Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 02:42

Static task: static1
Behavioral task: behavioral1
Sample: 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Resource: win7-20240708-en

General

Target: 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Size: 3.1MB
MD5: 1f3880629f4830ad6b109bec208f274a
SHA1: 55e3d4d3536eb1620d635a6350db4709dcff0ce2
SHA256: 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321
SHA512: 3ba9d448fe0de299cfc0f83e902e8149fedff5e9dd3e3cdc3ac7fb153d54e7ab829a25ddd8794470c8e78fdc9178ca690dc3f69ecd2a7b2d61a38180004915e4
SSDEEP: 98304:pPR9FCxdTCuiZARs+txszDbFuMtzKBbSN:pPR9HksgxcHFbm5
Malware Config

Extracted
Family: amadey
Version: 4.42
9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:8080
C2: 101.99.92.189:8080
d5gQ6Zf7Tzih1Pi1
install_file: USB.exe

Extracted
Family: stealc
stok
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php

Extracted
Family: lumma
C2: https://impend-differ.biz/api
C2: https://print-vexer.biz/api
C2: https://dare-curbys.biz/api
C2: https://covery-mover.biz/api
C2: https://formy-spill.biz/api
C2: https://dwell-exclaim.biz/api
C2: https://zinc-sneark.biz/api
C2: https://se-blurry.biz/api
C2: https://atten-supporse.biz/api

Extracted
Family: lumma
C2: https://atten-supporse.biz/api
C2: https://covery-mover.biz/api
Signatures

Amadey family

Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral2/memory/1444-98-0x0000000000210000-0x0000000000686000-memory.dmp | family_xworm
behavioral2/memory/1444-99-0x0000000000210000-0x0000000000686000-memory.dmp | family_xworm

Gcleaner family

Lumma family

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | aea229849c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | aea229849c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | aea229849c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | aea229849c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | aea229849c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | aea229849c.exe

