Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 258s
max time network: 263s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24/06/2024, 11:03
Tasks (task: sample [resource])
static1 (Static task)
behavioral1: Stremio+4.4.168.exe [win11-20240419-en]
behavioral2: QtQuick/Controls.2/Fusion/qtquickcontrols2fusionstyleplugin.dll [win11-20240508-en]
behavioral3: QtQuick/Controls.2/Imagine/qtquickcontrols2imaginestyleplugin.dll [win11-20240611-en]
behavioral4: QtQuick/Controls.2/qtquickcontrols2plugin.dll [win11-20240611-en]
behavioral5: QtQuick/Controls/Calendar.js [win11-20240611-en]
behavioral6: QtQuick/Controls/ComboBox.js [win11-20240508-en]
behavioral7: QtQuick/Controls/Menu.js [win11-20240508-en]
behavioral8: QtQuick/Controls/MenuBar.js [win11-20240419-en]
behavioral9: QtQuick/Controls/Private/BasicTableView.js [win11-20240508-en]
behavioral10: QtQuick/Controls/Private/CalendarHeaderModel.js [win11-20240508-en]
behavioral11: QtQuick/Controls/Private/CalendarUtils.js [win11-20240508-en]
behavioral12: QtQuick/Controls/Private/ColumnMenuContent.js [win11-20240611-en]
behavioral13: QtQuick/Controls/Private/ContentItem.js [win11-20240611-en]
behavioral14: QtQuick/Controls/Private/EditMenu.vbs [win11-20240508-en]
behavioral15: QtQuick/Controls/Private/EditMenu_base.vbs [win11-20240611-en]
behavioral16: QtQuick/Controls/Private/FastGlow.js [win11-20240419-en]
behavioral17: QtQuick/Controls/Private/MenuContentItem.js [win11-20240611-en]
behavioral18: QtQuick/Controls/Private/ModalPopupBehavior.js [win11-20240611-en]
behavioral19: QtQuick/Controls/Private/ScrollBar.js [win11-20240508-en]
behavioral20: QtQuick/Controls/Private/TabBar.js [win11-20240508-en]
behavioral21: QtQuick/Controls/Private/TableViewSelection.js [win11-20240508-en]
behavioral22: QtQuick/Controls/Private/TextHandle.js [win11-20240611-en]
behavioral23: QtQuick/Controls/Private/TextInputWithHandles.js [win11-20240508-en]
behavioral24: QtQuick/Controls/Private/TreeViewItemDelegateLoader.js [win11-20240611-en]
behavioral25: QtQuick/Controls/ScrollView.qmlc [win11-20240611-en]
behavioral26: QtQuick/Controls/SpinBox.qml [win11-20240508-en]
behavioral27: QtQuick/Controls/StackView.qmlc [win11-20240611-en]
behavioral28: QtQuick/Controls/StackViewTransition.qml [win11-20240419-en]
behavioral29: QtQuick/Controls/Styles/Base/ApplicationWindowStyle.qml [win11-20240508-en]
behavioral30: QtQuick/Controls/Styles/Base/BusyIndicatorStyle.qml [win11-20240508-en]
behavioral31: QtQuick/Controls/Styles/Base/CircularButtonStyle.js [win11-20240508-en]
behavioral32: QtQuick/Controls/Styles/Base/CircularGaugeStyle.js [win11-20240611-en]
Errors
General
Target: Stremio+4.4.168.exe
Size: 112.9MB
MD5: 763b10b7a9293ccc9307b650a01db702
SHA1: b033764307a4df6cc81c654467630f2df67297ef
SHA256: 44ecc6a7624b2fdf03cb9b419f111892515fb036fe23f88e51456dce69066046
SHA512: f6f8d0a78cfaa2c440567fc0e636ab6129c495991f679c93ae0b7e211d9e290e7d4628891fef35f0383662bc2237e21410dd849f1d6074a8994dfd8deeee5e0c
SSDEEP: 3145728:XddpqKUfzM8/I/6Uj2jDxXz8sGd1TiDlSugSbc+cYOsNCO1JTN:tdoK18wiucDZxG7TOlS/SI+JNCO19N
Malware Config
Signatures
Executes dropped EXE 24 IoCs
pid   Process
1224  stremio.exe
4528  stremio-runtime.exe
4264  QtWebEngineProcess.exe
1152  QtWebEngineProcess.exe
4516  ffprobe.exe
2284  stremio-runtime.exe
3376  ffprobe.exe
4948  stremio-runtime.exe
4596  ffprobe.exe
3180  stremio-runtime.exe
3044  ffprobe.exe
3452  stremio-runtime.exe
2772  ffprobe.exe
4136  stremio-runtime.exe
1392  ffprobe.exe
3616  stremio-runtime.exe
2488  ffprobe.exe
5032  stremio-runtime.exe
4824  ffprobe.exe
2672  stremio-runtime.exe
4292  ffprobe.exe
5368  stremio-runtime.exe
5452  ffprobe.exe
4320  stremio-runtime.exe

Loads dropped DLL 64 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory 4 IoCs
description                   ioc                                              Process
File opened for modification  C:\Windows\Panther\UnattendGC\setupact.log       UserOOBEBroker.exe
File opened for modification  C:\Windows\Panther\UnattendGC\setuperr.log       UserOOBEBroker.exe
File opened for modification  C:\Windows\Panther\UnattendGC\diagerr.xml        UserOOBEBroker.exe
File opened for modification  C:\Windows\Panther\UnattendGC\diagwrn.xml        UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 10 IoCs
pid   pid_target  Process       procid_target
3256  4528        WerFault.exe  100
2860  2284        WerFault.exe  109
3496  4948        WerFault.exe  114
1888  3180        WerFault.exe  119
2816  3452        WerFault.exe  124
1920  4136        WerFault.exe  134
4968  3616        WerFault.exe  139
1364  5032        WerFault.exe  144
2132  2672        WerFault.exe  151
5564  5368        WerFault.exe  166

Checks processor information in registry 2 TTPs 30 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 6 IoCs
description        ioc                                                         Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     POWERPNT.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     POWERPNT.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              POWERPNT.EXE

Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe

Modifies registry class 25 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\"" | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\ = "URL:Stremio Protocol" | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\"" | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\URL Protocol | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1" | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\open | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\DefaultIcon | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\open | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1" | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\ = "open" | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\open\command | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\open\command | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\ = "URL:BitTorrent magnet" | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\URL Protocol | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\DefaultIcon | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio | Stremio+4.4.168.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\ = "open" | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet | Stremio+4.4.168.exe
Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs
pid   Process
3564  POWERPNT.EXE
1868  POWERPNT.EXE
1224  stremio.exe
5736  vlc.exe
3924  vlc.exe
6000  vlc.exe
5416  vlc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
1472  Stremio+4.4.168.exe
1472  Stremio+4.4.168.exe
1472  Stremio+4.4.168.exe
1472  Stremio+4.4.168.exe
4264  QtWebEngineProcess.exe
1152  QtWebEngineProcess.exe
1152  QtWebEngineProcess.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs
pid   Process
1224  stremio.exe
2860  OpenWith.exe
2376  OpenWith.exe
5600  OpenWith.exe
5736  vlc.exe
3924  vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
description               pid   Process
Token: SeTcbPrivilege     3484  svchost.exe
Token: SeRestorePrivilege 3484  svchost.exe
Token: SeDebugPrivilege   4676  firefox.exe
Token: SeDebugPrivilege   4676  firefox.exe
Token: SeDebugPrivilege   6012  firefox.exe
Token: SeDebugPrivilege   6012  firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by parent/child depth; the page ends inside the last entry)

Stremio+4.4.168.exe (PID 1472)
  path: C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.168.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.168.exe"
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  stremio.exe (PID 1224)
    path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe
    cmdline: "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe"
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    stremio-runtime.exe (PID 4528)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
      cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      ffprobe.exe (PID 4516)
        path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
        cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
        - Executes dropped EXE

      WerFault.exe (PID 3256)
        path: C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1192
        - Program crash

    QtWebEngineProcess.exe (PID 4264)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
      cmdline: "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=renderer --autoplay-policy=no-user-gesture-required --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=2 --mojo-platform-channel-handle=3056 /prefetch:1
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    QtWebEngineProcess.exe (PID 1152)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
      cmdline: "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --application-name=Stremio --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=3212 /prefetch:8
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    stremio-runtime.exe (PID 2284)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
      cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      ffprobe.exe (PID 3376)
        path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
        cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
        - Executes dropped EXE

      WerFault.exe (PID 2860)
        path: C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1108
        - Program crash

    stremio-runtime.exe (PID 4948)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
      cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      ffprobe.exe (PID 4596)
        path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
        cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
        - Executes dropped EXE

      WerFault.exe (PID 3496)
        path: C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1180
        - Program crash

    stremio-runtime.exe (PID 3180)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
      cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
      - Executes dropped EXE

      ffprobe.exe (PID 3044)
        path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
        cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
        - Executes dropped EXE

      WerFault.exe (PID 1888)
        path: C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1124
        - Program crash

    stremio-runtime.exe (PID 3452)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
      cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
      - Executes dropped EXE

      ffprobe.exe (PID 2772)
        path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
        cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
        - Executes dropped EXE

      WerFault.exe (PID 2816)
        path: C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1116
        - Program crash

    stremio-runtime.exe (PID 4136)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
      cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
      - Executes dropped EXE

      ffprobe.exe (PID 1392)
        path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
        cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
        - Executes dropped EXE

      WerFault.exe (PID 1920)
        path: C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1108
        - Program crash

    stremio-runtime.exe (PID 3616)
      path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
      cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
      - Executes dropped EXE

      ffprobe.exe
        path: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
        cmdline: C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
- Executes dropped EXE
PID:2488
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 11164⤵
- Program crash
PID:4968
-
-
-
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exeC:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js3⤵
- Executes dropped EXE
PID:5032 -
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exeC:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv4⤵
- Executes dropped EXE
PID:4824
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 11164⤵
- Program crash
PID:1364
-
-
-
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exeC:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js3⤵
- Executes dropped EXE
PID:2672 -
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exeC:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv4⤵
- Executes dropped EXE
PID:4292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 11164⤵
- Program crash
PID:2132
-
-
-
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exeC:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js3⤵
- Executes dropped EXE
PID:5368 -
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exeC:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv4⤵
- Executes dropped EXE
PID:5452
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 11244⤵
- Program crash
PID:5564
-
-
-
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exeC:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js3⤵
- Executes dropped EXE
PID:4320
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:244
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:1996
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:1876
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:2948
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\WaitRead.pptx" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3564
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\WaitRead.pptx" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4528 -ip 45281⤵PID:3632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2284 -ip 22841⤵PID:4772
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4948 -ip 49481⤵PID:4536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3180 -ip 31801⤵PID:2892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3452 -ip 34521⤵PID:4988
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484 -
C:\Windows\system32\dashost.exedashost.exe {6f946054-18b5-4fcb-b82aae9505a9d268}2⤵PID:3000
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4136 -ip 41361⤵PID:2080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3616 -ip 36161⤵PID:4764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5032 -ip 50321⤵PID:1888
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2376 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\ExportHide.png"2⤵PID:3864
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\ExportHide.png3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4676 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7c76d5-8a3d-4b37-aafe-afd4cb910ace} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" gpu4⤵PID:3936
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 26379 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83c83011-c6ab-4ad6-a290-81caf03c7105} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" socket4⤵
- Checks processor information in registry
PID:540
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3040 -prefsLen 26520 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9728694d-bcbe-4a26-9023-509421eb12a5} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab4⤵PID:880
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3472 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3656 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44e0ccb9-a9c8-4df7-bbef-6df08da2e4c4} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab4⤵PID:3512
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4436 -prefMapHandle 4432 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {582ab3bd-319f-4ca6-918c-d2b6cbe5ca73} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" utility4⤵
- Checks processor information in registry
PID:5724
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e2bc5e0-bb43-485c-8bcd-e6cbcef7e802} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab4⤵PID:6072
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d698b17f-d4e1-43ca-84a1-31790930dd10} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab4⤵PID:6084
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5f9828-4f37-428d-b81b-08d80f90668d} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab4⤵PID:6096
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2672 -ip 26721⤵PID:1536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5368 -ip 53681⤵PID:5532
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5600 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\SetSearch.png"2⤵PID:5844
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\SetSearch.png3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6012 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3094919c-1ea1-4850-a79b-229d5f1b6bca} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" gpu4⤵PID:5992
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 26379 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca480436-180d-4d85-922f-58a53ad6a049} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" socket4⤵
- Checks processor information in registry
PID:5652
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 2976 -prefsLen 26520 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de2e9886-5fcf-487b-bddf-942743d49495} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab4⤵PID:2008
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3620 -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb5798e-bb4c-4bb3-bbe5-5e7cddce1031} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab4⤵PID:3424
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4588 -prefMapHandle 4564 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b18c103b-c604-4066-9904-5eeb0fbf3964} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" utility4⤵
- Checks processor information in registry
PID:5544
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4560 -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 5180 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f98eb86-75d6-4ad8-b144-d4dc44cfd9c5} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab4⤵PID:1168
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d72c9e0-4a44-40da-95d7-216892c717cf} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab4⤵PID:5232
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63b044fc-7497-4093-8239-2736cc17dabe} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab4⤵PID:1392
-
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CloseUnlock.au"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5736
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RequestWait.wvx"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:3924
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"1⤵PID:4384
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"1⤵PID:5784
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6000
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5416
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39de055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
PID:3616
Network
MITRE ATT&CK Enterprise v15
Downloads