Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-12-2024 19:10
Static task: static1
General
Target: 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
Size: 3.1MB
MD5: 22bf111e0ffbce40da98521c8ac390ac
SHA1: 86c47f8fc939e81d7ceba37f1824e22ce4ef1f43
SHA256: 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2
SHA512: a9d529513d988c20380432d0ce1f10b6286a949442f6964ba455d14f51d308810b495d6e04ec375c9a990230f04a1444e7a9647c205a38275aae08b34408d30e
SSDEEP: 98304:pLPTyc5Jt2SKP64GsNe+WPvvFmuY6/JsYk:xTyc7me+W3v9Y6
Malware Config

Extracted: amadey
  4.42
  9c9aa5
  http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php

Extracted: lumma
  https://impend-differ.biz/api
  https://print-vexer.biz/api
  https://dare-curbys.biz/api
  https://covery-mover.biz/api
  https://formy-spill.biz/api
  https://dwell-exclaim.biz/api
  https://zinc-sneark.biz/api
  https://se-blurry.biz/api
  https://atten-supporse.biz/api

Extracted: stealc
  stok
  http://185.215.113.206
  url_path: /c4becf79229cb002.php

Extracted: lumma
  https://covery-mover.biz/api
  https://atten-supporse.biz/api
Signatures

Amadey family

Gcleaner family

Lumma family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 709c792d5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 709c792d5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 709c792d5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 709c792d5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 709c792d5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 709c792d5b.exe

Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 9 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a65b36928b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e21b998112.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 709c792d5b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1a5c3c456e.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 18 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e21b998112.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 709c792d5b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a65b36928b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1a5c3c456e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e21b998112.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 709c792d5b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a65b36928b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1a5c3c456e.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 3EUEYgl.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | skotes.exe

Executes dropped EXE (10 IoCs)
pid | Process
3984 | skotes.exe
3236 | 3EUEYgl.exe
1340 | 70fb9edd5e.exe
2052 | skotes.exe
2512 | a65b36928b.exe
3008 | 1a5c3c456e.exe
5092 | e21b998112.exe
3396 | f5cdedc3d1.exe
1812 | skotes.exe
3692 | 709c792d5b.exe

Identifies Wine through registry keys (2 TTPs, 9 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | a65b36928b.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 3EUEYgl.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 1a5c3c456e.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | e21b998112.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine | 709c792d5b.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 709c792d5b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 709c792d5b.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1a5c3c456e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013789001\\1a5c3c456e.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e21b998112.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013790001\\e21b998112.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5cdedc3d1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013791001\\f5cdedc3d1.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\709c792d5b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013792001\\709c792d5b.exe" | skotes.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000800000001d9ec-185.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
pid | Process
2312 | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
3984 | skotes.exe
3236 | 3EUEYgl.exe
2052 | skotes.exe
2512 | a65b36928b.exe
3008 | 1a5c3c456e.exe
5092 | e21b998112.exe
1812 | skotes.exe
3692 | 709c792d5b.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3092 | 2512 | WerFault.exe | 98
System Location Discovery: System Language Discovery (1 TTP, 18 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e21b998112.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f5cdedc3d1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70fb9edd5e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | f5cdedc3d1.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | f5cdedc3d1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a65b36928b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1a5c3c456e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 709c792d5b.exe
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
3476 | timeout.exe

Kills process with taskkill (5 IoCs)
pid | Process
4640 | taskkill.exe
4876 | taskkill.exe
776 | taskkill.exe
2200 | taskkill.exe
628 | taskkill.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (27 IoCs; identical rows collapsed, count in last column)
pid | Process | count
2312 | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe | 2
3984 | skotes.exe | 2
3236 | 3EUEYgl.exe | 4
2052 | skotes.exe | 2
2512 | a65b36928b.exe | 2
3008 | 1a5c3c456e.exe | 2
5092 | e21b998112.exe | 2
3396 | f5cdedc3d1.exe | 4
1812 | skotes.exe | 2
3692 | 709c792d5b.exe | 5

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4640 | taskkill.exe
Token: SeDebugPrivilege | 4876 | taskkill.exe
Token: SeDebugPrivilege | 776 | taskkill.exe
Token: SeDebugPrivilege | 2200 | taskkill.exe
Token: SeDebugPrivilege | 628 | taskkill.exe
Token: SeDebugPrivilege | 1392 | firefox.exe
Token: SeDebugPrivilege | 1392 | firefox.exe
Token: SeDebugPrivilege | 3692 | 709c792d5b.exe

Suspicious use of FindShellTrayWindow (33 IoCs; identical rows collapsed, count in last column)
pid | Process | count
2312 | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe | 1
3396 | f5cdedc3d1.exe | 11
1392 | firefox.exe | 21

Suspicious use of SendNotifyMessage (31 IoCs; identical rows collapsed, count in last column)
pid | Process | count
3396 | f5cdedc3d1.exe | 11
1392 | firefox.exe | 20

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1392 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
description | pid | Process | procid_target | count
PID 2312 wrote to memory of 3984 | 2312 | 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe | 81 | 3
PID 3984 wrote to memory of 3236 | 3984 | skotes.exe | 83 | 3
PID 3236 wrote to memory of 64 | 3236 | 3EUEYgl.exe | 91 | 3
PID 64 wrote to memory of 3476 | 64 | cmd.exe | 93 | 3
PID 3984 wrote to memory of 1340 | 3984 | skotes.exe | 95 | 3
PID 3984 wrote to memory of 2512 | 3984 | skotes.exe | 98 | 3
PID 3984 wrote to memory of 3008 | 3984 | skotes.exe | 99 | 3
PID 3984 wrote to memory of 5092 | 3984 | skotes.exe | 104 | 3
PID 3984 wrote to memory of 3396 | 3984 | skotes.exe | 105 | 3
PID 3396 wrote to memory of 4640 | 3396 | f5cdedc3d1.exe | 106 | 3
PID 3396 wrote to memory of 4876 | 3396 | f5cdedc3d1.exe | 108 | 3
PID 3396 wrote to memory of 776 | 3396 | f5cdedc3d1.exe | 110 | 3
PID 3396 wrote to memory of 2200 | 3396 | f5cdedc3d1.exe | 112 | 3
PID 3396 wrote to memory of 628 | 3396 | f5cdedc3d1.exe | 114 | 3
PID 3396 wrote to memory of 1068 | 3396 | f5cdedc3d1.exe | 116 | 2
PID 1068 wrote to memory of 1392 | 1068 | firefox.exe | 117 | 11
PID 1392 wrote to memory of 2640 | 1392 | firefox.exe | 118 | 9

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation and the bracketed number give each process's depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe"
    PID: 2312
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      PID: 3984
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"
        PID: 3236
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe" & rd /s /q "C:\ProgramData\2D2DBIWLXBIE" & exit
          PID: 64
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout /t 10
            PID: 3476
            - System Location Discovery: System Language Discovery
            - Delays execution with timeout.exe

    [3] C:\Users\Admin\AppData\Local\Temp\1013783001\70fb9edd5e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1013783001\70fb9edd5e.exe"
        PID: 1340
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [3] C:\Users\Admin\AppData\Local\Temp\1013788001\a65b36928b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1013788001\a65b36928b.exe"
        PID: 2512
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1424
          PID: 3092
          - Program crash

    [3] C:\Users\Admin\AppData\Local\Temp\1013789001\1a5c3c456e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1013789001\1a5c3c456e.exe"
        PID: 3008
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\Temp\1013790001\e21b998112.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1013790001\e21b998112.exe"
        PID: 5092
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Admin\AppData\Local\Temp\1013791001\f5cdedc3d1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1013791001\f5cdedc3d1.exe"
        PID: 3396
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM firefox.exe /T
          PID: 4640
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM chrome.exe /T
          PID: 4876
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM msedge.exe /T
          PID: 776
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM opera.exe /T
          PID: 2200
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /F /IM brave.exe /T
          PID: 628
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          PID: 1068
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            PID: 1392
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {973a2168-9d22-4899-ab3d-87af6adcec64} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" gpu
              PID: 2640

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45a9e746-ae49-473e-865d-e70af65020cd} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" socket
              PID: 4636

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3244 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {444e38d9-3ab6-4253-b0e0-efe5838bc8b2} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
              PID: 1820

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -childID 2 -isForBrowser -prefsHandle 3856 -prefMapHandle 2760 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1de2285-f045-4acf-8715-cb10270bd359} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
              PID: 4172

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4796 -prefMapHandle 4812 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {566b3958-fa13-4d53-a0a8-64418df539fc} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" utility
              PID: 5200
              - Checks processor information in registry

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5284 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e947181a-47bb-4344-80fe-b35ff14a4b6b} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
              PID: 5708

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3863a551-69c6-472b-b95f-f039c20c146a} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
              PID: 5724

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5672 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2eb95e2-258a-4d8c-b3c4-9110893967e5} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
              PID: 5736

    [3] C:\Users\Admin\AppData\Local\Temp\1013792001\709c792d5b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1013792001\709c792d5b.exe"
        PID: 3692
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 2052
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2512 -ip 2512
    PID: 4420

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    PID: 1812
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads

Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize: 13KB
MD5: 244b9cb942125bc1108c7bb2d46ffb40
SHA1: 37cfa7bb248e757501e0759d20a183ac1d9aa81b
SHA256: 2e10ff5fb3cb1fea619d5726cb8a67b99b361df63159df2887fd407c23002133
SHA512: fa74cab437b1d946ed0b1259e2bff94e84e01d19a0198f1b33a97e170b623f6c085b1abb166b1fb16e9c2146e3889445961745af00815396bc4eb92936ce4401

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Filesize: 1.8MB
MD5: 3b8b3018e3283830627249d26305419d
SHA1: 40fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256: 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA512: 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0

Filesize: 2.5MB
MD5: 2a78ce9f3872f5e591d643459cabe476
SHA1: 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256: 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512: 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

Filesize: 1.9MB
MD5: 9ab589c46a5b8ecd08d59093e5748144
SHA1: 75be11f83b2857167e2f4a48f67fdd95ca9ab4ae
SHA256: 16ed4315e25a900e8bd2ab5a55932fea00923040bb95133ce263e952131f3286
SHA512: b6f594a2d278fe3d4fbf232952053aae327753abbcca5508c17ba7900a0e088ca11815333b507ed83b1010747b4654a5786f47e57e444983b5ac75c308c59af4

Filesize: 1.8MB
MD5: 80e0d854dd91586d55b9fa20f3b1b120
SHA1: 6f782acc39892cb21b99a82018aaeb497e78bb8a
SHA256: 95a2832b06a89c1301e8203874a883510f99e809362945c67a3acfdc567759ad
SHA512: e8f4be7f8418d9bfda495d646309c02a58a3ec007906066a129ed9c4dab45339e7801af3084c9afaa4557bee3217cdea51d21dc6c4369418f0b27b3b9ce8ae2b

Filesize: 1.7MB
MD5: 093eddd8a84eb5d27962c656e91682c2
SHA1: 99d406e047b7ba3b65b4ede1750ab2b658cf3b65
SHA256: ab4dbd5c9ff9c061d4e6523100d63fd51069075d1187fe327a89ac4dad472cbd
SHA512: 35c6086dbea9753540f4a9b9f8e99d7d9b312d6662e0eaee9515e706f77df18cc09b934c328114f4617723b7d6b450e87de357fec08649b990c62ca555505ba4

Filesize: 950KB
MD5: 1bc110dbf8f9443ee17a36a3ec9e61d9
SHA1: 76c43e76605589b446d7e1e9062098198fe8a35d
SHA256: ff4cff14832d70e6f6d09b99de046b0865bd4ad140a168f30bdf669a3406a557
SHA512: ea8910b1a946a3a55cea6ee467fc03cb05577cc69890c28e26588fe29ffa4f9c1e30d86a244fd057eb733b17cc3787073cfc1a535b0f8063145928f6e2dffe55

Filesize: 2.6MB
MD5: 22adb344ca82e6925184d9f389a1e32d
SHA1: 0038f6bcd64af1858df60c6c2e22d34d9e54b592
SHA256: f565ace4902023d935933bf9e131816d0f2c4576ca7e1acaacb66727dfad2207
SHA512: b1c99c247a7d1b1acb373fb7a75e1385fd6ea3af49a8e48fcb29dd0a21e1f090aa8f630c03555920f44e03528d2d0753c8df677fcaa4254281ecc01863374b1c
-
Filesize
3.1MB
MD522bf111e0ffbce40da98521c8ac390ac
SHA186c47f8fc939e81d7ceba37f1824e22ce4ef1f43
SHA2560536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2
SHA512a9d529513d988c20380432d0ce1f10b6286a949442f6964ba455d14f51d308810b495d6e04ec375c9a990230f04a1444e7a9647c205a38275aae08b34408d30e
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
Filesize10KB
MD55ae1df4001230c460066cab8aea4e9fc
SHA1b1af6b43615e557367b339baae9f4908332543af
SHA25607ab49c4e55bf32af69099fc4a27eed3723f487f20104d6f61d7bafbffcfc5ca
SHA51237423cf3d32e164861a5d0e4bdddbea1207b881285086ff1bce2e9c002c06e3ff4b0c93e1f50d33ef8f2e3c1470e6932d815f537a4c996ca66d299148e3560aa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD57faf032626ea616a3fabd0f089426ab2
SHA1d519c783c4e14ea16e269db5736446d331529518
SHA2562782cc5f10b25e9e35c1697e826756cbdbca0b98487bb7b1e60d27544bade549
SHA512556cd854b4ab583d18c3f276a91df0d0f371d006551d0ff08b848e8b7f78e399088cae9f153bc66d5256279d0422f59142c7c678e68344bfc55cb7c10ee14f2c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD57ddfd6cd92acbc960d1447f4d6f09aa3
SHA17b0c815772d17a6991bcedf6bd783cf2910cb2ac
SHA25620fd64697d55574dc6d7f87ce5ec3186ad2b22b320d02db1fe3e4158423e024e
SHA5123c1aae0a05f7af73e868f76326e8d97dccf0ef4c7b6c3bcb242284b7405d84171626681ab6cff3fa68303e8b2d5829031c1482e7dbc87932933f5d44fabd2280
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5b6134c45b09c83735016c35e5d3f9ad1
SHA1baa8ac305bbaa3b8b97cc21aa559fb8a5a53fc9b
SHA256a8429d8638b78bf65e1d1537654351b7b4b5045470ff14faf5399c6fd88f128e
SHA5127794e42c2f3841b40a6deb3b29421f4bf7222ecb6b8220a4fb630db0640b6f7e39753c506565566459123b49bc5299afc7e4ff1a78e8b3520dc8e09342843a8f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\01ff6ee7-4e12-4d0c-8b69-82a38d7d1bc6
Filesize982B
MD510afc6a3a294ad5526c7251354a9ed02
SHA13c63507a97961ea6cc4a1c0614138de81df593de
SHA256fee9d4a492ccefa1c5f475abd75416758a0416db06c6d99c8b9f97a2fc9034ee
SHA512656a1a9d9c1646536f3582006045ea095455822097341f9facd13bb92818a0e75cf4eaa4f83f5d033d608e4c4f595a3a4389b815af382395fd0c38de8a0831cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\7ba89048-8b25-45ba-988c-dda340545214
Filesize671B
MD50c54526b197e63a8ac1b62423bf25a66
SHA12a014b5e44c830397eac521bdfb5785628266205
SHA256fc050173708b02734fcf21e102f1a184e7e34da36893c1aafc20f46908bd20ac
SHA512d6e0f5f4f4f500dd2ce29f2794f904b8609bca7906f5c4d8e9b622fe53ac2432112fc5172f768551381352e833e8179f0295e92e1472d67951616c133201b407
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\7d9fbbdf-5eec-4605-be89-809822a0768f
Filesize28KB
MD54bc07089414b4ea984507a57bf6cea4f
SHA1aa4d1eb8fe7c7835bc4a031b63e000b96779c996
SHA25671cd3e8c199cd2cdc0b1e6934eda44ef16749573fb2e73a5fb943ed4e4e6d5d9
SHA512e5f8d057cf94388df015e4d87ac5deac2584108ff4a56c7aa16c93809147bb238a51026634e5e60583985bef95a287a24dd037199084fe09b6cafc3cf37134c3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5d2c4bb0b79ed11ec57d91a458ea4d1f9
SHA1381b4efd54f9e4b4a102a3089155ec925dd67f24
SHA2560ac76df56f69702b67cc6e2de8db110d4d280ee72af05ab35dcadc62af1507e7
SHA512fa11ac65dcf474ac3dea75e7f9109a515e104bf74370db9e04c7123582dccdf5aa2ab55a3e2d84f9a89e23f71663de51755925149f18192b0c3a707bbdd04952
-
Filesize
15KB
MD5582455f8cc9a91662f6abece4d4b6473
SHA1161e0b88c43e067672777ef42a13f7f515bf92b4
SHA256bac0e21d455f854979b6213c6a5b674c7d6a286e1571709c394f32501a1f2e14
SHA512cbfb2e4ddf1958f9acb996865fa5fb7165c7b03a37db4b8a03d0a3c602fc656fd5d5e4817aebb1f8b23d98410d6499b4b4e7575694901d82f7d6b9afa92ff54b