Analysis
-
max time kernel
30s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
30-07-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe
Resource
win10v2004-20240709-en
General
-
Target
014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe
-
Size
1.8MB
-
MD5
5289679ca71d26258a24106fd536df40
-
SHA1
084356afba81a2aae6f060c21d64e7a28d7d33ad
-
SHA256
014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2
-
SHA512
7695d4bd496ff20efc1541729ffe19e7a8b9b76ca1991eb22082cfc7294368a41f11e9aefd74789436dc0e1ef03215fc85aa5332752769555ff2f931ec347f6b
-
SSDEEP
49152:68s21eoZcTukRKdjx5F9GPjLPyA+oURSLfPa:js4eKkM358jt1Uk
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
25072023
185.215.113.67:40960
Extracted
redline
Logs
185.215.113.9:9137
Signatures
-
Detects Monster Stealer. 2 IoCs
resource yara_rule behavioral1/files/0x000500000001a505-480.dat family_monster behavioral1/memory/1864-519-0x000000013FC80000-0x0000000140EBE000-memory.dmp family_monster -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral1/files/0x000600000001a512-618.dat family_redline behavioral1/memory/3568-629-0x00000000003D0000-0x0000000000422000-memory.dmp family_redline behavioral1/files/0x000600000001c907-881.dat family_redline behavioral1/memory/3912-888-0x0000000000900000-0x0000000000952000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e2f965dfa9.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e2f965dfa9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e2f965dfa9.exe -
Executes dropped EXE 4 IoCs
pid Process 1632 explorti.exe 2580 4fb85f9a42.exe 3108 e2f965dfa9.exe 3364 axplong.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine e2f965dfa9.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine explorti.exe -
Loads dropped DLL 6 IoCs
pid Process 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 1632 explorti.exe 1632 explorti.exe 1632 explorti.exe 1632 explorti.exe 3108 e2f965dfa9.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4fb85f9a42.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\4fb85f9a42.exe" explorti.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 1632 explorti.exe 3108 e2f965dfa9.exe 3364 axplong.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\explorti.job 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe File created C:\Windows\Tasks\axplong.job e2f965dfa9.exe -
Detects Pyinstaller 2 IoCs
resource yara_rule behavioral1/files/0x000600000001a518-674.dat pyinstaller behavioral1/files/0x000400000001cbd2-836.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 3924 2212 WerFault.exe 62 4064 3856 WerFault.exe 65 3392 3956 WerFault.exe 68 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4fb85f9a42.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e2f965dfa9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 1632 explorti.exe 2820 chrome.exe 2820 chrome.exe 3108 e2f965dfa9.exe 3108 e2f965dfa9.exe 3108 e2f965dfa9.exe 3364 axplong.exe 3364 axplong.exe 3364 axplong.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeDebugPrivilege 2936 firefox.exe Token: SeDebugPrivilege 2936 firefox.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe Token: SeShutdownPrivilege 2820 chrome.exe -
Suspicious use of FindShellTrayWindow 40 IoCs
pid Process 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2936 firefox.exe 2936 firefox.exe 2936 firefox.exe 2936 firefox.exe 3108 e2f965dfa9.exe -
Suspicious use of SendNotifyMessage 35 IoCs
pid Process 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2820 chrome.exe 2936 firefox.exe 2936 firefox.exe 2936 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2080 wrote to memory of 1632 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 31 PID 2080 wrote to memory of 1632 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 31 PID 2080 wrote to memory of 1632 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 31 PID 2080 wrote to memory of 1632 2080 014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe 31 PID 1632 wrote to memory of 2580 1632 explorti.exe 33 PID 1632 wrote to memory of 2580 1632 explorti.exe 33 PID 1632 wrote to memory of 2580 1632 explorti.exe 33 PID 1632 wrote to memory of 2580 1632 explorti.exe 33 PID 2580 wrote to memory of 1956 2580 4fb85f9a42.exe 34 PID 2580 wrote to memory of 1956 2580 4fb85f9a42.exe 34 PID 2580 wrote to memory of 1956 2580 4fb85f9a42.exe 34 PID 2580 wrote to memory of 1956 2580 4fb85f9a42.exe 34 PID 1956 wrote to memory of 2820 1956 cmd.exe 36 PID 1956 wrote to memory of 2820 1956 cmd.exe 36 PID 1956 wrote to memory of 2820 1956 cmd.exe 36 PID 1956 wrote to memory of 2860 1956 cmd.exe 37 PID 1956 wrote to memory of 2860 1956 cmd.exe 37 PID 1956 wrote to memory of 2860 1956 cmd.exe 37 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2860 wrote to memory of 2936 2860 firefox.exe 38 PID 2820 wrote to memory of 2940 2820 chrome.exe 39 PID 2820 wrote to memory of 2940 2820 chrome.exe 39 PID 2820 wrote to memory of 2940 2820 chrome.exe 39 PID 2936 wrote to memory of 1748 2936 firefox.exe 40 PID 2936 wrote to memory of 1748 2936 firefox.exe 40 PID 2936 wrote to memory of 1748 2936 firefox.exe 40 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 PID 2936 wrote to memory of 2996 2936 firefox.exe 42 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe"C:\Users\Admin\AppData\Local\Temp\014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\1000020001\4fb85f9a42.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\4fb85f9a42.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DF28.tmp\DF29.tmp\DF2A.bat C:\Users\Admin\AppData\Local\Temp\1000020001\4fb85f9a42.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b09758,0x7fef6b09768,0x7fef6b097786⤵PID:2940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1284,i,13205506213459035982,2821042112824386000,131072 /prefetch:26⤵PID:1400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1284,i,13205506213459035982,2821042112824386000,131072 /prefetch:86⤵PID:600
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1284,i,13205506213459035982,2821042112824386000,131072 /prefetch:86⤵PID:396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1284,i,13205506213459035982,2821042112824386000,131072 /prefetch:16⤵PID:2300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1284,i,13205506213459035982,2821042112824386000,131072 /prefetch:16⤵PID:2876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1300 --field-trial-handle=1284,i,13205506213459035982,2821042112824386000,131072 /prefetch:26⤵PID:3340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3316 --field-trial-handle=1284,i,13205506213459035982,2821042112824386000,131072 /prefetch:16⤵PID:3500
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.0.1791500343\358570788" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87ada6d1-cdbf-4591-917e-73ef52524b7b} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1280 128d1758 gpu7⤵PID:1748
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.1.1681320940\2142370320" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a34b54d-514f-4af8-b481-3d532518cc92} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1496 e70358 socket7⤵PID:2996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.2.1499684921\533787639" -childID 1 -isForBrowser -prefsHandle 1996 -prefMapHandle 1980 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac58a097-3876-4b58-91d2-1babfee66af2} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 2032 18962658 tab7⤵PID:1312
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.3.1214561994\2039903880" -childID 2 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f80537cd-dd4f-41e8-9428-7969ea5b8c1c} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 2860 e5b458 tab7⤵PID:2520
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.4.999211038\1314177375" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3716 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba572620-e836-449c-ab41-c514f7063411} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3744 1eec8e58 tab7⤵PID:3672
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.5.783690664\1035195141" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3856 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d4e0df2-8085-4313-afde-f0264cbfd1fe} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3840 1f0f9258 tab7⤵PID:3680
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.6.550937477\592006692" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d70632-4e22-43f7-98fa-632b726285e8} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 4100 1f0f9e58 tab7⤵PID:3716
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"3⤵PID:3228
-
-
C:\Users\Admin\AppData\Local\Temp\1000030001\e2f965dfa9.exe"C:\Users\Admin\AppData\Local\Temp\1000030001\e2f965dfa9.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3364 -
C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"5⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\onefile_2124_133667751069398000\stub.exe"C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"6⤵PID:1864
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"5⤵PID:2212
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 646⤵
- Program crash
PID:3924
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000003001\343dsxs.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\343dsxs.exe"5⤵PID:3856
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 646⤵
- Program crash
PID:4064
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"5⤵PID:3956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 646⤵
- Program crash
PID:3392
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"5⤵PID:3932
-
-
C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"5⤵PID:3568
-
-
C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"5⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"6⤵PID:1744
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"5⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"6⤵PID:3388
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000027001\buildred.exe"C:\Users\Admin\AppData\Local\Temp\1000027001\buildred.exe"5⤵PID:3912
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2692
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
6KB
MD590684f4a502c71d96d2b985913ab838a
SHA1e7afc6fae692d549cac79090d1d631a6f51ca36c
SHA256d07d57c74a5d191ed6acab0552f375fd0fb4a7b7f1dfbd7b82337e589b5eb5aa
SHA51200c496aa15d1b706e8bf5f2ecd4aa7e1feaee995133ef3ac87f06bd985a99a228f5b4a210a89b5bc38eb6440d7b3512676e283f71b14ca0d1fcd0e7db648014c
-
Filesize
6KB
MD5c0a771a1507b7e99afa7e03126f1009f
SHA1592f34ab53d8ce0c01111f6675c7a3094eb3680d
SHA2560dd2504a6f0623641a68dbc6cdae273ee3e27cea48fd79bc06f750fc3ba59b6f
SHA5120f0a318c2b25d0c70f7cfe6bc369f5934655301c579241cd4e9e0d9aadc4c57588a7e1354cfee9ea49b080b57e9da52c0b0587714426d036a73cb73da5a09e24
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
MD5d5cffaab2e30fb5508ad6c87f93c40b1
SHA1af6ffd90e87d7bf8261cd9725b6bfd86f4a87fb7
SHA256aa42e18ce9057fcec7e83c2ab71189263be99368b71a6ae5f4ce9c9851ea34e0
SHA51285312a2a7fdf35c0e4d90ed2a4dcacecf2a3debc7bc43f3858a180d2387d3370cbb0a55c2005c65821e376cd303d5b233d03cb8273c9202a22fc686bb0aad0fc
-
Filesize
1.8MB
MD55289679ca71d26258a24106fd536df40
SHA1084356afba81a2aae6f060c21d64e7a28d7d33ad
SHA256014dfd9b7e1982af96240f6853d3fd9ef11fdc2b13d00e8319b75f92676f60a2
SHA5127695d4bd496ff20efc1541729ffe19e7a8b9b76ca1991eb22082cfc7294368a41f11e9aefd74789436dc0e1ef03215fc85aa5332752769555ff2f931ec347f6b
-
Filesize
10.7MB
MD5c8cf26425a6ce325035e6da8dfb16c4e
SHA131c2b3a26c05b4bf8dea8718d1df13a0c2be22ee
SHA2569f7be9bf913d8378f094b3f6416db9aa4c80c380000202f7cfaddadb6efc41b4
SHA5120321e48e185c22165ac6429e08afac1ccfdf393249436c8eac8a6d64794b3b399740aa5b2be23d568f57495d17e9220280ed1c2ea8f012b2c4021beb02cbc646
-
Filesize
529KB
MD5d3e3cfe96ef97f2f14c7f7245d8e2cae
SHA136a7efd386eb6e4eea7395cdeb21e4653050ec0c
SHA256519ee8e7e8891d779ac3238b9cb815fa2188c89ec58ccf96d8c5f14d53d2494b
SHA512ee87bcf065f44ad081e0fb2ed5201fefe1f5934c4bbfc1e755214b300aa87e90158df012eec33562dc514111c553887ec9fd7420bfcf7069074a71c9fb6c0620
-
Filesize
413KB
MD57b0a50d5495209fa15500df08a56428f
SHA1ab792139aaa0344213aa558e53fa056d5923b8f0
SHA256d7f591f60eea358649cd97b73296b31a682e22fc5784df440026c3086de3d835
SHA512c1fe0cb875124c9069f01fc3ef44d864ec82cfad49ee733edecd8b9b5e021594937362641aa33d865aa8a3ec376e46162c988906b0cb7bd0666e873988fe3661
-
Filesize
1.4MB
MD504e90b2cf273efb3f6895cfcef1e59ba
SHA179afcc39db33426ee8b97ad7bfb48f3f2e4c3449
SHA256e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e
SHA51272aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555
-
Filesize
248KB
MD5d3759d5a234b497cf2d79a4b8fdfd279
SHA1834fbe1074432cdbc440715166fa325c8710d4dc
SHA2565d3c79bc9d6bc31703aa9001556967fe8433903ecfa43897ff949037bfd4cf61
SHA5122444ea3721db9f4bb32eac6dfde77e2f21cb28a76039f3132ccb6bab9068f5a148aa66de2f478c360ed5eef74117520c3c8eb8b4a6ccd539672a6e0a2e0cedbe
-
Filesize
304KB
MD5a9a37926c6d3ab63e00b12760fae1e73
SHA1944d6044e111bbad742d06852c3ed2945dc9e051
SHA25627955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b
SHA512575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97
-
Filesize
10.9MB
MD5faf1270013c6935ae2edaf8e2c2b2c08
SHA1d9a44759cd449608589b8f127619d422ccb40afa
SHA2561011889e66c56fd137bf85b832c4afc1fd054222b2fcbaae6608836d27e8f840
SHA5124a9ca18f796d4876effc5692cfeb7ce6d1cffdd2541b68753f416d2b0a7eff87588bc05793145a2882fc62a48512a862fa42826761022fed1696c20864c89098
-
Filesize
12.3MB
MD595606667ac40795394f910864b1f8cc4
SHA1e7de36b5e85369d55a948bedb2391f8fae2da9cf
SHA2566f2964216c81a6f67309680b7590dfd4df31a19c7fc73917fa8057b9a194b617
SHA512fab43d361900a8d7f1a17c51455d4eedbbd3aec23d11cdb92ec1fb339fc018701320f18a2a6b63285aaafafea30fa614777d30cdf410ffd7698a48437760a142
-
Filesize
89KB
MD554c5864073c75e18b3743cfb560c5310
SHA119877d0d8cdc81a3fbcdf92e5387273ee23e22ed
SHA2565f8568a05ac1f933f6d608d182fef22f773ed28cbaa6b834a9f31ebaf19130d0
SHA512fd9348f50b5a2430d62b63ce0aa994e2139f89f420a3022afd389557b5742080af77e8a2a8bfecff6a2d24cc3b5760090269e74fb2581ac82a4a23772f5ab193
-
Filesize
304KB
MD54e0235942a9cde99ee2ee0ee1a736e4f
SHA1d084d94df2502e68ee0443b335dd621cd45e2790
SHA256a0d7bc2ccf07af7960c580fd43928b5fb02b901f9962eafb10f607e395759306
SHA512cfc4b7d58f662ee0789349b38c1dec0c4e6dc1d2e660f5d92f8566d49c4850b2bf1d70e43edf84db7b21cb8e316e8bcc3e20b797e32d9668c69a029b15804e3f
-
Filesize
1.8MB
MD5b4720c6b85384eb6bfd8435a44ca73e3
SHA121f112312adb61a932d6d7ed2b044465bb4dcf46
SHA2563b028d3534d1381e00c3e53e38175c9232c99371a40375d439c3865f5fb7553c
SHA5128898e563616fc46f21229ecc70310d496b2cfcad6f320713932501d03c35712e094ec04c4c25e96f4a0cfc206426252e08b3d01428928076a957683b3c650d48
-
Filesize
2KB
MD5de9423d9c334ba3dba7dc874aa7dbc28
SHA1bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA51263f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
964KB
MD5cd7a487bb5ca20005a81402eee883569
SHA1f427aaf18b53311a671e60b94bd897a904699d19
SHA256f4723261c04974542a2c618fe58f4995f2dcaf6996656bb027d65adeeca6caf7
SHA51224da7a345429f2bc7a1b1e230f2d4400b8d57ecdf822d87d63fd4db0aed888b3ea3e98f8cb3f5b83986bfb846c1bd6eac2ac9382caba267c6ceca6ee77d79417
-
Filesize
4.3MB
MD5c80b5cb43e5fe7948c3562c1fff1254e
SHA1f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD5ee998e521ac5e0aaa0dbf51b88a44398
SHA1ccfceff1902e054692d0d238810afff696ee4c3b
SHA256e923d63211368efd6e8ecf134736c3c8afabf38d4c88bfbe16fceae89488d34e
SHA5121e33e9ad3f4cd3af881d57ec705ab5d603a2756e33042c3f50d2bca043a4aacfbdb9dd83ca71535476882c538b0ee8c21c2548f1e0aad4dccc17ccba1ef0eb24
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\f7dd65da-4502-4bda-99e0-2fc8caa0ca93
Filesize733B
MD5431f61daf1fb2fae08030e3514cc6e9d
SHA18cf199e6fdb895ca47bfaf89365dba7c1bb06ec8
SHA256e68df5043303163134d68b2f109ac02015b5662b13f209093ee08ab992abfa24
SHA5123f26fb553ee90315a37bd0317b88c7e09350fbc74d10b2db35c1a2e90ed97e0f0f92f805d87e501abff23a2977cb2283cb5349c9df8442f75cb019378a2d3e1f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD59d65780ff20ec8ee0a6d04d450a820ed
SHA1b7d5635b7c7133a6d9503b0c8684a6233b3b8edc
SHA2563351321a6e780807022a76969f463cc713988be6e89da7b67057e16b68537988
SHA51294371ecb116472d6c2f3422a243ea0fe51a13ba2f24e5d4b27dbff2e48b43d72f2b347ecd44843e3d70d6c35b48bdec46413c5edae8b8c43639ce43b914a8067
-
Filesize
7KB
MD50669c38ffaea8d4c543db724d092c1d2
SHA102ba8aa3b865e1b2da2137e43692dab081fc5adc
SHA256a2f4c9bef1744e7f50b395578a04771a90b2dba86202d947abbbcb3a684472a3
SHA5128cef94bd27f04f3c8a509367042f0f6ac24ac417c645a6e18f4f4346939f800685be56a2417e4142c236337c194b392fd66f95aad11f685aff8f29c24f30798d
-
Filesize
6KB
MD5608501c67abadaab56393fad4feb3a82
SHA1c144424d58e9cda9cba92ebf50da5a22fbe5b124
SHA256e7d0dad1b5ebba54a8702926ce1266e1819c0a64fd5945a532325cfb13da6414
SHA51266d2f553f54febf079eb6322647b268a7ca587ecb226f3f13f8cade152d42b5b1043726e8d3a92c618109f75aa0c0c28951fcd2dba6343eeebdd85f1be222233
-
Filesize
6KB
MD5ec100b77dab253d580232b0fafe8fc68
SHA1bddc3c7c3242e8834982b475e89d977d85f73a1a
SHA2563ad4d35003258139f10985cf30f59d6511c0f2538b0226292fca7acb02db25b3
SHA5124ccdcf9d00a28f13746622f1f652308cff2a8570c3fc4d58626a3bc8fe14d5515d8c4ccada4d917892117e7a003ab6fd1bbb368f75034a17cc0902234cb0e318
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5434913c17262232c6085886ad913397e
SHA18e879112956f600c8b739cdfe1e6e05325c8a906
SHA25621ce09a8d3a6dd9e6ec96d762aeb1b41f0b3ae91be2c277a3ab0e94e3118ae1f
SHA5124cfa6073e07235ed4d51a57c116df315364ab2df6dea7d2bc8df31fa8198ab5b9e55a5f0162d17898e6649128c807fd0a2abfc51697fde56c8fe339b6a3c2eae
-
Filesize
14KB
MD5afb7cd2310f1c2a3a5a1cc7736697487
SHA1d435168703dba9a2b6e955a1332111687a4d09d7
SHA2562e75641d7330b804c3cc6ef682306d2b0f89c4358dac3e1376b5fb2ebd6e2838
SHA5123a05ff62f4c2cd71d5ecd5732c9d3f8ef91077a056e4082530fed64409b26cab7f4617e03ca65faf1738faffec49f2de65f0f082cbbda1b12bdd07b85b985c26
-
Filesize
17KB
MD50f38dd38b314e7e7ada9f09506d9df32
SHA15c83750cf4aea5293d704df043f505ea4d05e239
SHA2565f3dc66fb6ed58b324512c57ef781d1092c1c2ae7e0cb5d287907f9b4bb77248
SHA512c80dfdf3a3eeefacf631f31691aec278d01b08b4c2ec151d3eeef2256c37202ff6aad363f872e7f9d8b969663db72f213f68e3d4e709a2df39fce643689d1604
-
Filesize
14KB
MD5683d6579333e3973206b54af6be2c5ea
SHA1e9aebf6246633ead1750acbfaae4fdd6f767bec9
SHA256c446925083f68506717f84e9303d1ac9394bd32c1d98087784499f103617f1d2
SHA512858f87f00a28cf66215298673bbb8b4ef24ef7a160b932dfed421d4c5d78f469aea0c712d97cf154a264425137a25651d230a4137e1c6bdd4992096acf8370c7
-
Filesize
18.0MB
MD51cf17408048317fc82265ed6a1c7893d
SHA19bfec40d6eb339c5a6c2ad6e5fa7cebc147654c5
SHA2561352ad9860a42137b096d9675a7b8d578fbc596d965de3cb352619cbe6aaf4e9
SHA51266322d7cb5931017acaa29970da48642d03ce35007f130511b2848b67169c1dd4167f1e5a31e5e1dfe5f7122846482bdb878b5cd695ac58009033fd620813a0f