Analysis
- max time kernel: 299s
- max time network: 303s
- platform: windows10-1703_x64
- resource: win10-20240404-fr
- resource tags: arch:x64, arch:x86, image:win10-20240404-fr, locale:fr-fr, os:windows10-1703-x64, system:windows
- submitted: 20-04-2024 17:21
General
- Target: Auora.exe
- Size: 231KB
- MD5: a96e98be73b7840e10e039d7b3b2a72a
- SHA1: bde4c46b9a32ba14aafe652ebe14cb03ba2692a8
- SHA256: 886a78f6d4a3bb1667c7d8ba553487a9d42fc38188253d3604cfe5c0743b636b
- SHA512: c4855010f4b9bf3c0d3f2b78447380d0f85ed440355ed0ed39f10727b44d555f1a7b9ae3a6d241f313d85fa8f052692c20149ecb5b4f6b841291a3f12651ced7
- SSDEEP: 6144:xloZM+rIkd8g+EtXHkv/iD4yr5ClW8e1mzi:DoZtL+EP8VCv
Malware Config
Signatures
Detect Umbral payload 1 IoCs
resource | yara_rule
behavioral1/memory/3808-0-0x0000022B5F560000-0x0000022B5F5A0000-memory.dmp | family_umbral
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\INF\netrasa.PNF | svchost.exe
File created | C:\Windows\INF\netsstpa.PNF | svchost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: LoadsDriver 6 IoCs
pid | Process
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
612 | Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3808 | Auora.exe
Token: SeIncreaseQuotaPrivilege | 916 | wmic.exe
Token: SeSecurityPrivilege | 916 | wmic.exe
Token: SeTakeOwnershipPrivilege | 916 | wmic.exe
Token: SeLoadDriverPrivilege | 916 | wmic.exe
Token: SeSystemProfilePrivilege | 916 | wmic.exe
Token: SeSystemtimePrivilege | 916 | wmic.exe
Token: SeProfSingleProcessPrivilege | 916 | wmic.exe
Token: SeIncBasePriorityPrivilege | 916 | wmic.exe
Token: SeCreatePagefilePrivilege | 916 | wmic.exe
Token: SeBackupPrivilege | 916 | wmic.exe
Token: SeRestorePrivilege | 916 | wmic.exe
Token: SeShutdownPrivilege | 916 | wmic.exe
Token: SeDebugPrivilege | 916 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 916 | wmic.exe
Token: SeRemoteShutdownPrivilege | 916 | wmic.exe
Token: SeUndockPrivilege | 916 | wmic.exe
Token: SeManageVolumePrivilege | 916 | wmic.exe
Token: 33 | 916 | wmic.exe
Token: 34 | 916 | wmic.exe
Token: 35 | 916 | wmic.exe
Token: 36 | 916 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 916 | wmic.exe
Token: SeSecurityPrivilege | 916 | wmic.exe
Token: SeTakeOwnershipPrivilege | 916 | wmic.exe
Token: SeLoadDriverPrivilege | 916 | wmic.exe
Token: SeSystemProfilePrivilege | 916 | wmic.exe
Token: SeSystemtimePrivilege | 916 | wmic.exe
Token: SeProfSingleProcessPrivilege | 916 | wmic.exe
Token: SeIncBasePriorityPrivilege | 916 | wmic.exe
Token: SeCreatePagefilePrivilege | 916 | wmic.exe
Token: SeBackupPrivilege | 916 | wmic.exe
Token: SeRestorePrivilege | 916 | wmic.exe
Token: SeShutdownPrivilege | 916 | wmic.exe
Token: SeDebugPrivilege | 916 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 916 | wmic.exe
Token: SeRemoteShutdownPrivilege | 916 | wmic.exe
Token: SeUndockPrivilege | 916 | wmic.exe
Token: SeManageVolumePrivilege | 916 | wmic.exe
Token: 33 | 916 | wmic.exe
Token: 34 | 916 | wmic.exe
Token: 35 | 916 | wmic.exe
Token: 36 | 916 | wmic.exe
Token: SeDebugPrivilege | 3924 | firefox.exe
Token: SeDebugPrivilege | 3924 | firefox.exe
Token: SeShutdownPrivilege | 4348 | svchost.exe
Token: SeCreatePagefilePrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeLoadDriverPrivilege | 4348 | svchost.exe
Token: SeDebugPrivilege | 4064 | firefox.exe
Suspicious use of FindShellTrayWindow 13 IoCs
pid | Process
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
4064 | firefox.exe
4064 | firefox.exe
4064 | firefox.exe
4064 | firefox.exe
4064 | firefox.exe
Suspicious use of SendNotifyMessage 11 IoCs
pid | Process
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
3924 | firefox.exe
4064 | firefox.exe
4064 | firefox.exe
4064 | firefox.exe
4064 | firefox.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3924 | firefox.exe
4064 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3808 wrote to memory of 916 | 3808 | Auora.exe | 73
PID 3808 wrote to memory of 916 | 3808 | Auora.exe | 73
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 484 wrote to memory of 3924 | 484 | firefox.exe | 78
PID 3924 wrote to memory of 4580 | 3924 | firefox.exe | 79
PID 3924 wrote to memory of 4580 | 3924 | firefox.exe | 79
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 3344 | 3924 | firefox.exe | 80
PID 3924 wrote to memory of 4332 | 3924 | firefox.exe | 81
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Auora.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Auora.exe"
  PID: 3808
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID: 916
    Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 484
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 3924
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.0.1798644776\425096444" -parentBuildID 20221007134813 -prefsHandle 1724 -prefMapHandle 1712 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec127454-1608-48be-9e3d-29424bb8f45a} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 1668 18eb7c09058 gpu
      PID: 4580
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.1.1014102146\868706895" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f7c1594-da07-44f2-81ec-1302a268a59a} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 2152 18eb66fbc58 socket
      PID: 3344
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.2.210349594\895147626" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2856 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1a568c7-0a06-425d-a8f6-01d6f77676f0} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 2872 18ebaa9c958 tab
      PID: 4332
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.3.1735592390\1469672163" -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3392 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cbfc21d-ba12-46bd-bc94-8d7c3b1520e5} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 3448 18ebaf11558 tab
      PID: 4324
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.4.673595299\160569524" -childID 3 -isForBrowser -prefsHandle 4112 -prefMapHandle 4108 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c537f83-671f-48f8-83df-0e5abb5083e0} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 4120 18ebbcbac58 tab
      PID: 324
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.5.1103788450\940194433" -childID 4 -isForBrowser -prefsHandle 4764 -prefMapHandle 4812 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8edf7532-fe18-4578-ade3-ec83fef31db3} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 4912 18ebbcb9758 tab
      PID: 4904
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.6.1922801099\2058043009" -childID 5 -isForBrowser -prefsHandle 4916 -prefMapHandle 4904 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7e76ff0-962a-4c23-a5f1-c73eb1ff657c} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 4936 18ebcdce158 tab
      PID: 4488
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3924.7.1261513494\2028359530" -childID 6 -isForBrowser -prefsHandle 5048 -prefMapHandle 4936 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c3f49ef-8394-4ec3-aa0d-b6c614e02769} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" 5156 18ebcdcf358 tab
      PID: 3928
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4612
- C:\Windows\System32\SystemSettingsBroker.exe
  Command line: C:\Windows\System32\SystemSettingsBroker.exe -Embedding
  PID: 3944
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
  PID: 1104
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservice -s SstpSvc
  PID: 3796
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  PID: 3876
  Signatures: Checks SCSI registry key(s); Modifies data under HKEY_USERS
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  PID: 4348
  Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s RasMan
  PID: 4564
- C:\Windows\system32\SystemSettingsAdminFlows.exe
  Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller
  PID: 4548
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 2264
  Child processes:
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4064
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
    Child processes:
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.0.867712453\1317427077" -parentBuildID 20221007134813 -prefsHandle 1588 -prefMapHandle 1580 -prefsLen 21012 -prefMapSize 233527 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b579143-6529-4f05-b15a-f36d07c4e66b} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 1684 24123cfb058 gpu
      PID: 4732
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.1.2147144493\19589516" -parentBuildID 20221007134813 -prefsHandle 1992 -prefMapHandle 1980 -prefsLen 21057 -prefMapSize 233527 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {580196aa-bf81-49f5-a24d-ac880d66bf97} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 2004 24118cd8b58 socket
      PID: 2928
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.2.1953592117\554721822" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 21518 -prefMapSize 233527 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb73c2e0-698c-44c1-b3a4-33ecb81d46b8} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 2636 241275d9b58 tab
      PID: 4892
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.3.1207865520\818033059" -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3560 -prefsLen 26696 -prefMapSize 233527 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {763ca03d-7dc0-491e-b8a0-576f35a2e267} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 3576 24118c62b58 tab
      PID: 4180
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.4.1837121076\1068093690" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3628 -prefsLen 26696 -prefMapSize 233527 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba2def09-b1bb-423c-9c1d-5bf272f11297} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 3768 241288e7358 tab
      PID: 4696
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.5.1939360807\501407754" -childID 4 -isForBrowser -prefsHandle 4908 -prefMapHandle 4912 -prefsLen 26755 -prefMapSize 233527 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45a3a77c-65a5-43ae-826c-29d6cfe8af34} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 4900 24128882158 tab
      PID: 4564
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.6.2034699872\1332338341" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26755 -prefMapSize 233527 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {858704b0-8af7-4a1c-8c86-643f76ee948a} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 5060 2412a214658 tab
      PID: 1576
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4064.7.66445876\1467843342" -childID 6 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26755 -prefMapSize 233527 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0f6e04d-e061-4305-8241-8dfaee375a96} 4064 "\\.\pipe\gecko-crash-server-pipe.4064" 5244 2412b11a258 tab
      PID: 992
Network
MITRE ATT&CK Enterprise v15
Downloads
Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
Filesize: 9KB
MD5: cc49af0a15d27289df30d55ee29171f2
SHA1: 139aee20a58450f87d1479b5f28ca704636c80a8
SHA256: 0796e7e60777fb1895b6a99f391264de43eee286db048abfaf72acbd7ab18b72
SHA512: 5bd135f22b6ec9c69f5444c09c130e45e1f6984d6d4814adf3b73dad7db68eb2468d22af31e0b185dce131a818805ee4569ce06f5ceb740442d5fbeafdeeb1e2