Stealc family

Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9feskIx.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9546b11933.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 013488b19e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | aea229849c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e7e1c68492.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9546b11933.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 013488b19e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | aea229849c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9feskIx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9feskIx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | aea229849c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e7e1c68492.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e7e1c68492.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 013488b19e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9546b11933.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 13 IoCs
pid | Process
2868 | skotes.exe
1572 | skotes.exe
2112 | yiklfON.exe
1928 | 3EUEYgl.exe
1444 | 9feskIx.exe
5064 | 6a87f6f99e.exe
4200 | 9546b11933.exe
4272 | 013488b19e.exe
3308 | 9a2fbd8942.exe
3496 | skotes.exe
2704 | aea229849c.exe
2948 | e7e1c68492.exe
5804 | skotes.exe
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 013488b19e.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | aea229849c.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 3EUEYgl.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 9feskIx.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 9546b11933.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | e7e1c68492.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | aea229849c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | aea229849c.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aea229849c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013890001\\aea229849c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9546b11933.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013887001\\9546b11933.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\013488b19e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013888001\\013488b19e.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9a2fbd8942.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013889001\\9a2fbd8942.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0007000000023cb9-173.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
pid | Process
716 | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
2868 | skotes.exe
1572 | skotes.exe
1928 | 3EUEYgl.exe
1444 | 9feskIx.exe
4200 | 9546b11933.exe
4272 | 013488b19e.exe
3496 | skotes.exe
2704 | aea229849c.exe
2948 | e7e1c68492.exe
5804 | skotes.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4884 | 2112 | WerFault.exe | 86
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 013488b19e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e7e1c68492.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9546b11933.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 9a2fbd8942.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aea229849c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9feskIx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9a2fbd8942.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 9a2fbd8942.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a87f6f99e.exe
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3EUEYgl.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3EUEYgl.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Kills process with taskkill 5 IoCs
pid | Process
4664 | taskkill.exe
3152 | taskkill.exe
3496 | taskkill.exe
3636 | taskkill.exe
3916 | taskkill.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1444 | 9feskIx.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
716 | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
716 | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
2868 | skotes.exe
2868 | skotes.exe
1572 | skotes.exe
1572 | skotes.exe
1928 | 3EUEYgl.exe
1928 | 3EUEYgl.exe
1444 | 9feskIx.exe
1444 | 9feskIx.exe
4200 | 9546b11933.exe
4200 | 9546b11933.exe
4272 | 013488b19e.exe
4272 | 013488b19e.exe
1444 | 9feskIx.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3496 | skotes.exe
3496 | skotes.exe
2704 | aea229849c.exe
2704 | aea229849c.exe
2704 | aea229849c.exe
2704 | aea229849c.exe
2704 | aea229849c.exe
2948 | e7e1c68492.exe
2948 | e7e1c68492.exe
5804 | skotes.exe
5804 | skotes.exe
1928 | 3EUEYgl.exe
1928 | 3EUEYgl.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1444 | 9feskIx.exe
Token: SeDebugPrivilege | 3152 | taskkill.exe
Token: SeDebugPrivilege | 3496 | taskkill.exe
Token: SeDebugPrivilege | 3636 | taskkill.exe
Token: SeDebugPrivilege | 3916 | taskkill.exe
Token: SeDebugPrivilege | 4664 | taskkill.exe
Token: SeDebugPrivilege | 1620 | firefox.exe
Token: SeDebugPrivilege | 1620 | firefox.exe
Token: SeDebugPrivilege | 2704 | aea229849c.exe
Suspicious use of FindShellTrayWindow 34 IoCs
pid | Process
716 | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
Suspicious use of SendNotifyMessage 32 IoCs
pid | Process
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
1620 | firefox.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
3308 | 9a2fbd8942.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1444 | 9feskIx.exe
1620 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 716 wrote to memory of 2868 | 716 | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe | 83
PID 716 wrote to memory of 2868 | 716 | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe | 83
PID 716 wrote to memory of 2868 | 716 | 634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe | 83
PID 2868 wrote to memory of 2112 | 2868 | skotes.exe | 86
PID 2868 wrote to memory of 2112 | 2868 | skotes.exe | 86
PID 2868 wrote to memory of 2112 | 2868 | skotes.exe | 86
PID 2868 wrote to memory of 1928 | 2868 | skotes.exe | 88
PID 2868 wrote to memory of 1928 | 2868 | skotes.exe | 88
PID 2868 wrote to memory of 1928 | 2868 | skotes.exe | 88
PID 2868 wrote to memory of 1444 | 2868 | skotes.exe | 97
PID 2868 wrote to memory of 1444 | 2868 | skotes.exe | 97
PID 2868 wrote to memory of 1444 | 2868 | skotes.exe | 97
PID 2868 wrote to memory of 5064 | 2868 | skotes.exe | 98
PID 2868 wrote to memory of 5064 | 2868 | skotes.exe | 98
PID 2868 wrote to memory of 5064 | 2868 | skotes.exe | 98
PID 2868 wrote to memory of 4200 | 2868 | skotes.exe | 99
PID 2868 wrote to memory of 4200 | 2868 | skotes.exe | 99
PID 2868 wrote to memory of 4200 | 2868 | skotes.exe | 99
PID 2868 wrote to memory of 4272 | 2868 | skotes.exe | 101
PID 2868 wrote to memory of 4272 | 2868 | skotes.exe | 101
PID 2868 wrote to memory of 4272 | 2868 | skotes.exe | 101
PID 2868 wrote to memory of 3308 | 2868 | skotes.exe | 102
PID 2868 wrote to memory of 3308 | 2868 | skotes.exe | 102
PID 2868 wrote to memory of 3308 | 2868 | skotes.exe | 102
PID 3308 wrote to memory of 3152 | 3308 | 9a2fbd8942.exe | 104
PID 3308 wrote to memory of 3152 | 3308 | 9a2fbd8942.exe | 104
PID 3308 wrote to memory of 3152 | 3308 | 9a2fbd8942.exe | 104
PID 3308 wrote to memory of 3496 | 3308 | 9a2fbd8942.exe | 107
PID 3308 wrote to memory of 3496 | 3308 | 9a2fbd8942.exe | 107
PID 3308 wrote to memory of 3496 | 3308 | 9a2fbd8942.exe | 107
PID 3308 wrote to memory of 3636 | 3308 | 9a2fbd8942.exe | 109
PID 3308 wrote to memory of 3636 | 3308 | 9a2fbd8942.exe | 109
PID 3308 wrote to memory of 3636 | 3308 | 9a2fbd8942.exe | 109
PID 3308 wrote to memory of 3916 | 3308 | 9a2fbd8942.exe | 111
PID 3308 wrote to memory of 3916 | 3308 | 9a2fbd8942.exe | 111
PID 3308 wrote to memory of 3916 | 3308 | 9a2fbd8942.exe | 111
PID 3308 wrote to memory of 4664 | 3308 | 9a2fbd8942.exe | 113
PID 3308 wrote to memory of 4664 | 3308 | 9a2fbd8942.exe | 113
PID 3308 wrote to memory of 4664 | 3308 | 9a2fbd8942.exe | 113
PID 3308 wrote to memory of 4432 | 3308 | 9a2fbd8942.exe | 115
PID 3308 wrote to memory of 4432 | 3308 | 9a2fbd8942.exe | 115
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 4432 wrote to memory of 1620 | 4432 | firefox.exe | 116
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
PID 1620 wrote to memory of 4160 | 1620 | firefox.exe | 117
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\634574bd010e80e3d6e50ef2483c5c74b9cf9685e0e8349159a1be862b8d7321.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 716

    [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2868

        [3] C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"
            - Executes dropped EXE
            PID: 2112

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 224
                - Program crash
                PID: 4884

        [3] C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            PID: 1928

        [3] C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 1444

        [3] C:\Users\Admin\AppData\Local\Temp\1013886001\6a87f6f99e.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013886001\6a87f6f99e.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 5064

        [3] C:\Users\Admin\AppData\Local\Temp\1013887001\9546b11933.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013887001\9546b11933.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 4200

        [3] C:\Users\Admin\AppData\Local\Temp\1013888001\013488b19e.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013888001\013488b19e.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 4272

        [3] C:\Users\Admin\AppData\Local\Temp\1013889001\9a2fbd8942.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013889001\9a2fbd8942.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 3308

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM firefox.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 3152

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM chrome.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 3496

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM msedge.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 3636

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM opera.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 3916

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /F /IM brave.exe /T
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 4664

            [4] C:\Program Files\Mozilla Firefox\firefox.exe
                Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                - Suspicious use of WriteProcessMemory
                PID: 4432

                [5] C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    - Checks processor information in registry
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    PID: 1620

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1100bfe0-5165-4e3f-a301-3f6077c196f6} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" gpu
                        PID: 4160

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7520ebaa-c7b3-4859-8266-311beea9bf38} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" socket
                        PID: 3920

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 3344 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2268da2a-98b2-4512-b70e-5d37e5f877a1} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" tab
                        PID: 4496

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3880 -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 2788 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c922354e-d8ba-4f67-b5ec-592f5d9a12b9} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" tab
                        PID: 3044

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4420 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4652 -prefMapHandle 4684 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dcd20aa-f6f9-4c3b-8507-57c6161893a1} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" utility
                        - Checks processor information in registry
                        PID: 5248

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71701c7c-4681-4480-a6ab-5422190ccd70} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" tab
                        PID: 5812

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 4888 -prefMapHandle 4840 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06eb6458-4797-4c6e-9735-5336694d80f3} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" tab
                        PID: 5820

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5744 -prefMapHandle 5740 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {182af1be-1c20-4963-bf12-0e1c1b082090} 1620 "\\.\pipe\gecko-crash-server-pipe.1620" tab
                        PID: 5836

        [3] C:\Users\Admin\AppData\Local\Temp\1013890001\aea229849c.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013890001\aea229849c.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Windows security modification
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2704

        [3] C:\Users\Admin\AppData\Local\Temp\1013891001\e7e1c68492.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1013891001\e7e1c68492.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 2948

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 1572

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2112 -ip 2112
    PID: 2940

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 3496

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 5804
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads