessor\0\~Mhz | firefox.exe
Kills process with taskkill (5 IoCs)
pid | Process
448 | taskkill.exe
4956 | taskkill.exe
1508 | taskkill.exe
1616 | taskkill.exe
2612 | taskkill.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid | Process | entries
1952 | 1v92P9.exe | 2
2844 | skotes.exe | 2
4684 | 2w3779.exe | 2
4432 | 3T87n.exe | 2
336 | 4o256w.exe | 4
4148 | 96d24962db.exe | 2
2424 | 4a6e874234.exe | 2
2184 | f9d6a7e11b.exe | 2
1424 | 52846e439d.exe | 4
2228 | 100e1ce17f.exe | 5
5664 | skotes.exe | 2
6740 | skotes.exe | 2
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process | entries
Token: SeDebugPrivilege | 336 | 4o256w.exe | 1
Token: SeDebugPrivilege | 448 | taskkill.exe | 1
Token: SeDebugPrivilege | 4956 | taskkill.exe | 1
Token: SeDebugPrivilege | 1508 | taskkill.exe | 1
Token: SeDebugPrivilege | 1616 | taskkill.exe | 1
Token: SeDebugPrivilege | 2612 | taskkill.exe | 1
Token: SeDebugPrivilege | 4592 | firefox.exe | 5
Token: SeDebugPrivilege | 2228 | 100e1ce17f.exe | 1
Suspicious use of FindShellTrayWindow (33 IoCs)
pid | Process | entries
1952 | 1v92P9.exe | 1
1424 | 52846e439d.exe | 11
4592 | firefox.exe | 21
Suspicious use of SendNotifyMessage (31 IoCs)
pid | Process | entries
1424 | 52846e439d.exe | 11
4592 | firefox.exe | 20
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4592 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each row groups identical entries; the last column is how many times the entry appears.
description | pid | Process | procid_target | entries
PID 1856 wrote to memory of 4960 | 1856 | 2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb.exe | 82 | 3
PID 4960 wrote to memory of 3712 | 4960 | N9e74.exe | 83 | 3
PID 3712 wrote to memory of 1952 | 3712 | t8l73.exe | 84 | 3
PID 1952 wrote to memory of 2844 | 1952 | 1v92P9.exe | 85 | 3
PID 3712 wrote to memory of 4684 | 3712 | t8l73.exe | 86 | 3
PID 4960 wrote to memory of 4432 | 4960 | N9e74.exe | 87 | 3
PID 1856 wrote to memory of 336 | 1856 | 2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb.exe | 90 | 3
PID 2844 wrote to memory of 4148 | 2844 | skotes.exe | 91 | 3
PID 2844 wrote to memory of 2424 | 2844 | skotes.exe | 95 | 3
PID 2844 wrote to memory of 2184 | 2844 | skotes.exe | 98 | 3
PID 2844 wrote to memory of 1424 | 2844 | skotes.exe | 100 | 3
PID 1424 wrote to memory of 448 | 1424 | 52846e439d.exe | 101 | 3
PID 1424 wrote to memory of 4956 | 1424 | 52846e439d.exe | 103 | 3
PID 1424 wrote to memory of 1508 | 1424 | 52846e439d.exe | 105 | 3
PID 1424 wrote to memory of 1616 | 1424 | 52846e439d.exe | 107 | 3
PID 1424 wrote to memory of 2612 | 1424 | 52846e439d.exe | 109 | 3
PID 1424 wrote to memory of 2344 | 1424 | 52846e439d.exe | 111 | 2
PID 2344 wrote to memory of 4592 | 2344 | firefox.exe | 112 | 11
PID 4592 wrote to memory of 4752 | 4592 | firefox.exe | 113 | 3
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Tree view: the number in brackets is the process depth, and each process is indented under its parent.

[1] C:\Users\Admin\AppData\Local\Temp\2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2949d21f36ac9ddb989dd8ac6948b3e95ee554d70767b8dae6c8bb2aaa1f83cb.exe"
    PID: 1856
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N9e74.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N9e74.exe
      PID: 4960
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t8l73.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t8l73.exe
        PID: 3712
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1v92P9.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1v92P9.exe
          PID: 1952
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            PID: 2844
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Checks computer location settings
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Adds Run key to start application
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

          [6] C:\Users\Admin\AppData\Local\Temp\1013760001\96d24962db.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\1013760001\96d24962db.exe"
              PID: 4148
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

            [7] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 784
                PID: 5928
                - Program crash

          [6] C:\Users\Admin\AppData\Local\Temp\1013761001\4a6e874234.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\1013761001\4a6e874234.exe"
              PID: 2424
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

          [6] C:\Users\Admin\AppData\Local\Temp\1013762001\f9d6a7e11b.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\1013762001\f9d6a7e11b.exe"
              PID: 2184
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses

          [6] C:\Users\Admin\AppData\Local\Temp\1013763001\52846e439d.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\1013763001\52846e439d.exe"
              PID: 1424
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\taskkill.exe
                command line: taskkill /F /IM firefox.exe /T
                PID: 448
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\SysWOW64\taskkill.exe
                command line: taskkill /F /IM chrome.exe /T
                PID: 4956
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\SysWOW64\taskkill.exe
                command line: taskkill /F /IM msedge.exe /T
                PID: 1508
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\SysWOW64\taskkill.exe
                command line: taskkill /F /IM opera.exe /T
                PID: 1616
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\SysWOW64\taskkill.exe
                command line: taskkill /F /IM brave.exe /T
                PID: 2612
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Program Files\Mozilla Firefox\firefox.exe
                command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                PID: 2344
                - Suspicious use of WriteProcessMemory

              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                  PID: 4592
                  - Checks processor information in registry
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {192671cc-a97f-4463-856f-f52ff5f73005} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" gpu
                    PID: 4752

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d595553c-7fd8-400a-8146-6eab08fa33b0} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" socket
                    PID: 4460

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3432 -childID 1 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7428b7d-6d06-4d2a-9eca-167988db933e} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
                    PID: 868

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3832 -childID 2 -isForBrowser -prefsHandle 3824 -prefMapHandle 3236 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ace60b92-6614-4c45-ae28-db3dc6f8e018} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
                    PID: 2364

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4384 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4360 -prefMapHandle 4332 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {565b8ea7-509b-49b3-84dc-df8af998aff4} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" utility
                    PID: 5804
                    - Checks processor information in registry

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc81120-91a1-4094-b63b-39bb933a68bc} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
                    PID: 1736

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 4 -isForBrowser -prefsHandle 5912 -prefMapHandle 5628 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3f473fc-13b8-455a-91ef-a926aa241d18} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
                    PID: 1960

                [9] C:\Program Files\Mozilla Firefox\firefox.exe
                    command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 5 -isForBrowser -prefsHandle 5816 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ead213be-1be6-40c3-acca-2cff87c057c7} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
                    PID: 3736

          [6] C:\Users\Admin\AppData\Local\Temp\1013764001\100e1ce17f.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\1013764001\100e1ce17f.exe"
              PID: 2228
              - Modifies Windows Defender Real-time Protection settings
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Identifies Wine through registry keys
              - Windows security modification
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"
              PID: 5532
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2w3779.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2w3779.exe
          PID: 4684
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3T87n.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3T87n.exe
        PID: 4432
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4o256w.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4o256w.exe
      PID: 336
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 5664
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4148 -ip 4148
    PID: 5904

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 6740
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Defense Evasion
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 3
- Virtualization/Sandbox Evasion: 2
Downloads