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize: 9KB
MD5: b4a02ae14fb4cb9391859c7c162f7282
SHA1: cd7e79e45a4d09903ad0a71575f94d2914de9acb
SHA256: 065dfb19e0f50d4937662e80dc2d3f05795c43f98941a61d9d5f3b9596590efe
SHA512: e1f0197d02e64019789ee61644a6ff0af7560d8efc902c11a94cfa9cae615ef1f88b83068dd218c72976999b0b81041ddaa85563043c32ecbbc6432642943e31

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize: 13KB
MD5: 91ed2424bf3311f9a6f8108d2d0ae15a
SHA1: f9e5dcdea8f44b866fc887b21c03a4de08075c9f
SHA256: 31ad3a2c2efb29b0e9a5c7175d00e364be73ede48737d983fe1f12e55c790bc6
SHA512: 5a715810751965f50c6367d40e56fadb77d8233d6f3267135f7b60aca4f83148615c9509919789015dfdc870b5ea802baa86399c6045d8f526321efdbecd56ba

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize: 13KB
MD5: 23f64ef91d9b1fb58c66f916567d2280
SHA1: 892cd513fd05b5e5db19ba6e77411c533cfc3539
SHA256: 42ed041497cbfb40f111e4366bbeafeb35e4d8efd93f202d2f1f596e9ce848c4
SHA512: f523f442c2b6206c5fbe8250d9e367ba5996807c8376f8898e56ea0016e2064df1c1d6fb23f1a5ff428ea09d38f5c357e1b79bb574064fc08282c477cf0ee999

Path: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\startupCache\urlCache.bin
Filesize: 2KB
MD5: 098f635d6d8d9b6eb167a2a3a832fc99
SHA1: 12163efae3f650ab3d75b70c98887b5118dfbf62
SHA256: b501582c8cb4a5f568df38be335c9b3d46f975562bd2785511861a2fd6445d48
SHA512: 5dbbc21a7a5f4fa14c67975e564dcfe19d5bad1475e0979a688576b8285ee2b7785747e7d19284bb33dae3ff1fe2fa46c71fba6bf0d4c66680f24aa0e89f98fc
Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\SiteSecurityServiceState.txt
Filesize: 324B
MD5: d1dff950ac503480f840cfb34a20d3f4
SHA1: f8e5e02270d2f90360212c3f93dd4184e6bbcf6d
SHA256: e30cfdcf43e5604e9d286455b37d43b11b366a44335205004f9ee24447b69c1b
SHA512: 8558be9b993b406cd0be21563c0ca883fcb17b266fb124af379fa41cadae554d1c14f9c65f7ca00af33704899e63ae4fcde1b3301a3aab220ac2204522e865a9

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\crashes\store.json.mozlz4
Filesize: 66B
MD5: a6338865eb252d0ef8fcf11fa9af3f0d
SHA1: cecdd4c4dcae10c2ffc8eb938121b6231de48cd3
SHA256: 078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965
SHA512: d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize: 11KB
MD5: 717b66f5d5b462247f84727595cc9244
SHA1: ae9697982e5c91896668212a8b0354928b1c2d94
SHA256: 628a7aced00e901e25ca18fcdf5ebcf2c3fc972500d814266f289b90c104968a
SHA512: c31e1c3f3774f461844727463dd52651725fc26f14c1e7f021d21b0b27ad41c5d53aa28297565d97f237b60c73e0219a0c3b8b8c95a795b58c13f02addb243f5

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 3e04fb267b019c206673b04d8d94703e
SHA1: bdd57c6e8bf46f523dc3d6f1e2f8a663260a0d3c
SHA256: 39b11e47723fc003ff45e7f3e9ae9f8e89305698dfa324bcbfc940363997df83
SHA512: a96351f200568d4d496149191d73d9edbe20920c1772d4b5588e83f1b8c0bf4e897a3c393dde4b9368c07b2e27fc40b721050605a4fbd632ef5e1e958eb2ce01
Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\12e19e4d-bc40-459f-85c4-8d8760711a0e
Filesize: 657B
MD5: 31ff8cecabe2de130ee6612ca51ddda0
SHA1: 97f7addca873201f8f3cad3f7f56e4a1bd491414
SHA256: f7bf7b8763257caadbac2700a82df3133f7f9d9286043c6d4381471ef8143256
SHA512: b87d65d0d83e3199e272226f112a8f18ce82c63f49a9c2f2d5fe83d4d45a85105922f86b823e65887ecabe9e53ac8f47107be336d8df49a06001e9851d21a3ca

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\31f7e5f6-51d9-4b26-907a-d2785fe1158e
Filesize: 10KB
MD5: 108ff5a86ab4239eb00aef97d5e77868
SHA1: f370d6f0ca1d48a2bfa418486e2db12c93caf7cb
SHA256: 129cf83b1f387f5d30274237efce9da4df21b6834a8805c1955824259530a3ee
SHA512: 716e3a38d9fe7a34d6cc617b6d4a80266cfa0463f548ac5415a80c11312ecffe866010c4b88da96fd828a28a51ce5afac8d2e4078312953ed76af6c5165e1b86

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\dcb049f1-d868-4850-8bba-56311f217020
Filesize: 746B
MD5: 6d5eb88e48dc9f9333bee3a0e6041762
SHA1: 846c844d7a47a45f73e3f12a11ab8c7f66d127bd
SHA256: 2ece9dd11f3e5149ce951a57f8a56e99e9969755a4ad1b0915a3e8d4fd631861
SHA512: 016b9c3d7ef879705431e72bc9fbbcc1ed59baabd72d905b144a14c8603f437d2bee64cc34d38d90e7030b77235a5bbbbbd801368138f841c91e7bf05067083a
Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
Filesize: 7KB
MD5: 050311136f74f3b48fcc43728f07a579
SHA1: 3be400b18c1156d21f9650af6c7eee6a34836583
SHA256: 8891c3d1fb23851d2f4c17d9a496061b9488f2aedfcbba8fa2f9a2f9bf58b03e
SHA512: 09d5601d60c60316b416af611b4ec29d85a2c44dc8ac2d49c903d17d80aadafc9182235f970153b0f0fed7ae6e56fa2792f2d1bedc80dd48817e0b39160d395e

Filesize: 6KB
MD5: 7f0598dc2005b79ca91db3696fbc692c
SHA1: 7ce3536db341a42fb969e49b948f78e813ee2ade
SHA256: 4cb7f84e645d2e3b6b024eec6ddef2df8c8f158cbf2768e3cdeae51356978cf8
SHA512: b422a73952451423e8251bf3fcef49708fa4b0f03832573258681a4037e0091c1f0078a8bdd43d5a13d7551519b632db4b7e16db8f821622646595747ba2a1f3

Filesize: 6KB
MD5: 448bc176e58cc44df7860fe9a69ced17
SHA1: 8c7c9c9b9722a3c84963532ec7e5b0f3b9bd6542
SHA256: 7d026459b6c82ad2a73491076869d65e5fa507994642a74bbb46fb65e8d541ec
SHA512: 2d565235a4cf626e3dc9d6dcfea8da1c03d4d9dac3c0f35282b1a3f1a1bf5e708326c2d80a5730238d6369a696f040484d3a89f0e9c6dfab0c9eb3d2d1539de2

Filesize: 6KB
MD5: f538d528cd927b7f0b43c263c32f9096
SHA1: 76a28d4b2c26a152618ef69d905092bdd2ad21af
SHA256: efd61cfb55c9f48e7ba1790decf38270dcd1ee95bdb8e28ccf532b14e1815afc
SHA512: ac8373e83364398390222c888a775d4b2c5ba3e1e306f9260a30e6f63e682bbac7b708e0bf2af3537e9944a9a41924451bb84a8115034f765387e11720c7e367

Filesize: 6KB
MD5: fff8d9d924f3385a3e31e371c4e095c6
SHA1: 4c98dd32813532f344d7d233e1cdb73e97440fe4
SHA256: a993331d2d24528283ea459008ab4846c7367e6ddd20a933914ebafbd67ffa33
SHA512: e52a3f4f06ecdf7451a9b0139f24df19320b9b14cb71ef9e17b3b662f1b9d55c9730024693ea2510e12c99b3587af34078a08e13bde57cf92adec795005f2436

Filesize: 6KB
MD5: b8bcc55ecaca73b30e4ee7537b666902
SHA1: 3ee1809966d2df4281e669f9372ea541ffff94c0
SHA256: 723452b67341fd777b744e7be7d75e199983b857bd5f3d84c576ff08bb269292
SHA512: d2b6fa8f0b0294da65f57d5d5311d22add7bf92afa2baddea85f6d953c0cd2f28f6ba6f38022fca5e8fc0fcbf9607fa4bac4ad3fc17247f5f12e8230d4de77b8

Filesize: 6KB
MD5: ec9952a457679feb9a197d9ec9a95324
SHA1: 1a92df52a2ce0dfc55854f238d3ac30268cdec0b
SHA256: 5aa21e7fd476c1c3eb57921693ec5eedcd5327cd7c6cc781bc84707eb585343f
SHA512: 0c03bb7579d80cda3b914c216d790885f4ec801228395c4151918bdb2f2a39f12102e9a9a5d996ee35b347b3923bd46ef5fbcfaff361eca1aa90e4284984b31d

Filesize: 6KB
MD5: cb9f27ccdb52bcb56f37fbb9c5adae07
SHA1: 9f623f7597752566ffdc9ec9ffb0b60c58a2aa97
SHA256: b360ad8691b3fa6ab7ce014042dfdfb92e3011674c69d7517935d54db63a5bc9
SHA512: d2e8136a156dea6a87b86e90c4a5038631892eba9b3a4cd0ee5ffd3cb78609fd464ca110f16c88959867d16d7dde6989756c971aca52f002818470cfb4669ee2

Filesize: 64KB
MD5: 49397db0486dc59d607907a086f40c9b
SHA1: 08742ce9db9569062def08e99eea8470702feb7d
SHA256: 890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4
SHA512: fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53
Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json
Filesize: 288B
MD5: 948a7403e323297c6bb8a5c791b42866
SHA1: 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512: 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json.tmp
Filesize: 53B
MD5: ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1: b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256: 792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512: 076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json.tmp
Filesize: 90B
MD5: c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1: 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256: 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512: 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: b316370802fa0209aac6f72367ba7f70
SHA1: e15d57817d2daaa5e32d29ca5642491f13331f0d
SHA256: c28351736006ac302ceabdda94f5a9eb40bff7752caa2d691b33a3a51d71fed2
SHA512: fdb26c80357a67aa01828cd1c3fb18d543577b4b99a2ebf4c26c1559e7f8bcbeabcd62eae1beb2744e84a2c988c387868b03a406fc42e25e0230edbf6b5b415c

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: cff097ba29c62a031f289799f93db517
SHA1: 5d21fd9c751bdb659774c370491bac1341d45692
SHA256: d5fd8d3a265b98169aedf8a486f2c156883349678c8da0808653fe01c3020de7
SHA512: 0917abde9bad0ed5579babaa52682839968b2b1d776662bb505e57932ba8c3e363f6133597c294560913d88b0fd90735186cf1be88e93cf4375fed614c9adede

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
Filesize: 892B
MD5: 6c565ec596f92de75df3f7ceecc121d0
SHA1: 27736b2f19500813dc5470839fd8d4e688fbe08e
SHA256: 6431e7aea9fd5399b4df0791ae13a2b221c6d4be2070240120ba259d127102d0
SHA512: daeb62c5c7458ab794a809606ed62fc9401f09e9d905017f94ef63ea9d82583a20b513860dca7ab976a78754a037a9efb6fc730986c3af13f4fd4c0af3ec17a2
Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize: 48KB
MD5: a1b018b995a794a2ff173bce8f66a01c
SHA1: f40b62b1547cc2c098d6d81b808dab5c55e81c51
SHA256: 24e057dba85d77f5cad4c95091a9e675e85703460678a0daeed97c205aea2d35
SHA512: d85732c19718b59986e3417a174bb86f94f640ed3e3c23940e2d29482c1a2c970d59354fb8372ea94fb938767c1ad00836ae0a143ff16230c813dc184c88d3b7

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 184KB
MD5: f5e3b1c35b1609da6de4ef2655e53a5c
SHA1: b448f910edf75883b0a0cd91c97de2fc85275f49
SHA256: 3a98227effb3b87b626aac5fd26231872fdbcc3536058698a3755e9ae7a2ece1
SHA512: 99251865f1d6dfbd186a06f7f3567557535fee14d3cd141d12f579f88f59f256113c51e864694671309d7a932a96727fcf509e6e773fe03ae36883285be1b3c9

Path: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 7.7MB
MD5: d118efb8b0504ee97842add97e665a82
SHA1: 1f69c7f866472b958e4a82a911004af1e47ce31a
SHA256: 9786e76e4aec34388f4ecadf560e5711b1af054c291c961da51d2f979acd9ce7
SHA512: e9a9094671eae15dd4f86c9a98a960b9ade4936ae09eee0c5fbc15c7b5a8c0e685e11cb528150045aff748cad6dea115524612482274e7e17f687895467d63a4

Filesize: 217B
MD5: 58e240288763218d12bf235d34e5aee2
SHA1: 89135494b57f590011c09668dec3b90d2c5ee9ae
SHA256: 615f80e71dfde24711e7fefc1b7959f7592c5e5cf9ad0f3aecb4235b93187176
SHA512: caed2638902987aead199e73cffb90881bf245bbb616cb38c46b281d4aaaa54dc20a54e9bfe17a8d6e68847394c113fb7606e94b64f44ab0b52bf7846f26e936

Filesize: 22KB
MD5: 80648b43d233468718d717d10187b68d
SHA1: a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA256: 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512: eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Filesize: 6KB
MD5: 01e21456e8000bab92907eec3b3aeea9
SHA1: 39b34fe438352f7b095e24c89968fca48b8ce11c
SHA256: 35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA512: 9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec