Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 11:35
Static task
static1
General
-
Target
fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe
-
Size
3.2MB
-
MD5
5e1f79c85746f02bba8f07ddf1d40582
-
SHA1
e5121c356beeda93810ce5298cace9fb22ef8367
-
SHA256
fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3
-
SHA512
defbdd6351fc7bcc070894fa6d88939884163161cb5700c839a80a47c1e225456b25c372a1af7852417a22dc38ec7bd825e154ee589bca678b46fb6695ac513e
-
SSDEEP
98304:27iO49oaaHxetDYRA7/f2ws67CZYUErr8ozh:23XK2RYUCr8ozh
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
Extracted
lumma
https://drive-connect.cyou/api
https://covery-mover.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection ed087f6069.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ed087f6069.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ed087f6069.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ed087f6069.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ed087f6069.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ed087f6069.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ffcb45d026.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ed087f6069.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 614334195c.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2864 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ffcb45d026.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ed087f6069.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 614334195c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ffcb45d026.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ed087f6069.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 614334195c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe -
Executes dropped EXE 10 IoCs
pid Process 2228 skotes.exe 2340 W4KLQf7.exe 1956 53ab41ef12.exe 2016 76b038065c.exe 612 ffcb45d026.exe 1884 ed087f6069.exe 2612 614334195c.exe 3040 a087d46760.exe 2376 fa6c79db64.exe 2944 a087d46760.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 614334195c.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine ffcb45d026.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine ed087f6069.exe -
Loads dropped DLL 17 IoCs
pid Process 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 2228 skotes.exe 3040 a087d46760.exe 2612 614334195c.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features ed087f6069.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ed087f6069.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ffcb45d026.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014375001\\ffcb45d026.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed087f6069.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014376001\\ed087f6069.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\76b038065c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014374001\\76b038065c.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x00050000000195bd-64.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 2228 skotes.exe 612 ffcb45d026.exe 1884 ed087f6069.exe 2612 614334195c.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3040 set thread context of 2944 3040 a087d46760.exe 51 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a087d46760.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 76b038065c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ed087f6069.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fa6c79db64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language systeminfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffcb45d026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a087d46760.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 53ab41ef12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 614334195c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 76b038065c.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 76b038065c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language W4KLQf7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 fa6c79db64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fa6c79db64.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3384 timeout.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 3228 systeminfo.exe -
Kills process with taskkill 5 IoCs
pid Process 1880 taskkill.exe 3028 taskkill.exe 1816 taskkill.exe 2620 taskkill.exe 2116 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings firefox.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 fa6c79db64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a fa6c79db64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a fa6c79db64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 a087d46760.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a a087d46760.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 2228 skotes.exe 612 ffcb45d026.exe 1884 ed087f6069.exe 2016 76b038065c.exe 2612 614334195c.exe 1884 ed087f6069.exe 1884 ed087f6069.exe 2016 76b038065c.exe 2376 fa6c79db64.exe 2376 fa6c79db64.exe 2864 powershell.exe 2340 W4KLQf7.exe 2340 W4KLQf7.exe 2340 W4KLQf7.exe 2340 W4KLQf7.exe 2340 W4KLQf7.exe 2340 W4KLQf7.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 1816 taskkill.exe Token: SeDebugPrivilege 2620 taskkill.exe Token: SeDebugPrivilege 1884 ed087f6069.exe Token: SeDebugPrivilege 2116 taskkill.exe Token: SeDebugPrivilege 1880 taskkill.exe Token: SeDebugPrivilege 3028 taskkill.exe Token: SeDebugPrivilege 1612 firefox.exe Token: SeDebugPrivilege 1612 firefox.exe Token: SeDebugPrivilege 2864 powershell.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
pid Process 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 1612 firefox.exe 1612 firefox.exe 1612 firefox.exe 1612 firefox.exe 2016 76b038065c.exe 2016 76b038065c.exe -
Suspicious use of SendNotifyMessage 41 IoCs
pid Process 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 2016 76b038065c.exe 1612 firefox.exe 1612 firefox.exe 1612 firefox.exe 2016 76b038065c.exe 2016 76b038065c.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2228 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 30 PID 2188 wrote to memory of 2228 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 30 PID 2188 wrote to memory of 2228 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 30 PID 2188 wrote to memory of 2228 2188 fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe 30 PID 2228 wrote to memory of 2340 2228 skotes.exe 33 PID 2228 wrote to memory of 2340 2228 skotes.exe 33 PID 2228 wrote to memory of 2340 2228 skotes.exe 33 PID 2228 wrote to memory of 2340 2228 skotes.exe 33 PID 2228 wrote to memory of 1956 2228 skotes.exe 34 PID 2228 wrote to memory of 1956 2228 skotes.exe 34 PID 2228 wrote to memory of 1956 2228 skotes.exe 34 PID 2228 wrote to memory of 1956 2228 skotes.exe 34 PID 2228 wrote to memory of 2016 2228 skotes.exe 35 PID 2228 wrote to memory of 2016 2228 skotes.exe 35 PID 2228 wrote to memory of 2016 2228 skotes.exe 35 PID 2228 wrote to memory of 2016 2228 skotes.exe 35 PID 2228 wrote to memory of 612 2228 skotes.exe 36 PID 2228 wrote to memory of 612 2228 skotes.exe 36 PID 2228 wrote to memory of 612 2228 skotes.exe 36 PID 2228 wrote to memory of 612 2228 skotes.exe 36 PID 2016 wrote to memory of 1816 2016 76b038065c.exe 37 PID 2016 wrote to memory of 1816 2016 76b038065c.exe 37 PID 2016 wrote to memory of 1816 2016 76b038065c.exe 37 PID 2016 wrote to memory of 1816 2016 76b038065c.exe 37 PID 2228 wrote to memory of 1884 2228 skotes.exe 40 PID 2228 wrote to memory of 1884 2228 skotes.exe 40 PID 2228 wrote to memory of 1884 2228 skotes.exe 40 PID 2228 wrote to memory of 1884 2228 skotes.exe 40 PID 2228 wrote to memory of 2612 2228 skotes.exe 41 PID 2228 wrote to memory of 2612 2228 skotes.exe 41 PID 2228 wrote to memory of 2612 2228 skotes.exe 41 PID 2228 wrote to memory of 2612 2228 skotes.exe 41 PID 2016 wrote to memory of 2620 2016 76b038065c.exe 42 PID 2016 wrote to memory of 2620 2016 76b038065c.exe 42 PID 2016 wrote to memory of 2620 2016 76b038065c.exe 42 PID 2016 wrote to memory of 2620 2016 76b038065c.exe 42 PID 2228 wrote to memory of 3040 2228 skotes.exe 44 PID 2228 wrote to memory of 3040 2228 skotes.exe 44 PID 2228 wrote to memory of 3040 2228 skotes.exe 44 PID 2228 wrote to memory of 3040 2228 skotes.exe 44 PID 2016 wrote to memory of 2116 2016 76b038065c.exe 46 PID 2016 wrote to memory of 2116 2016 76b038065c.exe 46 PID 2016 wrote to memory of 2116 2016 76b038065c.exe 46 PID 2016 wrote to memory of 2116 2016 76b038065c.exe 46 PID 2228 wrote to memory of 2376 2228 skotes.exe 48 PID 2228 wrote to memory of 2376 2228 skotes.exe 48 PID 2228 wrote to memory of 2376 2228 skotes.exe 48 PID 2228 wrote to memory of 2376 2228 skotes.exe 48 PID 2016 wrote to memory of 1880 2016 76b038065c.exe 49 PID 2016 wrote to memory of 1880 2016 76b038065c.exe 49 PID 2016 wrote to memory of 1880 2016 76b038065c.exe 49 PID 2016 wrote to memory of 1880 2016 76b038065c.exe 49 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 3040 wrote to memory of 2944 3040 a087d46760.exe 51 PID 2016 wrote to memory of 3028 2016 76b038065c.exe 60 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe"C:\Users\Admin\AppData\Local\Temp\fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2340 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- System Location Discovery: System Language Discovery
- Gathers system information
PID:3228
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014373001\53ab41ef12.exe"C:\Users\Admin\AppData\Local\Temp\1014373001\53ab41ef12.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956
-
-
C:\Users\Admin\AppData\Local\Temp\1014374001\76b038065c.exe"C:\Users\Admin\AppData\Local\Temp\1014374001\76b038065c.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:1552
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.0.404991663\425742110" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1260 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42793583-7037-447e-a82e-a5f0553b1285} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 1368 102efb58 gpu6⤵PID:640
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.1.55761472\341985915" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41f25a34-23bf-45be-9628-9db0a4a2f907} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 1532 f4eee58 socket6⤵PID:2432
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.2.1472971530\1913017258" -childID 1 -isForBrowser -prefsHandle 2008 -prefMapHandle 2004 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18d11198-33d8-47dc-95bf-07012d4e947d} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 2020 182bba58 tab6⤵PID:2948
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.3.1027455391\1617428730" -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a5dc5ef-e2df-4096-bfd5-d8e0c90ac4b5} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 2904 e5e458 tab6⤵PID:1772
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.4.44512805\933412459" -childID 3 -isForBrowser -prefsHandle 3816 -prefMapHandle 3812 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {daca1cce-142c-4d28-a5d6-337849199d93} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 3828 e62d58 tab6⤵PID:1972
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.5.318340931\1049423398" -childID 4 -isForBrowser -prefsHandle 3840 -prefMapHandle 3836 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ce4735-4daf-4367-b301-5334ba1993f3} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 3660 1ebc3958 tab6⤵PID:1604
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.6.1661346227\131014624" -childID 5 -isForBrowser -prefsHandle 4056 -prefMapHandle 4068 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0490a229-7b35-4516-8225-a3bf89b75503} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 3816 1edd3258 tab6⤵PID:2752
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014375001\ffcb45d026.exe"C:\Users\Admin\AppData\Local\Temp\1014375001\ffcb45d026.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:612
-
-
C:\Users\Admin\AppData\Local\Temp\1014376001\ed087f6069.exe"C:\Users\Admin\AppData\Local\Temp\1014376001\ed087f6069.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\Users\Admin\AppData\Local\Temp\1014377001\614334195c.exe"C:\Users\Admin\AppData\Local\Temp\1014377001\614334195c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2612
-
-
C:\Users\Admin\AppData\Local\Temp\1014378001\a087d46760.exe"C:\Users\Admin\AppData\Local\Temp\1014378001\a087d46760.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\1014378001\a087d46760.exe"C:\Users\Admin\AppData\Local\Temp\1014378001\a087d46760.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2944
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014379001\fa6c79db64.exe"C:\Users\Admin\AppData\Local\Temp\1014379001\fa6c79db64.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2376 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014379001\fa6c79db64.exe" & rd /s /q "C:\ProgramData\GLXT00RQQ9RI" & exit4⤵
- System Location Discovery: System Language Discovery
PID:3352 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3384
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:3028
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD5388f9e40d60671fcc4fae3cc03df9877
SHA1e149c2fa2deb8f7ee305e6e17c9c8937c9f0aa78
SHA256d85132f75f07fbc42b08e8a3fb7c8c5567ae3142bb83e21c4e3672067acf0128
SHA512b99bc8c7abbc7d5757b0513832ad22c2323dbfc68c6949f3286b04255da8e9d467b74f939cfc3303f5e43442ed1802b9e2f388a3714a5642af1b1df18f27e094
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
3.7MB
MD512c766cab30c7a0ef110f0199beda18b
SHA1efdc8eb63df5aae563c7153c3bd607812debeba4
SHA2567b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316
SHA51232cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
947KB
MD582371c46d624ba7ee9047f7008ba2e3c
SHA1f9855774f6db73dce92e733a0cfb2d4fd70e5422
SHA256bd7497cac83a386d4b21f84fe94e9df74603230d46507582f7de4c6a2fe760d4
SHA512d8f8e060de3c39f28bf2269273e26d2f9101d0b05de18ffa2c535ad628775321d696aa3ee82f9a546c44e8b74bec72938a6a40faaecfcda60324f3cceb68d402
-
Filesize
1.7MB
MD5656562cca191b9d58ce38dd8b98b7879
SHA129133dce961cadbfa01da2581dc43cd6b2c2a745
SHA25661b227734b42abc0b52830af310f124bf668f033aaeec5cf5c58b001261a2ca3
SHA512e7675dad6a82442ff43347de725fb0d223fc264205951494e35144e9c9ecea77042cc5e25fbc9bc5191897a126adbb6abc88c233f88a067a01efea6a0c10ce03
-
Filesize
2.7MB
MD5a64f923cacadf2e7020d0e9b7383276c
SHA159146faef7928db615b58a1eb9757ff8b2ad0337
SHA2562f7d1a912f1c224867bffc00e2ce664df0b131abdf1128d7f50cfd373f9196f5
SHA512a8f9f8ad1bc2aa54a0092e4dcc77e020151a0137bc9b28dcc494f27c0c45fd124801b064400b813c7aee76d4337c1239a5da96bf99e9ffbbe47231b0597f5bef
-
Filesize
1.9MB
MD56b388916c9f72353cbd4799ed242d4f4
SHA164b382ca1909b0ae89f26d49652f19fceaf33a48
SHA25683cc25a9b6c72190cd8886758cc9afa6625be19579a7532faa97f3feb5e6a7fd
SHA51290e42d22d3c2f87daa6703312dab91c00f6026f17325434f75520852d96d31969c4ebca0f94947626c372b18b57cc7e8af11d637cda68c2526d3971d44f7e85a
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD51ef0753854f8059458f5377740e0fbcf
SHA1e78c980d41e8b82d6d8f7184ef158601616c080d
SHA256876f571aec6e996403e74581da7ed3320cc335a722556fc8dca6e4523ee426ca
SHA5127b19045c1b78bd93cf35795a5aa77c53ef011b69c6a33dd9fe060f42cbfa3c688428894be8ec7800d87a7e9c6d84f7af2aeb2c03989d540edb09855e4228d5f4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\955c35dc-ad36-4abf-89a0-ba3fb9403c25
Filesize12KB
MD532de63916978ae21396c05204fab00bc
SHA1482667bc4cdd6baf54500043ff74e825f4e6088c
SHA256217d52b44a737a6bc68205a4f78ad309564cc12a7a93e02812869bb62eb6e52f
SHA512b2bdb1d7126911069dfe0de5c56496d69106b7cabc2dd67f8034eb802b1fd0a3718867065eaff342fbfba50710f6a624eb879044379e554258c38104eb57b93f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\d9e2f514-ecde-4d3c-aed7-21e6b85d8b62
Filesize745B
MD518ad9c5008e1989a89e42caf052e79ea
SHA1245f8576dba608e3a2ad77b3ba416ab34b2039d5
SHA25627b8e48e5b03305ddef4022a71041233c2f929e11e9c6e9f500c2f9be91520a5
SHA512839ce887a7df1c85ec595c64dc31f0630a2d01c80072d0a0d3800a31627e7bbee003f0fdec2370718fdc6f8a53ef29f2cc8d32a2dc62fc37f2b3789a4b671c39
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD51def40d6a4acb4df8132cab93f3ff3a0
SHA18e2a7853f12c082255f8a7389c13dc9b5b235d51
SHA256b76455bd40a9f3917aff77d0850a8b9afe579716777272d6b3110ad4b31f84c9
SHA512ce2cb41a29d27383b1fe4054e6da6043916d9ffcf67aa583663ccf600aa0a16c12f604d06ec7791f0ce304785d94d0c922fb61aba3394eae6470eaa50601e21f
-
Filesize
7KB
MD58e75b34dff5e627ce456bbb6aca2fd48
SHA148f4fed34e442c853151ae7a7effdcf31d0cbb63
SHA2566be03d6cb10b98e15650e400d19f8b245e2101e5d05b5d9df69c300046806afd
SHA51201bd23b5a2c87283e55eb0935462e55488e73513686120fdd6285e588eebc0ea8e500c725b42479335f2d529832920192ec9a0b6ac920567fc1e09c75968127f
-
Filesize
6KB
MD5e8ab5280ea409c69113e747a05ae4e92
SHA1d4f769e6e56d91514762fd1a7329276cf108f321
SHA2563c257acddf504bb94591e47bd759ee87c7738af4901a53b3e4dd3f52b383e344
SHA512d9225dd2d8c8f7081265197e5d05daff519b988915f116e2318317fe2f2d4e4dee4c56132f85b8ffef4d6ee304560dc0fd29d97368f52d2cdb3f834c613e915c
-
Filesize
6KB
MD5364f47ddf9286d8192a5ed9249076050
SHA1425dce155b4059c797df8ab322a912fa27d9d5b7
SHA256997bf51d0a21446d70ef914e2cef7103ff5eb858432999bb9700f2c878bc7245
SHA512dfb1d9e29d115a09c0c1531af73a2af02ee03b8cb4c01c53828de6444f0061b16418f6a6b7be9da26db1db4d45869947c1810a62dbad123aafde0d6389199be1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5d2de1a115674d435252e7d29df0f9e01
SHA19a995eeb2a3eeaeb738f7e35810055df9b0d1571
SHA25671fee1c7b539764ab34407cef2be12eea06593d3cd10f2f4a9e8e0197f2e3609
SHA512742289bee6c763f85dc2b84fb44c936545ae6414ce3736d17adf6f6e0b39348316e4bda445eb3e13b148ebc9992a9231125656e97a0bee808e361280c69279ae
-
Filesize
1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
Filesize
3.2MB
MD55e1f79c85746f02bba8f07ddf1d40582
SHA1e5121c356beeda93810ce5298cace9fb22ef8367
SHA256fb9ca04eb63973f5badd7bae3dd967f942ac21eb7b3853b76b00e480e32c6ef3
SHA512defbdd6351fc7bcc070894fa6d88939884163161cb5700c839a80a47c1e225456b25c372a1af7852417a22dc38ec7bd825e154ee589bca678b46fb6695ac513e