Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-12-2024 18:06
- Static task: static1
General
- Target: 54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db.exe
- Size: 6.8MB
- MD5: e79872f5a0f28f748704ff8ed119414d
- SHA1: c24150e031ae75a03a4fdfef6d5763e990561919
- SHA256: 54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db
- SHA512: 86cdf6462291216b89985f26827bd028811334a52b32f94b46de2946c92a425b2119fadbcf10d727d0ccc188e5dd9b0390bf9636c00b010f17cbcfe45e7288d2
- SSDEEP: 196608:Z2nplst/rDSq1Gwrh4g3qCAro6/EbrQz6+77ddLnK:8fs1P1Gw1R3qHr7n2
Malware Config

Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php

Extracted: lumma
- https://impend-differ.biz/api
- https://print-vexer.biz/api
- https://dare-curbys.biz/api
- https://covery-mover.biz/api
- https://formy-spill.biz/api
- https://dwell-exclaim.biz/api
- https://zinc-sneark.biz/api
- https://se-blurry.biz/api
- https://atten-supporse.biz/api

Extracted: stealc
- drum
- http://185.215.113.206
- url_path: /c4becf79229cb002.php

Extracted: stealc
- stok
- http://185.215.113.206
- url_path: /c4becf79229cb002.php

Extracted: lumma
- https://atten-supporse.biz/api
- https://covery-mover.biz/api
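The extracted configs above give three families' check-in endpoints: Amadey and Stealc as host plus gate path (the two Stealc builds share one gate), Lumma as a list of rotating domains under /api. The following is an added example, not part of the sandbox report, showing how to turn those values into host-level and URL-level indicators and run them over web-proxy log lines. The log lines and their five-field layout are constructed for illustration; the indicator values are copied from the config section.

```python
"""Match web-proxy log lines against the C2 endpoints extracted above.

Added example, not part of the sandbox report. The indicators are copied from
the Malware Config section; the log lines and their layout are constructed
for illustration.
"""
from urllib.parse import urlsplit

# Amadey and Stealc publish a host plus a gate path; the two Stealc builds
# ("drum" and "stok") share one gate.
AMADEY_C2 = [("http://185.215.113.43", "/Zu7JuNko/index.php")]
STEALC_C2 = [("http://185.215.113.206", "/c4becf79229cb002.php")]
# Lumma rotates through a list of domains that all serve /api.
LUMMA_C2 = [
    "https://impend-differ.biz/api", "https://print-vexer.biz/api",
    "https://dare-curbys.biz/api", "https://covery-mover.biz/api",
    "https://formy-spill.biz/api", "https://dwell-exclaim.biz/api",
    "https://zinc-sneark.biz/api", "https://se-blurry.biz/api",
    "https://atten-supporse.biz/api",
]


def build_indicators():
    """Return (hosts, urls): host-level and full-URL indicators, deduplicated."""
    urls = {base + path for base, path in AMADEY_C2 + STEALC_C2}
    urls.update(LUMMA_C2)
    hosts = {urlsplit(u).hostname for u in urls}
    return hosts, urls


HOSTS, URLS = build_indicators()


def classify(url):
    """'url' for an exact C2 URL, 'host' when only the host matches, else None.

    Gate paths change between builds while the hosting stays put, so a host-only
    hit is still worth an alert, just at lower confidence.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in HOSTS:
        return None
    normalized = f"{parts.scheme.lower()}://{host}{parts.path}"
    return "url" if normalized in URLS else "host"


def scan_proxy_log(lines):
    """Return [(line_no, verdict, url)] for lines whose URL field hits an indicator.

    Assumed (constructed) layout: '<timestamp> <client_ip> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify(fields[3])
        if verdict:
            hits.append((n, verdict, fields[3]))
    return hits


SAMPLE_LOG = [  # constructed lines, not sandbox output
    "2024-12-10T18:07:01Z 10.0.0.5 POST http://185.215.113.43/Zu7JuNko/index.php 200",
    "2024-12-10T18:07:03Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-12-10T18:07:09Z 10.0.0.5 POST https://atten-supporse.biz/api 200",
    "2024-12-10T18:07:12Z 10.0.0.5 POST http://185.215.113.206/c4becf79229cb002.php 200",
    "2024-12-10T18:07:15Z 10.0.0.5 GET http://185.215.113.206/other.php 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

The two-tier verdict matters because the same Stealc host serves two builds through one gate and the Amadey host will keep serving a new path after a rebuild; a host-only hit is the lower-confidence signal, an exact URL hit the higher one.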
Signatures

Amadey family

Gcleaner family

Lumma family

Modifies Windows Defender Real-time Protection settings 11 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 332ae8b687.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 332ae8b687.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 332ae8b687.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 332ae8b687.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 332ae8b687.exe

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1V40B6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4v169N.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2h1692.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3G21i.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 46ccb0074e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 61b7d3a0f4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 332ae8b687.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6c2ab27e2f.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3G21i.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 61b7d3a0f4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6c2ab27e2f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1V40B6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2h1692.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4v169N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 46ccb0074e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1V40B6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 46ccb0074e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 61b7d3a0f4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 332ae8b687.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 332ae8b687.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6c2ab27e2f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3G21i.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2h1692.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4v169N.exe

Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 3EUEYgl.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 1V40B6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | skotes.exe

Executes dropped EXE 16 IoCs
pid | process
4852 | I1h60.exe
752 | M0K23.exe
228 | 1V40B6.exe
3932 | skotes.exe
940 | 2h1692.exe
4932 | 3G21i.exe
3036 | 4v169N.exe
4476 | skotes.exe
2196 | yiklfON.exe
3888 | 3EUEYgl.exe
4584 | 46ccb0074e.exe
3348 | 61b7d3a0f4.exe
776 | f04fb79d25.exe
4928 | 332ae8b687.exe
5280 | 6c2ab27e2f.exe
5212 | skotes.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 3G21i.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 4v169N.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 46ccb0074e.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 61b7d3a0f4.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 6c2ab27e2f.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 1V40B6.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 2h1692.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 3EUEYgl.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 332ae8b687.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Windows security modification 3 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4v169N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 332ae8b687.exe

Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | M0K23.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46ccb0074e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013772001\\46ccb0074e.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\61b7d3a0f4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013773001\\61b7d3a0f4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f04fb79d25.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013774001\\f04fb79d25.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\332ae8b687.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013775001\\332ae8b687.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | I1h60.exe

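The registry signatures above fall into a few classes that an analyst triages differently: the Defender Real-Time Protection policy writes and the TamperProtection = 0 write are active defence evasion, the VBOX__ ACPI, BIOS-version and Software\Wine reads are sandbox probes, the Geo\Nation read is a geofence lookup, and the HKCU Run values are persistence, while the RunOnce wextract_cleanup entries are just the IExpress self-extractor scheduling deletion of its IXP00x.TMP directories. The following is an added example, not part of the sandbox report, that parses rows in the report's own "operation path [= "value"] process" layout and applies those distinctions. The sample rows are taken from the tables above; the category names and severity scale are this example's own assumptions.

```python
"""Triage registry events of the kind the signatures above list.

Added example, not part of the sandbox report. It parses rows in the report's
"<operation> <path> [= "<value>"] <process>" layout and classifies each as
Defender tampering, sandbox/VM probing, geofence lookup, or persistence. The
sample rows below are taken from the report; the categories and severities are
this example's own choices.
"""
import re
from collections import defaultdict

ROW = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \((?:int|str)\))\s+'
    r'(?P<path>.+?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<proc>\S+\.exe)$'
)

# Policy values under Real-Time Protection that switch Defender components off when set to 1.
RTP_DISABLE = r'\policies\microsoft\windows defender\real-time protection\disable'
TAMPER_OFF = r'\windows defender\features\tamperprotection'
SANDBOX_PROBES = {  # registry locations that give a VM or sandbox away
    r'\hardware\acpi\dsdt\vbox__': 'vbox-acpi',
    r'\hardware\description\system\systembiosversion': 'bios-version',
    r'\hardware\description\system\videobiosversion': 'bios-version',
    r'\software\wine': 'wine',
}
GEO_NATION = r'\control panel\international\geo\nation'
IEXPRESS_CLEANUP = r'\currentversion\runonce\wextract_cleanup'
RUN_KEY = '\\currentversion\\run\\'
TEMP_DIR = re.compile(r'appdata\\+local\\+temp', re.I)  # tolerate the report's doubled backslashes


def parse_row(row):
    """Split one report row into op / path / value / proc (value is None for reads)."""
    m = ROW.match(row.strip())
    if not m:
        raise ValueError(f'unparsed row: {row!r}')
    return m.groupdict()


def classify(ev):
    """Return (category, severity 0-3) for a parsed event, or None if it is not interesting."""
    path, value, op = ev['path'].lower(), ev['value'], ev['op']
    if RTP_DISABLE in path and value == '1':
        return ('defender-rtp-disabled', 3)
    if path.endswith(TAMPER_OFF) and value == '0':
        return ('defender-tamper-protection-off', 3)
    for needle, name in SANDBOX_PROBES.items():
        if needle in path:
            return ('sandbox-probe:' + name, 1)
    if path.endswith(GEO_NATION):
        return ('geofence-lookup', 1)
    if IEXPRESS_CLEANUP in path and 'delnoderundll32' in (value or '').lower():
        # IExpress self-extractor housekeeping: deletes IXP00x.TMP on next logon,
        # a packaging artefact rather than persistence.
        return ('iexpress-cleanup', 0)
    if RUN_KEY in path and op.startswith('Set value'):
        # An autorun entry pointing into %TEMP% is how skotes.exe re-launches the payloads it fetched.
        return ('run-key-persistence', 3 if value and TEMP_DIR.search(value) else 2)
    return None


def triage(rows):
    """Group findings per process: {process: [(category, severity), ...]}."""
    findings = defaultdict(list)
    for row in rows:
        ev = parse_row(row)
        hit = classify(ev)
        if hit:
            findings[ev['proc']].append(hit)
    return dict(findings)


def max_severity(findings):
    """Highest severity seen per process, for ordering an analyst's worklist."""
    return {proc: max(sev for _, sev in hits) for proc, hits in findings.items()}


SID = 'S-1-5-21-493223053-2004649691-1575712786-1000'
SAMPLE_ROWS = [  # rows taken from the signature tables in this report
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 4v169N.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 332ae8b687.exe',
    r'Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe',
    rf'Key opened \REGISTRY\USER\{SID}\Software\Wine skotes.exe',
    rf'Key value queried \REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation skotes.exe',
    rf'Set value (str) \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46ccb0074e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013772001\\46ccb0074e.exe" skotes.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" M0K23.exe',
    rf'Key created \REGISTRY\USER\{SID}_Classes\Local Settings firefox.exe',
]

if __name__ == '__main__':
    for proc, sev in sorted(max_severity(triage(SAMPLE_ROWS)).items(), key=lambda kv: -kv[1]):
        print(sev, proc)
```

Running it puts 4v169N.exe, 332ae8b687.exe and skotes.exe at severity 3 and M0K23.exe at 0; the firefox.exe row produces no finding. The RunOnce check runs before the Run check deliberately, so that the IExpress cleanup entries written by the outer droppers are not counted as persistence.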
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0012000000023cd9-144.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | process
228 | 1V40B6.exe
3932 | skotes.exe
940 | 2h1692.exe
4932 | 3G21i.exe
3036 | 4v169N.exe
4476 | skotes.exe
3888 | 3EUEYgl.exe
4584 | 46ccb0074e.exe
3348 | 61b7d3a0f4.exe
4928 | 332ae8b687.exe
5280 | 6c2ab27e2f.exe
5212 | skotes.exe

Drops file in Windows directory 1 IoCs
description | ioc | process
File created | C:\Windows\Tasks\skotes.job | 1V40B6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | process | procid_target
5724 | 5280 | WerFault.exe | 141

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f04fb79d25.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | f04fb79d25.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2h1692.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 46ccb0074e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | f04fb79d25.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3G21i.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4v169N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | M0K23.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yiklfON.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 61b7d3a0f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 332ae8b687.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6c2ab27e2f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | I1h60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1V40B6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3EUEYgl.exe

Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3EUEYgl.exe

Delays execution with timeout.exe 1 IoCs
pid | process
1828 | timeout.exe

Kills process with taskkill 5 IoCs
pid | process
3172 | taskkill.exe
4664 | taskkill.exe
1004 | taskkill.exe
4380 | taskkill.exe
1844 | taskkill.exe

Modifies registry class 1 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | process | entries
228 | 1V40B6.exe | 2
3932 | skotes.exe | 2
940 | 2h1692.exe | 2
4932 | 3G21i.exe | 2
3036 | 4v169N.exe | 4
4476 | skotes.exe | 2
3888 | 3EUEYgl.exe | 4
4584 | 46ccb0074e.exe | 2
3348 | 61b7d3a0f4.exe | 2
776 | f04fb79d25.exe | 4
4928 | 332ae8b687.exe | 5
5280 | 6c2ab27e2f.exe | 2
5212 | skotes.exe | 2

Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | process
Token: SeDebugPrivilege | 3036 | 4v169N.exe
Token: SeDebugPrivilege | 1004 | taskkill.exe
Token: SeDebugPrivilege | 1844 | taskkill.exe
Token: SeDebugPrivilege | 4380 | taskkill.exe
Token: SeDebugPrivilege | 3172 | taskkill.exe
Token: SeDebugPrivilege | 4664 | taskkill.exe
Token: SeDebugPrivilege | 3380 | firefox.exe
Token: SeDebugPrivilege | 3380 | firefox.exe
Token: SeDebugPrivilege | 4928 | 332ae8b687.exe

Suspicious use of FindShellTrayWindow 34 IoCs
pid | process | entries
228 | 1V40B6.exe | 1
776 | f04fb79d25.exe | 12
3380 | firefox.exe | 21

Suspicious use of SendNotifyMessage 32 IoCs
pid | process | entries
776 | f04fb79d25.exe | 12
3380 | firefox.exe | 20

Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
3380 | firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
pid | process | wrote to memory of pid | procid_target | entries
1996 | 54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db.exe | 4852 | 85 | 3
4852 | I1h60.exe | 752 | 86 | 3
752 | M0K23.exe | 228 | 87 | 3
228 | 1V40B6.exe | 3932 | 88 | 3
752 | M0K23.exe | 940 | 89 | 3
4852 | I1h60.exe | 4932 | 93 | 3
1996 | 54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db.exe | 3036 | 97 | 3
3932 | skotes.exe | 2196 | 102 | 3
3932 | skotes.exe | 3888 | 106 | 3
3932 | skotes.exe | 4584 | 108 | 3
3888 | 3EUEYgl.exe | 4868 | 110 | 3
4868 | cmd.exe | 1828 | 112 | 3
3932 | skotes.exe | 3348 | 113 | 3
3932 | skotes.exe | 776 | 116 | 3
776 | f04fb79d25.exe | 1004 | 118 | 3
776 | f04fb79d25.exe | 1844 | 120 | 3
776 | f04fb79d25.exe | 4380 | 122 | 3
776 | f04fb79d25.exe | 3172 | 124 | 3
776 | f04fb79d25.exe | 4664 | 126 | 3
776 | f04fb79d25.exe | 3768 | 128 | 2
3768 | firefox.exe | 3380 | 129 | 5

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
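One sequence in the process tree below deserves its own detection logic: f04fb79d25.exe (PID 776) runs taskkill /F /IM against firefox.exe, chrome.exe, msedge.exe, opera.exe and brave.exe in turn, then starts Firefox with --kiosk (full screen, no browser UI) on a youtube.com URL whose query string carries a second URL pointing at accounts.google.com/v3/signin. Killing every browser and relaunching one on a sign-in page is the pattern to alert on, independent of the specific lure. The following is an added example, not part of the sandbox report: a detector over process-creation events that flags a parent which kills two or more distinct browsers and then launches a browser in kiosk mode, and that surfaces any host embedded in the lure URL's query string. The event records are built from the tree's command lines; the (pid, ppid, image, cmdline) layout, the browser list, the threshold and the benign control event are this example's own assumptions.

```python
"""Detect the "kill every browser, then relaunch one in kiosk mode on a lure page"
sequence that f04fb79d25.exe performs in the process tree below.

Added example, not part of the sandbox report. The event records are built from
the tree's command lines; the (pid, ppid, image, cmdline) layout, the browser list
and the thresholds are this example's own assumptions.
"""
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

Event = namedtuple('Event', 'pid ppid image cmdline')

BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe', 'opera.exe', 'brave.exe'}
TASKKILL_IMAGE = re.compile(r'/IM\s+"?([^\s"]+)', re.I)
URL_IN_CMD = re.compile(r'https?://[^\s"]+', re.I)
HOST_IN_QUERY = re.compile(r'https?://([^/?&#\s"]+)', re.I)


def basename(image):
    return image.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def killed_browser(ev):
    """Browser image name that a taskkill child targets, else None."""
    if basename(ev.image) != 'taskkill.exe':
        return None
    m = TASKKILL_IMAGE.search(ev.cmdline)
    target = m.group(1).lower() if m else None
    return target if target in BROWSERS else None


def kiosk_launch(ev):
    """URL opened when a browser is started with --kiosk (full screen, no address bar), else None."""
    if basename(ev.image) not in BROWSERS or '--kiosk' not in ev.cmdline.lower():
        return None
    m =URL_IN_CMD.search(ev.cmdline)
    return m.group(0) if m else None


def embedded_hosts(url):
    """Hostnames carried inside the query string that differ from the displayed host.

    The lure here puts accounts.google.com/v3/signin inside the query of a youtube.com
    URL; surfacing that second host tells the analyst what sign-in flow the page leads to.
    """
    parts = urlsplit(url)
    shown = (parts.hostname or '').lower()
    return {h.lower() for h in HOST_IN_QUERY.findall(parts.query) if h.lower() != shown}


def detect_kiosk_lure(events, min_kills=2):
    """One finding per parent that kills >= min_kills distinct browsers and then launches one in kiosk mode."""
    children = defaultdict(list)
    for ev in events:  # events are assumed to be in creation order
        children[ev.ppid].append(ev)
    findings = []
    for ppid, evs in children.items():
        kills, launch = [], None
        for ev in evs:
            target = killed_browser(ev)
            if target:
                kills.append(target)
            elif launch is None and kills:  # the launch only counts once kills have happened
                launch = kiosk_launch(ev)
        if launch and len(set(kills)) >= min_kills:
            findings.append({
                'parent_pid': ppid,
                'killed': sorted(set(kills)),
                'lure_url': launch,
                'displayed_host': (urlsplit(launch).hostname or '').lower(),
                'embedded_hosts': sorted(embedded_hosts(launch)),
            })
    return findings


FIREFOX = r'C:\Program Files\Mozilla Firefox\firefox.exe'
SAMPLE_EVENTS = [  # reconstructed from the process tree; pids 5000/4000 are a constructed benign control
    Event(776, 3932, r'C:\Users\Admin\AppData\Local\Temp\1013774001\f04fb79d25.exe',
          r'"C:\Users\Admin\AppData\Local\Temp\1013774001\f04fb79d25.exe"'),
    Event(1004, 776, r'C:\Windows\SysWOW64\taskkill.exe', 'taskkill /F /IM firefox.exe /T'),
    Event(1844, 776, r'C:\Windows\SysWOW64\taskkill.exe', 'taskkill /F /IM chrome.exe /T'),
    Event(4380, 776, r'C:\Windows\SysWOW64\taskkill.exe', 'taskkill /F /IM msedge.exe /T'),
    Event(3172, 776, r'C:\Windows\SysWOW64\taskkill.exe', 'taskkill /F /IM opera.exe /T'),
    Event(4664, 776, r'C:\Windows\SysWOW64\taskkill.exe', 'taskkill /F /IM brave.exe /T'),
    Event(3768, 776, FIREFOX,
          f'"{FIREFOX}" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
          '--no-default-browser-check --disable-popup-blocking'),
    Event(5000, 4000, FIREFOX, f'"{FIREFOX}" https://www.example.com/'),
]

if __name__ == '__main__':
    for finding in detect_kiosk_lure(SAMPLE_EVENTS):
        print(finding)
```

The order check (kills first, then the kiosk launch) is what separates this from a user closing a browser and reopening it; a kiosk launch with no preceding kills under the same parent produces nothing, as the benign control event shows.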
Processes
-
C:\Users\Admin\AppData\Local\Temp\54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db.exe"C:\Users\Admin\AppData\Local\Temp\54f0623647c76b20c798446f1775f425c4fa1e49b912bc630a99aaf5cad759db.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I1h60.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I1h60.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M0K23.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M0K23.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1V40B6.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1V40B6.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe" & rd /s /q "C:\ProgramData\UKFK6PZ58YM7" & exit7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\timeout.exetimeout /t 108⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1828
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013772001\46ccb0074e.exe"C:\Users\Admin\AppData\Local\Temp\1013772001\46ccb0074e.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4584
-
-
C:\Users\Admin\AppData\Local\Temp\1013773001\61b7d3a0f4.exe"C:\Users\Admin\AppData\Local\Temp\1013773001\61b7d3a0f4.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3348
-
-
C:\Users\Admin\AppData\Local\Temp\1013774001\f04fb79d25.exe"C:\Users\Admin\AppData\Local\Temp\1013774001\f04fb79d25.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4380
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3380 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28272204-cdce-4e89-ae4b-79c408e2a5df} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" gpu9⤵PID:4536
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2492 -parentBuildID 20240401114208 -prefsHandle 2484 -prefMapHandle 2472 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61837012-ec5f-496b-ba1d-2315f020f3a0} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" socket9⤵PID:1108
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3188 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3024 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bff9ce88-6abf-497d-b7ed-4932a8787235} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" tab9⤵PID:4568
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3772 -childID 2 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eacb22b-3a5c-4166-8962-facfdf5a4a5d} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" tab
PID:4404 (tree depth 9)

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4360 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4324 -prefMapHandle 4332 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a457de-9f47-424a-9c2a-735eed717523} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" utility
- Checks processor information in registry
PID:5404 (tree depth 9)

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {095cc9df-38b5-4e9e-bd10-ccb270db00f0} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" tab
PID:464 (tree depth 9)

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d61c53f-1136-4b0a-b50a-836f2d959183} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" tab
PID:1004 (tree depth 9)

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5320 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44413785-8644-46d7-ab2f-4f74098f9149} 3380 "\\.\pipe\gecko-crash-server-pipe.3380" tab
PID:684 (tree depth 9)
C:\Users\Admin\AppData\Local\Temp\1013775001\332ae8b687.exe
"C:\Users\Admin\AppData\Local\Temp\1013775001\332ae8b687.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928 (tree depth 6)

C:\Users\Admin\AppData\Local\Temp\1013776001\6c2ab27e2f.exe
"C:\Users\Admin\AppData\Local\Temp\1013776001\6c2ab27e2f.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5280 (tree depth 6)

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 780
- Program crash
PID:5724 (tree depth 7)
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2h1692.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2h1692.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:940 (tree depth 4)

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3G21i.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3G21i.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4932 (tree depth 3)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4v169N.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4v169N.exe
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 (tree depth 2)

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4476 (tree depth 1)

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5212 (tree depth 1)

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5280 -ip 5280
PID:5640 (tree depth 1)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
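The Impair Defenses / Disable or Modify Tools mapping above comes from 4v169N.exe and 332ae8b687.exe writing the Windows Defender real-time protection policy values. The Python below is an added example, not part of the report: it scans registry-write lines in the sandbox's own `Set value (int) <path> = "<data>" <process>` format and reports every process that set one of the `Disable*` values under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection` to 1, treating the `WOW6432Node` redirection used by 32-bit writers as the same key. The sample events are constructed for this example (modelled on the report's lines, with a 64-bit writer, a reset to 0 and an unrelated key added so the filter has something to reject).

```python
import re
from typing import Dict, List, NamedTuple

# HKLM policy key that Defender honours for real-time protection. A 32-bit process on 64-bit
# Windows reaches it through the WOW6432Node redirection path, so both spellings must match.
RTP_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Policy values that switch off a protection layer when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

# One registry-write line in the report's format: Set value (<type>) <path> = "<data>" <process>
SET_VALUE_RE = re.compile(r'^Set value \((?:int|str)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')


class Tamper(NamedTuple):
    process: str
    value_name: str


def normalize_key(path: str) -> str:
    """Drop the \\REGISTRY\\MACHINE prefix and the WOW6432Node redirection so HKLM keys compare equal."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(prefix):
        path = path[len(prefix):]
    return path.replace("\\WOW6432Node\\", "\\")


def find_defender_tampering(events: List[str]) -> List[Tamper]:
    """Return every write that sets one of the Defender real-time-protection Disable* values to 1."""
    hits: List[Tamper] = []
    for line in events:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # key creations and other event kinds carry no data value
        key, _, value_name = normalize_key(m["path"]).rpartition("\\")
        if key.lower() == RTP_KEY.lower() and value_name in RTP_DISABLE_VALUES and m["data"] == "1":
            hits.append(Tamper(m["proc"], value_name))
    return hits


def tampering_by_process(hits: List[Tamper]) -> Dict[str, List[str]]:
    """Group the disabled settings by the process that wrote them (sorted, for stable output)."""
    grouped: Dict[str, List[str]] = {}
    for h in hits:
        grouped.setdefault(h.process, []).append(h.value_name)
    return {proc: sorted(values) for proc, values in sorted(grouped.items())}


# Constructed sample events, modelled on the report's registry lines for 4v169N.exe and 332ae8b687.exe.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 4v169N.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 4v169N.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 332ae8b687.exe',
    # 64-bit writer: same key without the WOW6432Node component
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 332ae8b687.exe',
    # re-enabling (0) is not tampering
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    # unrelated HKLM value that must not alert
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect = "1" svchost.exe',
]

if __name__ == "__main__":
    for proc, values in tampering_by_process(find_defender_tampering(SAMPLE_EVENTS)).items():
        print(f"{proc} disabled: {', '.join(values)}")
```

A value of 1 under this policy key overrides whatever the Defender UI shows, which is why the malware writes policy rather than the user-facing setting; on a host being triaged, the same key is the first place to look after a report like this one.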
Downloads

(no path recorded)
Filesize 1B
MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json
Filesize 19KB
MD5 bae4a563111098a35ed03081f7835182
SHA1 acfe7d89b48d4dfee38b42b69da099b8627d525c
SHA256 5ec2503a61ad445f4a07e0e82db2b04c0cea94ab6c5ede901dbaefc29db85d4f
SHA512 4980b28a0bb69e0de7d08883b511e8cd67e0f90571660efa3937f310ef2374e5367bc14e260f3d3d8ca0a1a443c282632d208ebbaaaa40957179e195618f26f7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize 13KB
MD5 34e8a7a8e893f61693ffa6626520614a
SHA1 28dfcf57a567f8929cef1a2c92235d7620d89770
SHA256 f20b3232cb8845aade929cc4a06c074d3ca0178884ef5b0569a3b7911e10311b
SHA512 9562c68f7201cbabdea9c9a4c0f9db3c65f40e6421070e766644a0a8f4da2e982c6b847bac77cb6e0e714b956cdb9190f0464d6c77414e0a122ce1614a218b7f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize 15KB
MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
(no path recorded)
Filesize 7.4MB
MD5 d71d031f039f8fb153488c26fb7d410f
SHA1 5b15fd6f94bdbb35ecd02bf9aa51912d698ebf45
SHA256 36541a0e062085fed175a4a5eae45aa9e3563fff4a816a1bffa1b2c6f8280e5b
SHA512 d97c801c73f14ae20b11529d0b0f58afc3981d92bd00f88dda59881f24d89d3b325a8c61b88adc77753cebb1c320afc64af7522c61c34b2a4916b13bddc278cf

(no path recorded)
Filesize 1.8MB
MD5 3b8b3018e3283830627249d26305419d
SHA1 40fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA512 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0

(no path recorded)
Filesize 1.8MB
MD5 f311c4e019a62fb6a0151f10f30cc2bf
SHA1 33741cc7dbb6c8ab5661b01be59abc95bc2fe93b
SHA256 7fe212bf16319044794c1dfae79a8c3c6d6f0f9752eb8682472b54c6b15c9381
SHA512 9fef6e8e3c1dd403c906caa6d2afe7d401790260c5bea21992211406c28e43831529ed99ba03d5b2b149cc3e4c196c5bbbe0a822d4ed20bc28d6610c4ac85db7

(no path recorded)
Filesize 1.7MB
MD5 b1389ec87bad100fad616612b0f8850c
SHA1 2893314486cb66c4454a83f21be67c536dcf0822
SHA256 31b4f87080ce3e4bb1425ac640fdf884e0c54f27992177d9006174c9a662673b
SHA512 cc16a98f23a91a30cf8042000c5db986c24c20b6cb72faebe94728815f73fa6c12a6a5f0625773a0f2aa46b08736fb4b4ef083192dc94e49fefcbcab3cc9e040

(no path recorded)
Filesize 946KB
MD5 6a8c39af3a76c1d0a21384cb2af3ea88
SHA1 ce3c9fc0ba78b6bf25178dcd55aac1cfd4f9561d
SHA256 32a9e0d7c38c38f02796e3280d0099f920aeb62b69122746d28a35226000de8c
SHA512 8fa5daaf36fbbea12cbfaf68d3c4bb85e729b5afd52408bb0460236cb0048fe2bdfcfe8aed3a0a4fa3253142227f7a32a72b88409e118f6fced7639c675c49f8

(no path recorded)
Filesize 2.7MB
MD5 208380dfdc7f14f216dcff3bfc6b89b1
SHA1 34b2e815fa63715775ac1164a157c49224f75196
SHA256 cc525c548d50066182f348f4aa679522d171e2cad1e5a941e854c7e5045034fc
SHA512 1616cdbc43826ab069b9894d8c17e7d345c8fbb50c861c4d67d2f4dd96645d48cb1923f5feda1c37a1ad787f7e267ad064b24e0d82095a09f36d745d6aaff996

(no path recorded)
Filesize 1.9MB
MD5 9ab589c46a5b8ecd08d59093e5748144
SHA1 75be11f83b2857167e2f4a48f67fdd95ca9ab4ae
SHA256 16ed4315e25a900e8bd2ab5a55932fea00923040bb95133ce263e952131f3286
SHA512 b6f594a2d278fe3d4fbf232952053aae327753abbcca5508c17ba7900a0e088ca11815333b507ed83b1010747b4654a5786f47e57e444983b5ac75c308c59af4

(no path recorded)
Filesize 2.7MB
MD5 3704912525af38055b4393518d7e6f64
SHA1 2570604c929f08f60eaaeafc74ce66ec11f43fdf
SHA256 4d80a0d296baa65bc2b05b9f6c016666cddd537cd67aa83b796c5698c9f22542
SHA512 f2e23b18dc475727786fe13116e9200c5192c22cfe77bd98621b02ebd98f6026e5b20684af9360c86dceaee9bc6b9d797cc1492e8b570ef2ee861cd1304f4851

(no path recorded)
Filesize 5.2MB
MD5 579f69d831a36ce843c745a31f7394b8
SHA1 540e585fc93a4851d8c062b3eac10552e6cd9ff3
SHA256 fa75b9b69bc3e74d782e59232b7b2592832dd421e1dbcff22e54e5464aeb1ae8
SHA512 30f26919bfce03f66984eb33452cf3c39d20f460d6c0a8f581a7a09dad6d53784f9b3014ae6182b04174bbabc833b0c9edd8976b0727f81ac2266e15eef0b9cd

(no path recorded)
Filesize 5.0MB
MD5 a6e87b590446d6ebdf761a4f26f445bd
SHA1 6edcd5180d5577215b56587d6d6d7e36b4aa573d
SHA256 bb9d7168bae1d0041794a500f9563cd573df355754fefba2f4c8521cbb207fa9
SHA512 a1139753d8b3976b674b780cd914d9dc8935b9c373263a3f79552d837bb4cfb0b2266fc2cac8ed10dcd9ba05ab708cda673058a6d33a4741b28c44521aaf959d

(no path recorded)
Filesize 3.5MB
MD5 fb3726f0ed9fcd3f41170eb3a1fd3004
SHA1 247436479204f6065424fbf503c7e309df1aec1d
SHA256 d6ce95f46bfa4450d9fb8dd0d05cd39a7ce3f6b5b8dc9fb801ea0cd8b009f613
SHA512 05e46c8fceb3a0ae92ff01f906f6e85e1cd8228d05951a121382aa00033f48bf4bed632aa5ee7f5e2a9141bae64f076266a38a336c2a8825b38b3543638e6cfd

(no path recorded)
Filesize 3.1MB
MD5 90e5287ff4d2eb5f660f9a7b8d6542a5
SHA1 d3e6afccd3a6d556bc8a59c17a6cbcd16623eee9
SHA256 2c7c8d29916730603913b0872041192d295801c4a25592daea5ca8e8b6907702
SHA512 15c78c9f91a99a853181636afc6c7c103d03bc8cd2476ba1d6dea9a6363b0cadd7c0af311148b1b9b0b3b6b938a760ed32369d887db1f2d6879eaaeff3ea4f08

(no path recorded)
Filesize 1.7MB
MD5 35283249dc6188e155499b23c73d61c2
SHA1 ba58d2e8c57434b2544140ba1281538751580bdc
SHA256 4679cee85e1ce14ceeb9a511c23d5f5d27d555a8c90c58aced77b8e8374522cf
SHA512 06e0fc80a0e4c01e292c272307d4f2eb44ae837f1ee91d862922064fab6a2995b51255cc83894293019f284a8681a1d8984ef62787121d16f463d4c934ce7e79

(no path recorded)
Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(no path recorded)
Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize 6KB
MD5 63aa51c15d80e8b23177e7d701314f7b
SHA1 bcc8dd01d5939013716e9461511535124438fee7
SHA256 33c7bf08a41f50a8a5e696e5aec60884eeec9a65014fe359bc1ff6d831abe399
SHA512 dfe5a3bf32463fb99766c74a0003dd38913cf46634c76ff8bea49603e28b21f3d4cd474e81ff3017ef7021e2be02b8e5944ad29ed9fc6d782c617c31ccd922a3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize 8KB
MD5 adfb247b52184694e726d83362a801a3
SHA1 7e165b572970496536a7010b718a3ce136a6468f
SHA256 59c5c7b3528c9d6ecdb1105c3840df679a8cca4ecd96877789ee11880297e6f8
SHA512 f79a7d6c358e62021146bfa93f1dc92d1628a9b10fb7a591c0c0c2d854d1d0b0788837d5ea0ac174909035bae24b0673f4b412c5e2d8d6a6c10f3445e94dd125

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize 10KB
MD5 2842138627c67b870f807e0ddebdbe93
SHA1 0efcdd0ca216a1aee5bfdc26996423e10abb11e9
SHA256 2b4779dea2f5d07366fe2b949ca6335dea43fb736d8e0878fcd4607c868523a8
SHA512 eae813a6b52b88b17b8dd7744ecb116e04a3eb41ac5d9803049269f297761f5f05611ea8abfd1415417f6acd1817f3570e02d534cb8de2725c6da652212fbe3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize 23KB
MD5 bebc0d753b5783a3ff9de0d634cca399
SHA1 42f4bb3f205cade89fec78a8fe8e32e99f0c5e96
SHA256 fc2b05ca22a5d6c1aebf27d2f617a27455e925a6f2c104fbe7f6fda3abb8a5e4
SHA512 9b8b25d1fd3a95a870ab2b4d1f8fec8e577c1058be08e62df34e35432a749b38363492f965cbeaf05f2497b4e988883bdfd904565fbb5f3e724f59e42193ffe6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize 5KB
MD5 a76f1d3fcef6ee7c6f2f25488a3e74ad
SHA1 e67e4bcdbf8f4bd10a8955e516ce2af21945cbab
SHA256 6e0a433ffeaeddf5bde4ab7f60c9f08638d7fb739e8ff527a6e8f7c0314c0565
SHA512 3eaf1801847eeaf1fc34a1e34c4887a2527a9866d8cc3083e6404a499a243f412b215a633cbff9d3f075a85d9c333a58c14899f8d1ff669f7db40f4f7261fc14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize 15KB
MD5 a6f0fe9ee50c54e44b2f3640174b63d2
SHA1 5efe3e9800f584dcd38a61831b0d6bfaf0a0c0e3
SHA256 1f8784e79b448dc037a2c51bdb0c1cca581cda2592282b65df2478a73db571db
SHA512 93656a353ef51ea7de587c2abbfe6ffc740e778eed1c66cbec99b0cb4ec6925d111851fe321504127576682e5cbc54bef300815a82de1c818e937e9aa6a42ddd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize 15KB
MD5 94e846e638f205df43d3afe716823227
SHA1 b5aab111f3ad649e5ca71497d991f7a31a80fb15
SHA256 f868fdce0461c87e8f7085bea3649b4ceb3184f6d52326bf44da5a451a213051
SHA512 0b1985f5b7381071b2fb3254e4bc75e14c392cbb3ede954d4c8090f004b608e9f2043b9f74ed2ea7b7fe6471df900f4107e472c2729535698e882d9880cc7d9a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 a3ecab0b447e1c31d775b9e9e611e312
SHA1 93392d53fa74b1b1de05ee1893a54300225d5a2d
SHA256 28db8a4797d95cf46af2cdd03c62849c0d9b3581d3259d1fc2e90307908984dd
SHA512 dbc9fc613d934fd8709472c017105b6c05c4acacb796801751f0934ed74ebee7475a64fa0bc53c30e6575eb11be1efd9d163ad8ae639b5666b98a8078c72516a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize 15KB
MD5 8735e17b55f53c026fb5db361eaf701b
SHA1 318b176b196c994bf4f30aed9cea7fca44dec724
SHA256 f1c23cd1e895abd994ed9d64766200480030bdc4f6158736a600463edefe27f8
SHA512 9b4e5ab92c72008aad6e61f1ecf825484ea137a15d2379a6803dec5277f4080b1495ff3c01a515ac5af5da3419400a4a8cdb0dc42ee30a1d3424bb23ddfc46d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize 15KB
MD5 88bbc67b6137535771b2b908086e1a5a
SHA1 037c958c9860911f695f9dc5f8368e685147e4ad
SHA256 ce77fd120d1f397d98a894b5d17200eaa53cfabaa31953870d9004b83b9fc839
SHA512 610c1f19d3d40914f1120dc4b55d5c32d6f624fe03eddf2e4d9b06614eaa69070a87272bc73bb15c3b34595262290a0460f8fb504990825b131f806cd03cbd09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 0d6473d893d5ec73b95920b928f39d83
SHA1 8f8f7250787e7cb599df62763e688f975eb506f0
SHA256 0956dc6abe6f36a1251a372d23f91a6b0398c20ff45319eb2fa70e23dc80795d
SHA512 f19dad4a5a6ab74587edd739a8c6365c7f7188b7c16790548ea354f6fbe8dd6142778ed9e1881e83c93f1832cefb7a2cf33aa8ccfd7cd504b5e0cad7a452a8e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 aef51d734423007145d8d57272f3aff9
SHA1 cf8a8ea9dd8c43eff63797bf07051236dfc70bfe
SHA256 0df64e8ab0b1414f8aa9745c058493e1718d4d55b14fec3dd4c71b15a9c2c960
SHA512 f0b1d4940fd90d564060cda66690ce72601a6ca5b365ec090786173ae377f33dea4206eb785e1930d4ce4d5968053dcfc1bebe88cb3cded2de60a9009fd8bc36

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\0f97780a-2735-41b6-b736-4b79000df850
Filesize 671B
MD5 7fb26ddcab37fcd5a319b4eb07f59f49
SHA1 d6845e16ba565fe906d0e3d7544e278af406731f
SHA256 48deca7da776bfb280d090f689fbc2fa57c5c28193c7cca90c1f44b68165c37e
SHA512 1550dd16c9b009fcd81c6785786459db2f9374fcf5e1b17791c25e41e0a5d9e576b9168d050e375480a59a297b8dc8a076720f62b918c7ccdb7ab1a1784d1278

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\12b0c5e7-9d2a-4cde-9763-43de0bffabb8
Filesize 982B
MD5 dcee66e5da2f970e2e9817ec86fc25e6
SHA1 d6f1701bc75a6aa4eb430c5d5bf72345ea4bd002
SHA256 68adef542d5237e3efaa507923b87a3e38d61c9ce1e6a14fd71ec8fdac9cfa16
SHA512 3a00da2e9b5f5b8d7d6563f14028359e984ae104dedb5a08562272736390caf4afb8eac8a7fd96012eb70074a0090e928adf6de466443a36301d7bec7f5ecafe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\71a3247a-0331-4291-a8ad-ecd167dcedf2
Filesize 26KB
MD5 c82e3259e3ffe47c042d927f0ecc209c
SHA1 80e8b54f5b5e4402e571187dcc8f6bda817cac8c
SHA256 8a8a23c731f24db413f48966ea1f0f8678bf078ddc52efad69d5ec39a292cc33
SHA512 83e4b29f7b471453350303f233900fc76bb33bb61b4e46966446cb67d490258b906a0c8649562c9a8b033b031652128190517e604c7a64a5d7f3ccc0911b20ab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
(no path recorded)
Filesize 12KB
MD5 fbc31cf0ac7de793ff78930d525b6a6c
SHA1 304f2ce782be0aa06981133ce8451735d8fa6495
SHA256 25ae6b660e36551debe693cb49408101cc59b2b36889927b6ed58d804261d4cd
SHA512 2906bd580e0556e01ffc7f4e7df835f21ca3f387f468e1a7b91a438035211213decf9d212e8c70df985d30afb5edb9711d0548928693af3f19f0b7881394c84a

(no path recorded)
Filesize 15KB
MD5 0838844cd2b886c6f5d86fe6512db3bb
SHA1 79dad1b6c87c56b1043745223ef591977b3bc1ea
SHA256 1776fc51da64e86d54b2072413226ebd2621cec4f4a4ed48808b19ad6e826b48
SHA512 e69547e324180ec21b0e10e942c276987c8e773118871fa557f6cd55519e6dd6325c1591a6445ab14e837375edba9a448864752e226cb1842e1b57771f96f328

(no path recorded)
Filesize 10KB
MD5 5db6cd584cb47bc59834a5345b74b499
SHA1 135cd2a3a70f4cb22f965a907657ccdd185c316c
SHA256 a6f74ab93ff258b2874f86bc7b8112c6596f00b07790b5877e00dd8c7b6d7229
SHA512 424a86db478e39c4bbf8ecfbe9300f6a2e17e6c2d1aa3be41742fe52d6d7912da68e664b952e0eef55d90a5087b2ebc2fa280d3e53312a2b1bb92c9f929e0214

(no path recorded)
Filesize 10KB
MD5 29c2c66067a76b512a04b4469393d1ee
SHA1 d4d3a7c2db83ba5fc75e1f68ab4dd50f51adcb69
SHA256 d937e06e62e484c3cd81f81f3027e68f42b262474a95bf6aa4a1e36da7561930
SHA512 fde646556a42f734a5cb0fbebbe6f1890931abbb819812c8182388d33bfff3df6bd554ea5e6f295119eacefbb32c5c5263ee776dafa3e3bf4bf556456fed38e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 2.0MB
MD5 724b4f2d1b1222981521c523a4b77b75
SHA1 ade7a7fc026f5bfef4999b4f6cc75f12ac5db282
SHA256 4d98a0a91c675177087e25f3c09743bcdda59e2172ad06f0efdf54c0ba6b626e
SHA512 a8d63f48fdd33f1edc3fd59f7915eb6c5ebcaed51460aca97dcf0b37ff8f978a1a812ed45fdde877468e01c766593125140bf4080e98a37c36c7c81c2ada4ac9
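The first entry in the Downloads list is a single byte with MD5 cfcd208495d565ef66e7dff9f98764da, which is the digest of the ASCII character "0"; tiny server replies like this are status strings, not payloads, and it is worth confirming that before anyone files the hash as an indicator. The Python below is an added example, not part of the report: given an entry's size and digests it checks the hashes against a small, constructed table of trivial bodies, requiring every supplied digest to agree so that a single colliding algorithm cannot produce a match. The entry data is copied from the list above; the candidate table is an assumption for the example.

```python
import hashlib
from typing import Dict, Optional

# Candidate bodies that sandboxes commonly record as tiny "downloads": empty replies and
# one-token status replies. Constructed list for this example; extend it for your own cases.
TRIVIAL_BODIES = [b"", b"0", b"1", b"OK", b"ok", b"\n", b"0\n", b"1\n"]

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256/SHA-512 of `data`, keyed by lowercase algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def identify_trivial_body(size: int, reported: Dict[str, str]) -> Optional[bytes]:
    """Return the candidate body with the reported size whose digests match every reported hash.

    All supplied digests must agree; a match on MD5 alone is not accepted when stronger
    hashes are available and disagree."""
    wanted = {algo.lower(): value.lower() for algo, value in reported.items() if value}
    if not wanted or not wanted.keys() <= set(ALGORITHMS):
        return None
    for body in TRIVIAL_BODIES:
        if len(body) != size:
            continue
        actual = digests(body)
        if all(actual[algo] == value for algo, value in wanted.items()):
            return body
    return None


# The first Downloads entry above, copied from the report (1 byte, no path recorded).
ONE_BYTE_DOWNLOAD = {
    "md5": "cfcd208495d565ef66e7dff9f98764da",
    "sha1": "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "sha256": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9",
    "sha512": "31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99",
}

if __name__ == "__main__":
    body = identify_trivial_body(1, ONE_BYTE_DOWNLOAD)
    print("1-byte download is", repr(body) if body is not None else "not a known trivial body")
```

The same check, run over every entry before the hashes go into a blocklist, keeps digests of "0", "1", empty files and similar constants out of detection content, where they would match unrelated traffic on every host.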