hxxps://www[.]strem[.]io/download?four=4

Analysis

max time kernel
109s
max time network
110s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.strem.io/download?four=4

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe

Executes dropped EXE 4 IoCs

pid	Process
380	Stremio+4.4.168.exe
5000	stremio.exe
5712	QtWebEngineProcess.exe
5972	QtWebEngineProcess.exe

Loads dropped DLL 64 IoCs

pid	Process
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\""	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\ = "URL:BitTorrent magnet"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\URL Protocol	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\shell\open\command	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\""	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\DefaultIcon	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\shell	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\shell\ = "open"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\shell\open	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\DefaultIcon	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\shell\ = "open"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\shell\open\command	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\shell	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\magnet\shell\open	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\ = "URL:Stremio Protocol"	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\URL Protocol	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\stremio\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1"	Stremio+4.4.168.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QtWebEngineProcess.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Stremio+4.4.168.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5000	stremio.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe
380	Stremio+4.4.168.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeDebugPrivilege	380	Stremio+4.4.168.exe
Token: SeDebugPrivilege	380	Stremio+4.4.168.exe
Token: SeDebugPrivilege	380	Stremio+4.4.168.exe
Token: SeDebugPrivilege	380	Stremio+4.4.168.exe
Token: SeDebugPrivilege	380	Stremio+4.4.168.exe
Token: SeDebugPrivilege	380	Stremio+4.4.168.exe
Token: SeDebugPrivilege	380	Stremio+4.4.168.exe
Token: 33	3232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3232	AUDIODG.EXE
Token: 33	3232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3232	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe
5000	stremio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3048 wrote to memory of 3064	3048	firefox.exe	30
PID 3064 wrote to memory of 2152	3064	firefox.exe	31
PID 3064 wrote to memory of 2152	3064	firefox.exe	31
PID 3064 wrote to memory of 2152	3064	firefox.exe	31
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2852	3064	firefox.exe	32
PID 3064 wrote to memory of 2020	3064	firefox.exe	33
PID 3064 wrote to memory of 2020	3064	firefox.exe	33
PID 3064 wrote to memory of 2020	3064	firefox.exe	33
PID 3064 wrote to memory of 2020	3064	firefox.exe	33
PID 3064 wrote to memory of 2020	3064	firefox.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.strem.io/download?four=4"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.strem.io/download?four=4
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3064.0.260292005\801554794" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1200 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4037dee4-1fbb-438c-894e-5e4b1794248f} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" 1332 10fc9558 gpu
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3064.1.1648759876\683416905" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7dcda67-7051-4672-9541-012d5dc8cc32} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" 1508 e6fe58 socket
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3064.2.596372543\927578083" -childID 1 -isForBrowser -prefsHandle 2208 -prefMapHandle 1976 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2ffebab-6e9f-43e6-a855-3785e099b577} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" 2012 1accda58 tab
    3⤵
    PID:2020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3064.3.1415117784\16254943" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cde89ab6-4f4d-4e7e-8360-4e370447d2aa} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" 2908 1d8bfd58 tab
    3⤵
    PID:2840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3064.4.728830407\967505770" -childID 3 -isForBrowser -prefsHandle 2760 -prefMapHandle 3592 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac042e1b-83e7-4118-a232-5720598331a5} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" 3632 1f3c8a58 tab
    3⤵
    PID:2248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3064.5.394073917\1216597386" -childID 4 -isForBrowser -prefsHandle 3736 -prefMapHandle 3740 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b05686-f779-451d-8fc7-b476cbdd2270} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" 3724 1f3c9c58 tab
    3⤵
    PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3064.6.328559629\295169417" -childID 5 -isForBrowser -prefsHandle 3848 -prefMapHandle 3852 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 904 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9b9f644-206f-4e32-b2ac-aca55e0cbcee} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" 3836 1f961b58 tab
    3⤵
    PID:1628
- - C:\Users\Admin\Downloads\Stremio+4.4.168.exe
    "C:\Users\Admin\Downloads\Stremio+4.4.168.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:380
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe
      "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5000
    - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
        
        "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --application-name=Stremio --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=1604 /prefetch:8
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:5712
    - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
        
        "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=renderer --autoplay-policy=no-user-gesture-required --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1688 /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x7c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
39KB

MD5
33869bfc3a22ee993c0492f6263b718a

SHA1
d90c89a1a2b445075b1390e20bc2731def7d9cc2

SHA256
bdb62e982b586794dd15f39d4abfb3d9d7beff24f6d2a2cb3f873b5e0629a090

SHA512
8b184e36907dadf88a7c409a670f1275cda4f1e5f2fead29afb7287618c25e5dbe3ad10f5b5ec13f1c3c1e766177b0437d05a438083875228b072f6893b9460d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sexvjvzg.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
aae09a16af4cb1301fe6c79c8dc3024e

SHA1
4bccd228fb82a3791c857410e184866221ef57cb

SHA256
96e791536787d2617c46420864181be4792da6d192ce31a40f2e6fb15d5ddeb7

SHA512
765983b49e23fed0159d86eae1c668f52195dc3a7555beda2955fd84dc08210e205dd4337b836e00249ef4544073fb6cc4435414005ac254a4f2c57df19e3936

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\CacheStorage\88fcf258722d55f5951a2da9c15b52822bdffa79\a9c0d482-5023-4e3b-8104-c2882267c08d\index-dir\the-real-index

Filesize
72B

MD5
e94c0d5474aaca2588078288716394ea

SHA1
af5875ca598df93bac9679c6b31e932c71b3c808

SHA256
5cebffddd01a7fba1d7a8bb8c9fcc76949050bb707dbb7031be6931141fac71c

SHA512
a41115f7a0b872548b9777d3c367658e9f3ffe8ae816f52ba25618813226cacac37fda97cb31e167a088a80a0d70ecc6ab879e403085ee4fdb04af85d91a666a

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\CacheStorage\88fcf258722d55f5951a2da9c15b52822bdffa79\index.txt

Filesize
106B

MD5
9ecb08552cf3b4ccde34ba17ca5239d0

SHA1
57d77df27c4512917f64ec766afbdc7f05f4cf51

SHA256
c93f09457d2ac2475639a92f40f00aa792d4ec55a4099eca7f8ad53cf707fd7c

SHA512
5bac73d3f772a7706f52e504544644d18df89712a510b5ffc85ebf93470d8438873cec237f7c245ba65025ebaef9708a4132ee7486a6f9d1eaffc1293ead3428

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\CacheStorage\88fcf258722d55f5951a2da9c15b52822bdffa79\index.txt

Filesize
101B

MD5
b90f7d48b1146d2188c472893edeee2e

SHA1
91e5972da322b21f6419737dcd3f1911094088a6

SHA256
63d8d99e183a8683221f7c686181771711ce8480ef39a9d77a24129d8e351a17

SHA512
f47dc1450f4566edbcf26895072a720d0ecae32dca8120fa3e61ec112f5fc736443f79df610683b34a0cf2269b2f3ba3c71b9adff5f39d56967c469ff2e0f17a

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a5bdfc4500ac73389ace68318c366bd2

SHA1
f299879f6b2ab4fe1eaa44d1463fe7d607da5a03

SHA256
5d45f876c9984d62686468647b15c3ccb0b11da790593df77d32d5a8854b5c7f

SHA512
a16ad6641614b81994eb65a8897f4cb8343497f6b0803014e8fea1370c684c99ee68e1b3543203550344c7444f3a4d560afa311176943b5700f0d7e040ca92ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2EC0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2ED3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso365D.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso365D.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso365D.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c73682921fd8be52c47982469ccef351

SHA1
e3e14f9d7e4a88c4ac52791c72dd101a2a7bc925

SHA256
0aa3b55a9748fc5bba7503fd7a478730b657588d78058c54eea37e22e95eebf6

SHA512
2f60202c805d7f21175642fb9751d91c87b8fe481b9e786652ec18f830b81c6ec251ec05679d4713e92071099b67e0a5e1387048fee96330c669c1c60eb63d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\4e0fcd0c-3ded-4607-99a0-8810a2012853

Filesize
745B

MD5
899f66aa9c6c4ca381f76bafa4f46451

SHA1
980c3b09544fb9bd2140a81ed337c0956f81b7d8

SHA256
334bc66d806818c8078ac905c3f9acfa64fa842058b2d7b1610bcd22893e6fe4

SHA512
dd4a94d1f644f1f68fc06422e6d3d272ff35b98092c2abb9e4dc2e2bcf4876a346fd7635a8b2740a7cc96fd03ef0f2ad5c12516e34f208f96f4f7cf0b1727339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\datareporting\glean\pending_pings\6ec2c5c6-c1d9-4c38-aee8-9aff24fa192c

Filesize
12KB

MD5
4420adbc3747745be329dd939496d143

SHA1
8b581cecdda40daba7adf99fa887d0a90a58845b

SHA256
e05dbd391b625534fa6e685b8f571a2411a1d4afadd1c8d3d5dfc5ca4e9160fd

SHA512
594cc1ac69c1332490c31617641c928049e9c85b9eb91655c4978e3bed01cb79405854beb4cdfcdce8a41e87878b3c8d1fa520760c0a864eb0f879cf13a04e37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs-1.js

Filesize
7KB

MD5
fa2ac82b7c61b1fb12b5bfdc20f8d5b4

SHA1
68ce286021bf85c388505649fcee3be35c26b7d6

SHA256
a728f53b8ce474e9d12f9bc2419edc87c1b233804a4e3be3609aafd8089f4cd9

SHA512
2687458299c1c52fb977a0940e47c1fc8bbab4869316bacdbd39f03d39b3347e35b2c9d425276642245ab764656d7ec3d3037dd9449f2eb52332b9d2e071914c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs-1.js

Filesize
6KB

MD5
f2afcb7c60494eeb650a178a5cd820de

SHA1
5f68b051f0e5b48cfa1db9f80651798ffc6a01e7

SHA256
60e0d1d99dae021973b97a62f2f8c8687a994ebf3acfa1e2b27c0b6660af3770

SHA512
847b97ef949bb237185014935b502fd21f1e37762d7b9ce664dad95d5fd69e4964a22f616b9377d0a4bdf7054d5f754df3ea12993dec45aac48bd6a2e081b4cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\prefs.js

Filesize
6KB

MD5
0c067b9550d6cdad5e6260af459556bf

SHA1
68a7b010a42395ca43b14d8e6d3465411e1d6543

SHA256
797cacf8c665cf2b2253b67fc7fef5b77497e81d9e35df7c32b0bf596e74be48

SHA512
c12eaa0fcae9940be78f38b0a4efee3c6a9ee99c6a0855f75cb1b61dbed08e750edfeb7485264413720dfcb053c74d6540115e8816ded8d379407ff307e4f24d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sexvjvzg.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
940B

MD5
825e02c207a026a6d011338878855cf8

SHA1
b20b833316669e4384704965ac3c47e5aad156fe

SHA256
786f9feafb39d8de56b5a1df39e8b30f7c79c605809728de313ff55718899215

SHA512
28afbab4dffeb86cf5c90eb6f8f5bde7d88b64f71fca73cce6e575c5ad2e916e20a4bfa177a368952669a4ed527b76ac4bd362cb247ded2978cac692d51b9779

Download Submit
C:\Users\Admin\Downloads\Stremio+4.ZxmBPCqN.4.168.exe.part

Filesize
1.2MB

MD5
4c7cb565133d990335b701382541249c

SHA1
336910c3b16a8e4c4ed65f5f1edb38e36f395991

SHA256
8772b57bca07502b9d99bb5c3fd40b590a805dfe196bf77f2e651d64dd74bac9

SHA512
dfee0a8bdaa648d2eacb8807420ee7eb7d6c70435fac3fc64d3918f69229329dffa8b7fcf9f8464552597c58f605b876882e76698490f38acc8cafc5055dfa7a

Download Submit
\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\Uninstall.exe

Filesize
173KB

MD5
f43d4bfd5752bb43724abb81bb556976

SHA1
6c6cbd3c00b808f38cac1d76749a8a43fdcc11ff

SHA256
8a88898e43a6bf6a595b5cc47886ca8578c659c2dfc0d99dc7f37cb7cda9b90c

SHA512
497f65f7572cdb489508367ee41614933b1718344b54c4729afa2647f4de53e2ac9ad816bfe70fab48751176f6ebfef680500f03154a7bcde7edbb8e3ac83cb4

Download Submit
\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe

Filesize
300KB

MD5
c0fbaeea5372c54a2f39716fcbc6afec

SHA1
e54790d82d0abdc75607fa0384bb886fc9b8027b

SHA256
cc7b6317d48368cb5791a1e95de5306b6152777b09758d14666d82f4b315dabd

SHA512
002aa47f5223eb113d3b2bfe1c88eb0ba588b1fc79465340b06c69dde1b897fef73c1f2540712ff22a658a6fe7b8bca4d2b6d4ec9c3d643838ff70275ebd8816

Download Submit
memory/5000-5212-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5191-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5225-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5224-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5223-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5222-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5221-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5220-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5219-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5218-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5217-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5216-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5214-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5213-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5227-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5211-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5210-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5209-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5208-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5207-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5206-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5205-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5204-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5203-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5202-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5201-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5197-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5195-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5194-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5193-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5192-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5226-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5000-5190-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5189-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5188-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5187-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5186-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5185-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5184-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5183-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5182-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5354-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

Filesize
40KB

Download
memory/5000-5353-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

Filesize
40KB

Download
memory/5000-5229-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5000-5233-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5000-5546-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

Filesize
40KB

Download
memory/5000-5547-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

Filesize
40KB

Download
memory/5000-5230-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5000-5231-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5000-5232-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5000-5200-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5198-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5199-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/5000-5181-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/5000-5179-0x000000006ECA0000-0x000000007386A000-memory.dmp

Filesize
75.8MB

Download
memory/5000-5169-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5000-5170-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5000-5171-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5000-5172-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5000-5173-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/5000-5159-0x0000000003CB0000-0x00000000040F0000-memory.dmp

Filesize
4.2MB

Download
memory/5000-5161-0x00000000040F0000-0x00000000042F0000-memory.dmp

Filesize
2.0MB

Download