Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 13:25
Static task: static1
General
Target: 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe
Size: 5.4MB
MD5: 631000ebd0942479d98f907b086800b0
SHA1: a4bfe1933cc4b44c126056b9abcbeb7263b6c5bd
SHA256: 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa
SHA512: 783f04d8d1ceccc01f35f4c8db85ba9b9c758869d27e29d1deb70cbd92b7d06bb65e4574e32f38a662d4208727292b651ae41c0a10e69fb2915d14b742704641
SSDEEP: 98304:C5VK9JtWcgeyvdazBRLYcZcQ+67MHyaC2shTjWYepo+3wH0ctxxpvtUlo1LkXrDg:Cq9JtW1YzjuQ37Mi6o+C0cbxT1kXr5
Malware Config
Extracted: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted: lumma
C2 URLs:
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
Extracted: stealc
Botnet: stok
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php
Extracted: lumma (second extraction; every URL below also appears in the first Lumma list above)
C2 URLs:
https://tacitglibbr.biz/api
https://immureprech.biz/api
https://deafeninggeh.biz/api
https://wrathful-jammy.cyou/api
https://awake-weaves.cyou/api
https://sordid-snaked.cyou/api
https://drive-connect.cyou/api
https://covery-mover.biz/api
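The three extracted configs are the most directly actionable part of this report: Amadey and Stealc each give a C2 host plus a URL path (the full C2 URL is host + path), and the two Lumma extractions overlap, so the list has to be de-duplicated before it becomes a watch-list. The following is an added example, not part of the sandbox report or of any of the malware families' own code: it folds the configs above into one host-keyed watch-list and runs it over proxy log lines. The log format and the log lines themselves are constructed for the example; the C2 values are copied from the report.

```python
"""Build a C2 watch-list from the extracted Amadey / Lumma / Stealc configs
and match it against proxy log lines (constructed sample data)."""
import re
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of the report.
AMADEY = {"c2": "http://185.215.113.43", "url_paths": ["/Zu7JuNko/index.php"]}
STEALC = {"c2": "http://185.215.113.206", "url_path": "/c4becf79229cb002.php"}
LUMMA_C2 = [
    "https://sordid-snaked.cyou/api", "https://awake-weaves.cyou/api",
    "https://wrathful-jammy.cyou/api", "https://debonairnukk.xyz/api",
    "https://diffuculttan.xyz/api", "https://effecterectz.xyz/api",
    "https://deafeninggeh.biz/api", "https://immureprech.biz/api",
    "https://tacitglibbr.biz/api", "https://impend-differ.biz/api",
    "https://print-vexer.biz/api", "https://dare-curbys.biz/api",
    "https://covery-mover.biz/api", "https://formy-spill.biz/api",
    "https://dwell-exclaim.biz/api", "https://zinc-sneark.biz/api",
    "https://se-blurry.biz/api", "https://drive-connect.cyou/api",
    # the second Lumma extraction repeats URLs from the first; two shown here
    "https://tacitglibbr.biz/api", "https://drive-connect.cyou/api",
]


def build_watchlist():
    """Return {host: (family, full C2 URL)}; duplicate hosts collapse to one entry."""
    watch = {}
    for path in AMADEY["url_paths"]:
        url = AMADEY["c2"].rstrip("/") + path
        watch[urlsplit(url).hostname] = ("amadey", url)
    url = STEALC["c2"].rstrip("/") + STEALC["url_path"]
    watch[urlsplit(url).hostname] = ("stealc", url)
    for url in LUMMA_C2:
        watch[urlsplit(url).hostname] = ("lumma", url)
    return watch


# Constructed log format (an assumption): "<ts> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines, watch=None):
    """Return [(client, family, host, url)] for lines whose host is on the list.
    Matching is by host, so a different path on a known C2 host still fires."""
    watch = build_watchlist() if watch is None else watch
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname
        if host in watch:
            family, _ = watch[host]
            hits.append((m["client"], family, host, m["url"]))
    return hits


# Constructed sample lines: three C2 contacts and two benign requests.
SAMPLE_LOG = [
    "2024-12-12T13:26:01Z 10.0.0.15 POST http://185.215.113.43/Zu7JuNko/index.php 200",
    "2024-12-12T13:26:04Z 10.0.0.15 GET https://www.microsoft.com/ 200",
    "2024-12-12T13:26:09Z 10.0.0.15 POST https://sordid-snaked.cyou/api 200",
    "2024-12-12T13:26:15Z 10.0.0.22 GET http://185.215.113.206/c4becf79229cb002.php 200",
    "2024-12-12T13:26:20Z 10.0.0.22 GET https://example.org/index.php 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

The watch-list keys on host rather than full URL on purpose: the Amadey and Stealc paths are per-campaign and change, while the two IP-based C2s and the Lumma domains are the stable part. Note that both HTTP C2s sit in 185.215.113.0/24; whether that justifies a wider block is a judgement call the report alone does not settle.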
Signatures
Amadey family
Gcleaner family
Lumma family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 311b4ffa60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 311b4ffa60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 311b4ffa60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 311b4ffa60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 311b4ffa60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 311b4ffa60.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1V47m0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2D8956.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7e9d1ed138.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 311b4ffa60.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3p73w.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 261b746318.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
pid | Process
6196 | powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 261b746318.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 311b4ffa60.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2D8956.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7e9d1ed138.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3p73w.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3p73w.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7e9d1ed138.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 311b4ffa60.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1V47m0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2D8956.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1V47m0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 261b746318.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 1V47m0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 8cb3ee7f4f.exe
Executes dropped EXE 17 IoCs
pid | Process
3368 | o2T35.exe
4572 | 1V47m0.exe
5024 | skotes.exe
2468 | 2D8956.exe
3544 | 3p73w.exe
4816 | W4KLQf7.exe
4844 | 7e9d1ed138.exe
3924 | skotes.exe
1524 | bcf05e0982.exe
3208 | bcf05e0982.exe
4684 | 8cb3ee7f4f.exe
3656 | 8b78dfe8d1.exe
320 | ccedd9d82d.exe
4464 | 261b746318.exe
620 | 311b4ffa60.exe
5160 | skotes.exe
1964 | skotes.exe
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 3p73w.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 7e9d1ed138.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 261b746318.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 1V47m0.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 2D8956.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 311b4ffa60.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 311b4ffa60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 311b4ffa60.exe
Whether this write and the Real-Time Protection policy values above actually took effect depends on the Tamper Protection state of the analysis image, which the report does not show; the registry writes alone only show intent.
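The Defender-related behaviour in this report comes from two processes: 311b4ffa60.exe sets the five Real-Time Protection policy values and the TamperProtection feature flag shown in the tables above, and W4KLQf7.exe spawns a PowerShell that runs Add-MpPreference -ExclusionPath. The block below is an added example, not part of the report or of any vendor's detection content: it classifies endpoint telemetry for exactly those two signals. The event records and their field names (type, image, path, value, cmdline) are a constructed, Sysmon-like shape, not a real schema; the registry paths and the command line are copied from the report.

```python
"""Flag Defender tampering: policy values that disable real-time protection,
the TamperProtection feature flag, and Add-MpPreference exclusions."""
import re

# Registry values the report shows being set, keyed without hive or WOW6432Node.
RTP_POLICY = "Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
TAMPER_VALUES = {
    RTP_POLICY + "DisableBehaviorMonitoring": "1",
    RTP_POLICY + "DisableIOAVProtection": "1",
    RTP_POLICY + "DisableOnAccessProtection": "1",
    RTP_POLICY + "DisableRealtimeMonitoring": "1",
    RTP_POLICY + "DisableScanOnRealtimeEnable": "1",
    "Microsoft\\Windows Defender\\Features\\TamperProtection": "0",
}

# Add-MpPreference with any of its -Exclusion* parameters, any casing.
EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(path|process|extension|ipaddress)\b", re.I
)


def _normalize_key(path):
    """Strip the hive prefix and WOW6432Node so the 32-bit view recorded by the
    sandbox and the native HKLM\\SOFTWARE path compare equal."""
    p = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    return re.sub(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?", "", p, flags=re.I)


def classify_registry_event(ev):
    """ev has "path" and "value". Alert only on the disabling value, so a
    policy refresh that writes 0 to the same value does not fire."""
    key = _normalize_key(ev["path"]).lower()
    for suffix, bad in TAMPER_VALUES.items():
        if key.endswith(suffix.lower()) and str(ev["value"]) == bad:
            name = suffix.rsplit("\\", 1)[-1]
            return f"defender_tamper:{name}"
    return None


def classify_process_event(ev):
    """ev has "cmdline". Alert on any Add-MpPreference exclusion."""
    m = EXCLUSION_RE.search(ev["cmdline"])
    return f"defender_exclusion:{m.group(1).lower()}" if m else None


def classify(events):
    """Return [(image, alert)] for every event that matches."""
    alerts = []
    for ev in events:
        if ev["type"] == "registry_set":
            a = classify_registry_event(ev)
        elif ev["type"] == "process_create":
            a = classify_process_event(ev)
        else:
            a = None
        if a:
            alerts.append((ev["image"], a))
    return alerts


SAMPLE_EVENTS = [  # constructed records; paths and command line from the report
    {"type": "registry_set", "image": "311b4ffa60.exe", "value": 1,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "registry_set", "image": "311b4ffa60.exe", "value": 0,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    {"type": "registry_set", "image": "gpupdate.exe", "value": 0,  # benign: re-enables
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "process_create", "image": "powershell.exe",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"'},
    {"type": "process_create", "image": "powershell.exe",
     "cmdline": "powershell Get-MpPreference"},
]

if __name__ == "__main__":
    for image, alert in classify(SAMPLE_EVENTS):
        print(image, alert)
```

Matching on the value's suffix after normalisation is deliberate: the sandbox records the 32-bit process's writes under WOW6432Node, while an EDR on a 64-bit host may report the same policy under HKLM\SOFTWARE\Policies, and the rule should fire in either case.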
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | o2T35.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccedd9d82d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014405001\\ccedd9d82d.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\261b746318.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014406001\\261b746318.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\311b4ffa60.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014407001\\311b4ffa60.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe
The two wextract_cleanup RunOnce entries are the standard temp-directory cleanup hook of the Windows self-extractor (wextract/IExpress) that wraps the sample, not persistence; the three HKCU Run entries written by skotes.exe are the real persistence, one per downloaded payload.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0009000000023c00-171.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid | Process
4572 | 1V47m0.exe
5024 | skotes.exe
2468 | 2D8956.exe
3544 | 3p73w.exe
4844 | 7e9d1ed138.exe
3924 | skotes.exe
4464 | 261b746318.exe
620 | 311b4ffa60.exe
5160 | skotes.exe
1964 | skotes.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1524 set thread context of 3208 | 1524 | bcf05e0982.exe | 99
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1V47m0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1080 | 4684 | WerFault.exe | 100
5820 | 4844 | WerFault.exe | 95
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1V47m0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2D8956.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3p73w.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bcf05e0982.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ccedd9d82d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | ccedd9d82d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | o2T35.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 311b4ffa60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7e9d1ed138.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 261b746318.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | W4KLQf7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8b78dfe8d1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bcf05e0982.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8cb3ee7f4f.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | ccedd9d82d.exe
The NLS\Language key is opened by the built-in utilities the sample spawned (cmd.exe, timeout.exe, taskkill.exe, systeminfo.exe, powershell.exe) as well as by the payloads, so this signature is low-signal on its own; only the InstallLanguage query by ccedd9d82d.exe is an explicit language lookup.
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 8cb3ee7f4f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 8cb3ee7f4f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Eight of the ten rows come from the Firefox instance the sample launched, not from a payload; only the two 8cb3ee7f4f.exe rows are attributable to the malware.
Delays execution with timeout.exe 1 IoCs
pid | Process
1256 | timeout.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
6384 | systeminfo.exe
Kills process with taskkill 5 IoCs
pid | Process
4376 | taskkill.exe
4992 | taskkill.exe
3288 | taskkill.exe
1996 | taskkill.exe
2512 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid | Process | entries
4572 | 1V47m0.exe | 2
5024 | skotes.exe | 2
2468 | 2D8956.exe | 2
3544 | 3p73w.exe | 2
4844 | 7e9d1ed138.exe | 2
3924 | skotes.exe | 2
4684 | 8cb3ee7f4f.exe | 2
4464 | 261b746318.exe | 2
320 | ccedd9d82d.exe | 4
620 | 311b4ffa60.exe | 5
6196 | powershell.exe | 3
4816 | W4KLQf7.exe | 2
5160 | skotes.exe | 2
1964 | skotes.exe | 2
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2512 | taskkill.exe
Token: SeDebugPrivilege | 4376 | taskkill.exe
Token: SeDebugPrivilege | 4992 | taskkill.exe
Token: SeDebugPrivilege | 3288 | taskkill.exe
Token: SeDebugPrivilege | 1996 | taskkill.exe
Token: SeDebugPrivilege | 3992 | firefox.exe
Token: SeDebugPrivilege | 3992 | firefox.exe
Token: SeDebugPrivilege | 620 | 311b4ffa60.exe
Token: SeDebugPrivilege | 6196 | powershell.exe
Suspicious use of FindShellTrayWindow 39 IoCs
pid | Process | entries
4572 | 1V47m0.exe | 1
320 | ccedd9d82d.exe | 17
3992 | firefox.exe | 21
Suspicious use of SendNotifyMessage 37 IoCs
pid | Process | entries
320 | ccedd9d82d.exe | 17
3992 | firefox.exe | 20
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3992 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | writes
PID 1100 wrote to memory of 3368 | 1100 | 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe | 82 | 3
PID 3368 wrote to memory of 4572 | 3368 | o2T35.exe | 83 | 3
PID 4572 wrote to memory of 5024 | 4572 | 1V47m0.exe | 84 | 3
PID 3368 wrote to memory of 2468 | 3368 | o2T35.exe | 85 | 3
PID 1100 wrote to memory of 3544 | 1100 | 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe | 88 | 3
PID 5024 wrote to memory of 4816 | 5024 | skotes.exe | 92 | 3
PID 5024 wrote to memory of 4844 | 5024 | skotes.exe | 95 | 3
PID 5024 wrote to memory of 1524 | 5024 | skotes.exe | 97 | 3
PID 1524 wrote to memory of 3208 | 1524 | bcf05e0982.exe | 99 | 10
PID 5024 wrote to memory of 4684 | 5024 | skotes.exe | 100 | 3
PID 4684 wrote to memory of 2224 | 4684 | 8cb3ee7f4f.exe | 101 | 3
PID 2224 wrote to memory of 1256 | 2224 | cmd.exe | 105 | 3
PID 5024 wrote to memory of 3656 | 5024 | skotes.exe | 107 | 3
PID 5024 wrote to memory of 320 | 5024 | skotes.exe | 109 | 3
PID 320 wrote to memory of 2512 | 320 | ccedd9d82d.exe | 110 | 3
PID 5024 wrote to memory of 4464 | 5024 | skotes.exe | 112 | 3
PID 320 wrote to memory of 4376 | 320 | ccedd9d82d.exe | 114 | 3
PID 320 wrote to memory of 4992 | 320 | ccedd9d82d.exe | 116 | 3
PID 5024 wrote to memory of 620 | 5024 | skotes.exe | 118 | 3
Every ordinary spawn in this tree accounts for exactly three writes. The ten writes from 1524 into 3208, a second instance of its own image and the same pair recorded under "Suspicious use of SetThreadContext" above, are the footprint of code injection into a suspended copy of itself; 3208 is the process whose memory, not its file on disk, holds the real payload.
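The WriteProcessMemory rows double as the most reliable parent/child record in this report, since the sandbox logs every spawn as writes from parent into child. The block below is an added example, not part of the report: it parses rows in the report's own flattened "PID A wrote to memory of B A image N" shape, rebuilds the lineage of any PID, and flags the one parent that writes far more often than a spawn needs into a child running its own image. The rows are copied from the report (a subset, with their repeat counts); the "more writes than the typical spawn" threshold is the example's own assumption.

```python
"""Rebuild process lineage from WriteProcessMemory rows and flag self-injection."""
import re
from collections import Counter

ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)

# (row as it appears in the report, number of times it appears)
ROWS = [
    ("PID 1100 wrote to memory of 3368 1100 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe 82", 3),
    ("PID 3368 wrote to memory of 4572 3368 o2T35.exe 83", 3),
    ("PID 4572 wrote to memory of 5024 4572 1V47m0.exe 84", 3),
    ("PID 3368 wrote to memory of 2468 3368 o2T35.exe 85", 3),
    ("PID 1100 wrote to memory of 3544 1100 07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe 88", 3),
    ("PID 5024 wrote to memory of 1524 5024 skotes.exe 97", 3),
    ("PID 1524 wrote to memory of 3208 1524 bcf05e0982.exe 99", 10),
    ("PID 5024 wrote to memory of 4684 5024 skotes.exe 100", 3),
    ("PID 4684 wrote to memory of 2224 4684 8cb3ee7f4f.exe 101", 3),
    ("PID 2224 wrote to memory of 1256 2224 cmd.exe 105", 3),
    ("PID 5024 wrote to memory of 320 5024 skotes.exe 109", 3),
    ("PID 320 wrote to memory of 2512 320 ccedd9d82d.exe 110", 3),
]
# Flattened onto one line, which is how the report renders the table.
RECORD_TEXT = " ".join(row for row, n in ROWS for _ in range(n))

# Child images come from the "Executes dropped EXE" table; a child that never
# writes into anything else (3208) has no image in the write rows themselves.
DROPPED_EXE = {
    3368: "o2T35.exe", 4572: "1V47m0.exe", 5024: "skotes.exe", 2468: "2D8956.exe",
    3544: "3p73w.exe", 1524: "bcf05e0982.exe", 3208: "bcf05e0982.exe",
    4684: "8cb3ee7f4f.exe", 320: "ccedd9d82d.exe",
}


def parse_writes(text):
    """Return (Counter{(src, dst): writes}, {pid: image}) from the flattened rows."""
    writes = Counter()
    images = dict(DROPPED_EXE)
    for m in ROW_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        writes[(src, dst)] += 1
        images[src] = m["image"]
    return writes, images


def parent_map(writes):
    """child pid -> the pid that wrote into it most (normally its creator)."""
    best = {}
    for (src, dst), n in writes.items():
        if dst not in best or n > writes[(best[dst], dst)]:
            best[dst] = src
    return best


def lineage(pid, parents):
    """Walk child -> parent up to the root; stops on a cycle (PID reuse)."""
    chain = [pid]
    while chain[-1] in parents:
        nxt = parents[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def flag_self_injection(writes, images):
    """Edges where parent and child share an image and the write count exceeds
    the modal per-edge count (the ordinary spawn footprint in this data)."""
    typical = Counter(writes.values()).most_common(1)[0][0]
    return sorted(
        (src, dst, n) for (src, dst), n in writes.items()
        if images.get(src) == images.get(dst) and n > typical
    )


if __name__ == "__main__":
    w, im = parse_writes(RECORD_TEXT)
    print("lineage of 3208:", lineage(3208, parent_map(w)))
    print("self-injection candidates:", flag_self_injection(w, im))
```

Using the modal write count as the baseline instead of a fixed number keeps the rule tied to what the recording tool actually emits per spawn; a different sandbox may log one or two writes per CreateProcess, and the same comparison still isolates the outlier.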
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe"C:\Users\Admin\AppData\Local\Temp\07ad8fdbcf84a6fc41716301052c96b9e307b104f32ad52fd734eb857c05b5fa.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o2T35.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o2T35.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1V47m0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1V47m0.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4816 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6196
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo6⤵
- System Location Discovery: System Language Discovery
- Gathers system information
PID:6384
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014398001\7e9d1ed138.exe"C:\Users\Admin\AppData\Local\Temp\1014398001\7e9d1ed138.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 7806⤵
- Program crash
PID:5820
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014402001\bcf05e0982.exe"C:\Users\Admin\AppData\Local\Temp\1014402001\bcf05e0982.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\1014402001\bcf05e0982.exe"C:\Users\Admin\AppData\Local\Temp\1014402001\bcf05e0982.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3208
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014403001\8cb3ee7f4f.exe"C:\Users\Admin\AppData\Local\Temp\1014403001\8cb3ee7f4f.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014403001\8cb3ee7f4f.exe" & rd /s /q "C:\ProgramData\JM79RQ9Z58YM" & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1256
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 19526⤵
- Program crash
PID:1080
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014404001\8b78dfe8d1.exe"C:\Users\Admin\AppData\Local\Temp\1014404001\8b78dfe8d1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3656
-
-
C:\Users\Admin\AppData\Local\Temp\1014405001\ccedd9d82d.exe"C:\Users\Admin\AppData\Local\Temp\1014405001\ccedd9d82d.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:1100
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3992 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b3edda4-396c-4f21-81be-605f1a714f99} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" gpu8⤵PID:4736
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2488 -parentBuildID 20240401114208 -prefsHandle 2480 -prefMapHandle 2476 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c638bb-8ef0-446b-9492-8948119545cb} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" socket8⤵PID:4368
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3244 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55a98661-7d52-4076-a02b-8823ccb1df1d} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" tab8⤵PID:1912
-
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3736 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db207c1d-1a88-48f6-ba29-bc56431d3ed1} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" tab
PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4388 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4288 -prefMapHandle 4252 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1624238f-2989-4615-aaa5-29298aabdf1f} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" utility
- Checks processor information in registry
PID:6596

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5260 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9190f51-0804-42e4-bd06-8878ab918ff6} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" tab
PID:1552

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8be4bcf1-03e7-4c04-89f3-d39b0aa351dd} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" tab
PID:4016

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32fdaf6a-78bf-4a2c-aa05-3c3b9d2f2851} 3992 "\\.\pipe\gecko-crash-server-pipe.3992" tab
PID:2556

C:\Users\Admin\AppData\Local\Temp\1014406001\261b746318.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1014406001\261b746318.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Users\Admin\AppData\Local\Temp\1014407001\311b4ffa60.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1014407001\311b4ffa60.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2D8956.exe (tree depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2D8956.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3p73w.exe (tree depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3p73w.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3544

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4684 -ip 4684
PID:1040

C:\Windows\SysWOW64\WerFault.exe (tree depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4844 -ip 4844
PID:5804

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5160

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1964
Network
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads