Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28-06-2024 00:40
Static task: static1
General
Target: ModStickInjectorV1.exe
Size: 748KB
MD5: 457143901d9ca2f0bc836c1dd1faefe3
SHA1: 11e554dcfca0dd51c5bfe92d35b9c13b21b81691
SHA256: cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
SHA512: 0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0
SSDEEP: 12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT
Malware Config

Extracted: xworm
    head-experimental.gl.at.ply.gg:46178
    best-bird.gl.at.ply.gg:27196
    super-nearest.gl.at.ply.gg:17835
    wiz.bounceme.net:6000
    install_file: USB.exe

Extracted: quasar
    3.1.5
    Slave
    stop-largely.gl.at.ply.gg:27116
    $Sxr-kl1r656AGsPQksTmi8
    encryption_key: ql4fQ8TV9ZFP9vRX2myA
    install_name: $sxr~Client.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: $77STARTUP~MSF
    subdirectory: $sxr~SubDir

Extracted: asyncrat
    Default
    finally-grande.gl.at.ply.gg:25844
    delay: 1
    install: false
    install_folder: %AppData%
Signatures

Detect Xworm Payload (7 IoCs)
Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Part1.exe | family_xworm
    behavioral1/memory/5088-10-0x0000000000020000-0x0000000000038000-memory.dmp | family_xworm
    C:\Users\Admin\AppData\Local\Temp\Part 1.exe | family_xworm
    behavioral1/memory/2588-27-0x00000000002A0000-0x00000000002B8000-memory.dmp | family_xworm
    C:\Users\Admin\AppData\Local\Temp\Part 4.exe | family_xworm
    behavioral1/memory/212-44-0x0000000000CC0000-0x0000000000CDA000-memory.dmp | family_xworm
    behavioral1/memory/2588-320-0x000000001BD90000-0x000000001BD9E000-memory.dmp | family_xworm
Quasar payload (2 IoCs)
Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Part 2.exe | family_quasar
    behavioral1/memory/1892-45-0x00000000002D0000-0x000000000033C000-memory.dmp | family_quasar
Async RAT payload (1 IoCs)
Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Part 3.exe | family_asyncrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
    pid | process
    3556 | powershell.exe
    1612 | powershell.exe
    3836 | powershell.exe
    2808 | powershell.exe
    216 | powershell.exe
    764 | powershell.exe
Executes dropped EXE (7 IoCs)
Processes:
    pid | process
    5088 | Part1.exe
    768 | Part2.exe
    2588 | Part 1.exe
    1892 | Part 2.exe
    648 | Part 3.exe
    212 | Part 4.exe
    864 | Windows PowerShell.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
    description | ioc | process
    File opened (read-only) | \??\B: | unregmp2.exe
    File opened (read-only) | \??\E: | unregmp2.exe
    File opened (read-only) | \??\L: | unregmp2.exe
    File opened (read-only) | \??\P: | unregmp2.exe
    File opened (read-only) | \??\V: | unregmp2.exe
    File opened (read-only) | \??\W: | unregmp2.exe
    File opened (read-only) | \??\J: | unregmp2.exe
    File opened (read-only) | \??\M: | unregmp2.exe
    File opened (read-only) | \??\Q: | unregmp2.exe
    File opened (read-only) | \??\S: | unregmp2.exe
    File opened (read-only) | \??\Y: | unregmp2.exe
    File opened (read-only) | \??\A: | unregmp2.exe
    File opened (read-only) | \??\I: | unregmp2.exe
    File opened (read-only) | \??\K: | unregmp2.exe
    File opened (read-only) | \??\N: | unregmp2.exe
    File opened (read-only) | \??\O: | unregmp2.exe
    File opened (read-only) | \??\T: | unregmp2.exe
    File opened (read-only) | \??\Z: | unregmp2.exe
    File opened (read-only) | \??\G: | unregmp2.exe
    File opened (read-only) | \??\H: | unregmp2.exe
    File opened (read-only) | \??\R: | unregmp2.exe
    File opened (read-only) | \??\U: | unregmp2.exe
    File opened (read-only) | \??\X: | unregmp2.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
    flow | ioc
    3 | ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Modifies registry class (1 IoCs)
Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | firefox.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
    pid | process
    864 | Windows PowerShell.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
Processes:
    pid | process
    5088 | Part1.exe
    212 | Part 4.exe
    2588 | Part 1.exe
    1892 | Part 2.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
    description | pid | process
    Token: SeDebugPrivilege | 864 | Windows PowerShell.exe
    Token: SeDebugPrivilege | 648 | Part 3.exe
    Token: SeDebugPrivilege | 2588 | Part 1.exe
    Token: SeDebugPrivilege | 1892 | Part 2.exe
    Token: SeDebugPrivilege | 5088 | Part1.exe
    Token: SeDebugPrivilege | 3556 | powershell.exe
    Token: SeDebugPrivilege | 1612 | powershell.exe
    Token: SeDebugPrivilege | 212 | Part 4.exe
    3556 powershell.exe (21 entries), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    1612 powershell.exe (21 entries), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    Token: SeDebugPrivilege | 3836 | powershell.exe
    Token: SeDebugPrivilege | 2808 | powershell.exe
    2808 powershell.exe (12 entries), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
    pid | process
    1132 | firefox.exe (4 identical entries)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
    pid | process
    1132 | firefox.exe (3 identical entries)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
    pid | process
    1892 | Part 2.exe
    2588 | Part 1.exe
    212 | Part 4.exe
    5088 | Part1.exe
    1132 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
    description | pid | process | target process | entries
    PID 5068 wrote to memory of 5088 | 5068 | ModStickInjectorV1.exe | Part1.exe | 2
    PID 5068 wrote to memory of 768 | 5068 | ModStickInjectorV1.exe | Part2.exe | 2
    PID 768 wrote to memory of 2588 | 768 | Part2.exe | Part 1.exe | 2
    PID 768 wrote to memory of 1892 | 768 | Part2.exe | Part 2.exe | 3
    PID 768 wrote to memory of 648 | 768 | Part2.exe | Part 3.exe | 2
    PID 768 wrote to memory of 212 | 768 | Part2.exe | Part 4.exe | 2
    PID 768 wrote to memory of 864 | 768 | Part2.exe | Windows PowerShell.exe | 3
    PID 2588 wrote to memory of 3556 | 2588 | Part 1.exe | powershell.exe | 2
    PID 1892 wrote to memory of 344 | 1892 | Part 2.exe | schtasks.exe | 3
    PID 5088 wrote to memory of 1612 | 5088 | Part1.exe | powershell.exe | 2
    PID 212 wrote to memory of 3836 | 212 | Part 4.exe | powershell.exe | 2
    PID 2588 wrote to memory of 2808 | 2588 | Part 1.exe | powershell.exe | 2
    PID 5088 wrote to memory of 216 | 5088 | Part1.exe | powershell.exe | 2
    PID 212 wrote to memory of 764 | 212 | Part 4.exe | powershell.exe | 2
    PID 3852 wrote to memory of 3728 | 3852 | wmplayer.exe | setup_wm.exe | 3
    PID 3852 wrote to memory of 3008 | 3852 | wmplayer.exe | unregmp2.exe | 3
    PID 3008 wrote to memory of 2944 | 3008 | unregmp2.exe | unregmp2.exe | 2
    PID 200 wrote to memory of 1132 | 200 | firefox.exe | firefox.exe | 11
    PID 1132 wrote to memory of 2780 | 1132 | firefox.exe | firefox.exe | 2
    PID 1132 wrote to memory of 4728 | 1132 | firefox.exe | firefox.exe | 12
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe"
    - Suspicious use of WriteProcessMemory
    PID: 5068
    [2] C:\Users\Admin\AppData\Local\Temp\Part1.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Part1.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 5088
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            PID: 1612
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
            - Command and Scripting Interpreter: PowerShell
            PID: 216
    [2] C:\Users\Admin\AppData\Local\Temp\Part2.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Part2.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 768
        [3] C:\Users\Admin\AppData\Local\Temp\Part 1.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2588
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious use of AdjustPrivilegeToken
                PID: 3556
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious use of AdjustPrivilegeToken
                PID: 2808
        [3] C:\Users\Admin\AppData\Local\Temp\Part 2.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 1892
            [4] C:\Windows\SysWOW64\schtasks.exe
                command line: "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
                - Scheduled Task/Job: Scheduled Task
                PID: 344
        [3] C:\Users\Admin\AppData\Local\Temp\Part 3.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 648
        [3] C:\Users\Admin\AppData\Local\Temp\Part 4.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 212
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
                - Command and Scripting Interpreter: PowerShell
                - Suspicious use of AdjustPrivilegeToken
                PID: 3836
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
                - Command and Scripting Interpreter: PowerShell
                PID: 764
        [3] C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 864

[1] C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    PID: 4820

[1] C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    - Suspicious use of WriteProcessMemory
    PID: 3852
    [2] C:\Program Files (x86)\Windows Media Player\setup_wm.exe
        command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        PID: 3728
    [2] C:\Windows\SysWOW64\unregmp2.exe
        command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        - Suspicious use of WriteProcessMemory
        PID: 3008
        [3] C:\Windows\System32\unregmp2.exe
            command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            - Enumerates connected drives
            PID: 2944

[1] C:\Program Files\Mozilla Firefox\firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    PID: 200
    [2] C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1132
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.121896678\353775410" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e77e6e-78fd-43f3-b68c-4af30dbe84e8} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1812 1d9708f4b58 gpu
            PID: 2780
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.69972961\1932005376" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f784eff1-78a8-49b3-b156-ab0946ac3871} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2168 1d965872e58 socket
            PID: 4728
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.1214060070\2002426679" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2828 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e89bae5-2101-4d94-94ce-46856a296386} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3044 1d9748ae758 tab
            PID: 3852
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.1457478902\643697522" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66aa583b-2d70-4024-b5dc-895111665620} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3540 1d965862858 tab
            PID: 620
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.1945322316\795949869" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4164 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {622bc04a-02af-4510-97eb-7d9776160947} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4184 1d976bb4158 tab
            PID: 3764
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.467935924\739925453" -childID 4 -isForBrowser -prefsHandle 4844 -prefMapHandle 4876 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1b96359-ea16-4bfd-b27f-afa81e145801} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4884 1d96582d258 tab
            PID: 1612
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.6.991326892\915362930" -childID 5 -isForBrowser -prefsHandle 5020 -prefMapHandle 5024 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f79544b-ca84-4c1a-9f16-4fdb131b380b} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5104 1d976bb6b58 tab
            PID: 4412
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.7.359580583\1088516435" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {937bd292-4176-4947-a4e3-9c38dcb44e66} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5212 1d9770e9158 tab
            PID: 992
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.8.61771887\54006143" -childID 7 -isForBrowser -prefsHandle 2768 -prefMapHandle 2636 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aa4a44b-94d0-42f5-9988-66c7c863b69d} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2772 1d971fc5858 tab
            PID: 5984
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4B
MD5: 19c389cb300bdb3f72043eacb6f7064b
SHA1: 92f71b9aa2547c81c7bdadac0bf2b4842f6c5c97
SHA256: 98c2c44cd678ab133d44615d9f4826e7b4d8411cf1c81cd1691d1caba158f009
SHA512: 1713858584838acf0900fa5ead3ae935f59242d05d28250c26e6c87c9314fb0f9205ce34e1ad063bfa5ecab233951c9bc31b6d67a851b7983e66e9b454b27b2f

Filesize: 3KB
MD5: ad5cd538ca58cb28ede39c108acb5785
SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Filesize: 256KB
MD5: f19cbc0fe6f95513f453d8c1d0bc0a43
SHA1: fe40eec93c9f2bbae036667757c786583a028592
SHA256: 4360d972da47246e9f52a016a2f2c1a43e101cb10f7203f9ab489de34c50011f
SHA512: 6ff6fe4cc24f6bf89c4ba432abe506c0c3ea54eda519ce5f8ba94ecf01148e5f6c05924a5fee483af043e7acde745b20f851f991f5d1fd291c715e7ccdf88541

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 1KB
MD5: 3d72db63dec8b8e84e8a1155e8e0ca96
SHA1: b4728a0fc4a47592806b3da1d30eb0291c4d05d1
SHA256: a1e91ce3b1f6b419c88a0b371225a6fac03881b39c8184bf2ff65129a00ed6d2
SHA512: 5aef675942f6157ab2d678c7ce800360488c0948be42577574afec0486c5ce903802e4971b80ede2fddb131b8ac8c81b022233f88b0210cdc7835739465f1c1c

Filesize: 1KB
MD5: 268e3ab5bd6ea508c0515ab314df0fb1
SHA1: 74e8cdac4f575c6ff03b47598ed7609e087b58cb
SHA256: 0888e55e56347f87915971d29b90df893972939d619226cee38f7e9e6ec9d07a
SHA512: d404df608ae5cdf96c76550a14705373fe2de095f2d443298d86021fc79d9cbefee7b25de60f7fa1b9fe248da2b0e2fef12e4af2a36324d7cb932400c60946bf

Filesize: 1KB
MD5: c701107fcb3e97641ef7688d38e59e66
SHA1: a532643c6e2bf7d61518374c5f4c1c54aef450e9
SHA256: 333d5421332259853961845e3a1c4fa3b47997254ed6e60c4de5be7dae9a34cb
SHA512: 983c3ec067cc63b7c79092193b5af3bf99c71347e66c6c8108482e045e43dffdd5d71c658197e54084b520f2d123746d7fbdd93d88850b58b44b66899f973b04

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\56A184BE013E192214E1133FBD0398E445432333
Filesize: 152KB
MD5: 4a96cd919035c3d6f7cb4c7361d11682
SHA1: 08cc0b662bcecdd170e0bd509f00a64fa148f32e
SHA256: 7105ca034f946522e61ded48a6e99e8cc42919bfdc8d40a3928adbfdfa15f83c
SHA512: c383ce3cbceba7cc7bf4d2381940b17681f6acb2e3c768d3e63a0900a56f8d9d1716b021dc9139f18f2c583aa79565a2ceb3b7992ca6bc735ee34f56a909734e

Filesize: 24B
MD5: 80603f6028189884e24b8a780976d181
SHA1: 0d47668b6977f8c3feaf20e18654fbd513196061
SHA256: 69ee9cd6ce6ff16f4009615297bde6b881845867777b6fc333e112e9e0a9fbea
SHA512: 13ae1ff9bb572ed0be1c6ef3f13aa22b03beadd831509f7c0215e25eda4404099062b6ef6e45565914a1e5b4e1af0f25d1a925e083ed58b3c8f6dfb7edb9eca7

Filesize: 48B
MD5: a6c4aa8987b07b1b28bba7617cc1199f
SHA1: 90c0bb0ca13be76776104d9ba2d85e9c44d8a76d
SHA256: c6de2f0efdc81b58e0570ebe061ad37ff0f0c3a50d8e5c1a777a9bb5ca74b522
SHA512: e35902547cae6497f215fee7defe20c325642552ba50dcce0628a083eba0aea11decf097a380cf3e0349a36247ac6ff119c9655388c63daa8e00b5daa6d18034

Filesize: 75B
MD5: 66dafe9a82f5220ae53e4a7114a13fe9
SHA1: 8f6b1835b7761d6168a5c46ad3482dc0f4babd47
SHA256: 6d85de2b5746a7232e34b06a447333bb945122fef63ee2d886ed1d7b29908f80
SHA512: 502d0b26b0b016b260ed63558b24b69728fab15ba290cdefdf721b45b3f233c86481432be07e55836de1cba09b81f1ef692c1d918ced06c581a5646c959c4a85

Filesize: 78B
MD5: e262a4367ebe8550bd9f9c2f9588f310
SHA1: bbab8b7e8866407907d6848fbe0bd013581b938d
SHA256: bf08aba948eeda47184bba079d6ca5df51b0a24bd3c3f957a5df6068f1769ea5
SHA512: 4572a8ce18b51cd3e91455ef3565be3e373d8ff30783f511ae3dec1c0a4a491a2a8cba92a8545f1142904542fefadcaaaf5aa99aef3bdd775076ba27573f5f3f

Filesize: 129B
MD5: 2e4fa44dca42b1e252e5a7e5afde259b
SHA1: 1cca88a30ba22b05083d2827086cdd405811fb21
SHA256: 728f015a739f65deb112abea5274d2a4bcf87ee4f21165a5772d7904503b0a3a
SHA512: b04b680062398f39ff1e0487457c547ad744ebca293cb2a7561f4d76b60e415bc3b1af9e7b7cdb08746be5b6f1552b7304b4a2e84b9ad34d35015972be99b776

Filesize: 180B
MD5: 89cc97f18aba3c5e2209bb0d2f176f7a
SHA1: 0c63f5692ce172493b573c1a7dcb27fe4d742f27
SHA256: e73a5bf8b5cd1c513d487e95d0cb9250f62a39f8613f476acad93764dfac319c
SHA512: 840982bd9acf6ff7fa757f8ab145c56b2af4210a486a84c83ac0aea0ac7f75fa2d1d06d1a2c9f4b2901973dddbc1b0aa7a84d6ab7f23a0b2dee8cc2d0c130cd2

Filesize: 231B
MD5: 636ee902a912fdfef013329686cccc27
SHA1: b892e2f49bef0b24b358c2f85a00546cec4e92f6
SHA256: 9a718a26a5bcf9b75808cf5efb19e53f2cbea2c8b5dca6e6fb49e69d2f0c66ca
SHA512: 80b9cd2d9ab573a86c33b00254e9fb3ed6c648d08455dcd32e6e61b2e580ee43041819edf0a8d278763a18825a343f74a380bfe686b884087371ad33a55e50db

Filesize: 232B
MD5: 9d1a59e637ca3025226a983174d5b3e3
SHA1: 818c8d59ecd163c3baffd262a38c541f89c0461c
SHA256: 2a4b5339a8fedd6a5373ee429a07bc60cae4e3137a1a8a7f588dccabbc92c6b9
SHA512: 18d8562a58c31360f938cabb8f9651e044d32d8c4743c5b723e6650288e7f61b9944a45e5a9dcd8950555580dbb2804fddca516eb988b04fa7ec02af3c79c561

Filesize: 234B
MD5: 3dd2004b13c17c38f04918246a90253e
SHA1: 44847e82707fccd97e1f60e1a119aaced3647f1b
SHA256: 9f0f28763007b0384bfddb35e1e4e5be7da7a47bf71bf891a2bef932a12ea5a8
SHA512: c16e8bf63d56b754fc5742aa7508371652f5ab91c97ae2bcf4eed6e531c277a9e302754028bf654918afa5026dfd5bfb7fad4d79c7e9d763eb5f8c3dd50c7b62

Filesize: 235B
MD5: 4bd89a23fdb960e9b8aea31f233728dd
SHA1: 4a954c2d28d8d446e96b6f329a4865e5e30f1589
SHA256: 0cb9758f66131e0b89276f7b53ccdbb7be8db51aa8b3253cd94cbd6fb3765a34
SHA512: c6af1b621986e4a10a57248b518a7319aee705533cba4ba9822d40e743676d6e55efcc18ae9b16dcd675dc5e31b184aef8c581900675dd1f4c47a8562176cc0a

Filesize: 236B
MD5: 443dd412f47970d43cba217c1aefd6e5
SHA1: 99e0a5a3e42d2182e3b8042266be7a7c321b0bf5
SHA256: 6d143e3a58fad17d58f59e958a95df0d90de92f11c517cda01d83f9fa69d018b
SHA512: 61d0cf0e1a512a111d86d5d35a10e4e81080a49cd3d3817df19028b6e8e4cb9b8f3fd3399ac6a8642d7a0d5c489b61eb5d3180286343052d2c520d27998ca3e2

Filesize: 238B
MD5: 668974009c5c913ae156669c98cb612d
SHA1: c8cf27e94d09c8f20e32e472b802196b44927717
SHA256: 203d76a9235a44903617a7fcabd0dc9a91bdf805caf0e23495f99a8f6dbbb2fd
SHA512: 6df3818119955b0a9b30287160dea5fcbc19d171e04ce0e8c63f1e991020d4358dddfa03597de1133a3ab10cdad8d2ab4c5e27646d0fef2fd508fa0dd2fa9bbc

Filesize: 239B
MD5: beb7a3ab23f136e83b9c82ce0a920b78
SHA1: 3bba9c1f9f30b36503505ac99687a19b81167b19
SHA256: 745be143f694f538d814c525f3c7d28f11782ccf3af5a7f38323c93383977b4a
SHA512: 5cf489b78478e79d8511b794cb9f5034d3f28c23046f1c0350bd9beb92d1f4695a885aca4b46624d896506aa4be1235a54f67f4367fc64d5b972d9c854d4d2f1

Filesize: 240B
MD5: 8b7501fe745eea511cf62c277c9a28f0
SHA1: dfbbc7cbcf6f667489632626e0356dd0fca79fa3
SHA256: 386eaea70b96e722c7da499213d7f3deb755df1e9bc1d5df89c2078996f54fd7
SHA512: 6e8e76ef54bb6c2501be7f2e62dadd2a13e56d01cbe710336c33645024cbd8a0b14a827e0d171afca04e52ae79c28110f046faeb6c16b11215030952aa731a7a

Filesize: 241B
MD5: 412f389bf26aa7132febd4818fcceaba
SHA1: 7cc8939dd5eefe9d9ecde5e09e063016dec444db
SHA256: 2285c7335ff791173aff1d33cfc72bc4223e7f91bb6980decc5e799bffd02d64
SHA512: 816ca33b620aac6cfcc378882f3cf3dc09ae66e42e9419cdc7878b390bb3f3df10389cc312de22c0c02c6cab43e25ceccb627bbcbac4716938027fe1e4e1b57c

Filesize: 242B
MD5: 026f6f10afb83e24cd9a36dbfb2d0caf
SHA1: 2714f7b7a5630eee55b9c0663a12347d26328386
SHA256: 6f0294667dc744cfe441180739957ae8b54ec6afd992fdd74fda846959a63eb4
SHA512: 6aa11095a1a4f89687f7bddfe55b60bfb62b5303931438a41f5f223c35d4c0cf82d67154a70fe06cb109bd34dba9607316bdffadc2c3859b6b03270c35bfddbd

Filesize: 243B
MD5: ae2a016b9fac85ff2bb57aed029d16c8
SHA1: 9b3f2c34a4a81553493aa478dfbf423f0b07077d
SHA256: e24ab01e442054c58aafa041441b154acc302ad8385e9df8b6049097caffb946
SHA512: be894136ac6183f6f8aafafbc0facf1c5aa96511d35538c8ed43f4206e922d983b23c580d73dcada4b327ab23fe05795bfac0c0912a881df1f4c2691325dfaa9

Filesize: 244B
MD5: fadc2bcca56ec2e5610118553e50c37c
SHA1: 833bb55c2197385fef71020b2cc2a9cad1a54d41
SHA256: 561e4edc0ab98121a15e88f3b5ecf9e53b6b9165a288b25f4572627eff52c048
SHA512: c95a71194ca9e8d1cd05b2f48673873f930d7cad4e19772a42f070c264db173ea28585c9370dadc73257a1d5662efd61036810019bd23850ee43f561d13763f4

Filesize: 245B
MD5: 4c6ab6c175d5731f044644a3c340c3ce
SHA1: 6ca370da3f884ed6ea1ce314423e64a6673fb228
SHA256: a31a08d485f5b4b80d1df448587c81bb8f7bb079434bcc5bf66d1dfdda8148cd
SHA512: 3a43442901e82d510d8a627fd5d610e77de092f4b385507fe117abeac93baeab9d342e1cb0acdf5ba125979d34354a5517513908bbea56aaa7810d117d851372

Filesize: 246B
MD5: b54b09b8f35071c2e1ba4ebf2f3375c8
SHA1: 2f61ef91f4500a058e0d454f2e6eb6a7e3410cf9
SHA256: 07731800bc30e5d81c5e4a2cf80db962d9494530b3975f4bd49a9051061ad1a1
SHA512: edd6e3f815b366a534853ed96b57e9417a6c24bea8a321d6e2817bcc1fd30f155f8a9671d52b5801aed7bf1084b5cd1ce838f53c08010bbf53eca33bcd22de98

Filesize: 248B
MD5: 794dde7091fd7883ace4fb676916c7b2
SHA1: 7a77806f431cb5ee5dd9d101e8ae5aa0de78faf1
SHA256: 13f6991bdcfb3e550aaafb65480880187b68e4a96da7b9864cd51ef14c4536cc
SHA512: 7448ed0ab51120b464356d417b8910cc94522522023e8751ba207eb98ae794a8d32e9bdd103e8e1a8dceabe6a6de072d9c3d3456f1091382267bda04c44b82d6

Filesize: 249B
MD5: 7f04d6abcb679702ce1f488651307c87
SHA1: 0ee0d61fe4fa31963bb5cbd409c4737a582f4de7
SHA256: 5c2828cb2dc75f010660ef77766c51d9b7b688a6a2b6cd7270bd1e5841e34cdf
SHA512: 7969f7e65a3f2fcd4305b7e2828bd47333403192c927aa8e2aaee8e9504c8b300dd9a3846a70da96c3022af4ebede9fa124364f69aa6082deb99b9b94998d777

Filesize: 256B
MD5: 0a79efb183c62bdfed4a593250ad12e9
SHA11b6b0654be552e1cc8a572e88072281fe5f66542
SHA256aa84d1404aa9d336aa6b53313e6d4e3aecde774f50f39e612c2ba3720303ee84
SHA5126ef509435a29a879ba2991bb7c4cc407595ed62c00ed9eeb9edcffe5a41b265f87557eb93a2db1b110a1a5a6aa9c0417ea6d2ebb40347b118599acbdfab65b42
-
Filesize
263B
MD5d20c85ee331b2ba521b7db52ce048040
SHA1b8feed1d304b862d3274f1246e7bb00947bed581
SHA256a46c83bf8a6af2c98411e6bae87547999acef63a095e7e925c21aa5536227c05
SHA5129c1bba85880d376d9b1ce4f97bc9bb6a8045ea78de396a0d58781dfb9b8133191e81ae152bc66803d1f7c4c493bc4cf6fe923411d02f60631631216a68d91f13
-
Filesize
270B
MD52e81bf98663b56fe60b8ecd3e38d20cc
SHA1ebd0b247420ef3d8c95d9422ab0f6db923aeaf08
SHA2561b9aeb663df380c530d97bed9792910ea1d287fd494b88d9994cca992efb96d2
SHA5126dabe0bc1be0000c86ec62729309b2862fca0e34eabd0bd06af4dbf2feaf98d349ad1d649b06095307798d64bf05a0e0becc986fc6db904f2944cdda5fd36f08
-
Filesize
272B
MD5ca9b5b1360104824ee66df10c2a7abc8
SHA1740abc84a16f831619427610cc6f84bab13e560a
SHA256223a88a12eb8478b38297de8ad120dbbdbc11cfff178b243828be3eb9bf53865
SHA512148f6b1171e789525606da620402ca8a992ba20b7480c02608bb0ec3ab214beb391128f0cca4c298f37110794647664aacf122294e9301452cdc00ddb590ff31
-
Filesize
273B
MD5605902f1fe603fb15ab7696868ed6d53
SHA11e9251f82805bd5b70cf2f13e12815b40e1796f8
SHA256fde3790325262b8a9bd8a8b523108016b98e2ca823324672d5bdf71bd3765c45
SHA5123b5b14c67c3b0d7298972830f5c79ef73ed1bb2837a87389bb84817172be948c0dce9666a2c96a07f709f3a9499b8cf22e2c3ec0af8d3c4841485c420f713581
-
Filesize
274B
MD56e5d2eb00a50ac066f4ea49d0d17a97e
SHA18ce6461cde079b2f60fa706a0902dbd08c301d5d
SHA256052d258e395232d3a564a0f883fcbb2956754252ae2c93a58a5d0649e5f18524
SHA512dcd5abfd1f29603bc32d99da484783603e77f7a2da5ac6800da167b59def342a0389e309ee510da4fcbd2ed99a9bf5b141056e58ab691b44ebba1fedf18fc1de
-
Filesize
275B
MD585dcd329c581b20a3d80ceed065ce3a0
SHA1cce17c0f5cbcae1df96425ab7294d388d0fdd57e
SHA2563432cd3bf0c0381948016d6f0f0c9cc2b9fcf061e74d21ef59ec85161dc3064c
SHA512470b83cdfdb662c05e054f859e6f09cf0df0a1707fa1ddad98bd8ee38fc7c495fc00d04fc8c62bb4ef3eee1c0ba005d5886bf078122e4320c5cf94528b315634
-
Filesize
276B
MD5a7824625fa3d66411af5a7a981a18f60
SHA1297ae7a870d03e1e99d8ad43659b973d39500678
SHA2562e29dbf12c2ca08f279103045173b0d97819fa755e3fa0ec191a46b92f0d1ea2
SHA51208ace6b857a48b183b3d8cb1cbaf7c4d95f6d7f3c1235ba8df7353910ba36864c0f49e05f56608c3ec6ef0c0e645b52f81d1747e7f0910fbbec98eaed617265c
-
Filesize
290B
MD54046b4b93f27a9aeb15973f05f869f78
SHA19c8e8d3edfa3100ffc342e5779bbf41158f8cd5d
SHA25687fbf01c0fe68bb1dfac429734568041778ac161316da647b39745b39d064b9b
SHA5125100d049fdbb652543f3912143886e853cd07d15ea68d2babdd85f296b1bb4ad682a7cd52d609e57726f3c7c2cffe8f41dd4cfd7f55178f0a913c75e7238d83e
-
Filesize
297B
MD53b35f04823a2b037e9674c6e4835eb32
SHA16323bd7d02bdfbe0e99fab801d640436fd7c824b
SHA256abac3ed9ff2de50fa1f4299d5b13d9a2ac2a2a70da16bf757b227678c317251e
SHA512c28932932523f63bcc512c7765385bb983615ffa4649dff6812f98a16e890c958d47b183c0adc64a94a1334f005a4193363d81d80adbe40e047918ed567a51fa
-
Filesize
299B
MD52bce3cd60d6a15d3f322c02886a8b545
SHA1bbc52c0b405e54e8a1235589b835ee33e9c8d54c
SHA256c9149a5cecd2dbf328b3ab2f8a5c4172292b03f759349de709482282f163bca2
SHA5126a5a19f8c086277daefae325188910a6b39a1b7960de8a5a2cb658e3be46709cc152d2d0b6e62c54fd6ddf42b2bc9ee8a60f23dbc31bc2da67436a94705f8713
-
Filesize
67KB
MD5092a0c6fe885844fd74947e64e7fc11e
SHA1bfe46f64f36f2e927d862a1a787f146ed2c01219
SHA25691431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2
SHA512022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0
-
Filesize
409KB
MD5e10c7425705b2bd3214fa96247ee21c4
SHA17603536b97ab6337fa023bafcf80579c2b4059e6
SHA256021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4
SHA51247e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d
-
Filesize
63KB
MD527fe9341167a34f606b800303ac54b1f
SHA186373d218b48361bff1c23ddd08b6ab1803a51d0
SHA25629e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d
SHA51205b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0
-
Filesize
79KB
MD51f1b23752df3d29e7604ba52aea85862
SHA1bb582c6cf022098b171c4c9c7318a51de29ebcf4
SHA2564834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960
SHA512d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde
-
Filesize
74KB
MD5e35a7249966beef31a45272c53e06727
SHA1cc54648f9c9423f7a625e96256c608791b1ab275
SHA256ecb87965ad5fdc76a30721226b1cb8a6263bbbce476a0446ff730b6399022998
SHA5121dc30dc4a690aa87211db37b8fbc152e2e9e2b2554927296ff62bd4d2a7ab542777faaa4752399719cfe816cf3886b3bb4a90539f3f197dedd52298f2a315114
-
Filesize
661KB
MD5c47c0d681b491091209c54147c33da81
SHA158cb51be41aa576ce56d4c16c9c443e70e648f62
SHA256429c5dd3f4af9dcaa0ebaefda12281af7c84b3e3aa05d1034ddf89d2bdefb720
SHA512f3a6f9af783910dd94622bb0408385228dfe322487d9d89c140e2e49b8abbc3b9c9f3cb580635166d1ddf6f5b7feeac51380044cf100476d6994adc7cac6cc5c
-
Filesize
27KB
MD54daae2de5a31125d02b057c1ff18d58f
SHA1e1d603edfcc150a4718e2916ae3dda3aa9548dc8
SHA25625510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f
SHA5127cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
546B
MD5df03e65b8e082f24dab09c57bc9c6241
SHA16b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
SHA256155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
SHA512ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\2a93fed9-53a0-43a8-ab51-83979c1666ff
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite