Analysis
max time kernel: 300s
max time network: 301s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system
submitted: 12-08-2024 05:02
Static task: static1
Behavioral task: behavioral1
  Sample: 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
  Resource: win10-20240611-en
General
Target: 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
Size: 1.8MB
MD5: b2f0d9cde6cd1f83091b9f2a6875e6a9
SHA1: a7bb83cc3f9edc38751ba908d3e0bf393dcfdfc6
SHA256: 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd
SHA512: 51bae1077f202a997dbb78e3ece8cf14737362aaeb0e263917a0ba44cfb89cee3b2532c2e5db88151e07c2c8f644be5a4fc3cffb4c6a7f202ee58812afae5de6
SSDEEP: 49152:38+S7Y13iG6Fl9z0+S92ONgoknqqFwY0OiMl+SkIxsNo:M5zplR0njNZviwYZjl+Yu
Malware Config
Extracted: amadey
  Version: 4.41
  Botnet: 0657d1
  C2: http://185.215.113.19
  install_dir: 0d8f5eb8a7
  install_file: explorti.exe
  strings_key: 6c55a5f34bb433fbd933a168577b1838
  url_paths: /Vi9leo/index.php
Extracted: stealc
  Botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
-
Executes dropped EXE 9 IoCs
Processes:
pid | process
1908 | explorti.exe
2676 | 445fa0a4b2.exe
832 | d97bf81a34.exe
3584 | 00a5877a53.exe
716 | explorti.exe
2812 | explorti.exe
4956 | explorti.exe
4740 | explorti.exe
3644 | explorti.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Wine | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\445fa0a4b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\445fa0a4b2.exe" | explorti.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4304-48-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4304-54-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
behavioral2/memory/4304-52-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid | process
2376 | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
1908 | explorti.exe
716 | explorti.exe
2812 | explorti.exe
4956 | explorti.exe
4740 | explorti.exe
3644 | explorti.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 832 set thread context of 2104 | 832 | d97bf81a34.exe | RegAsm.exe
PID 2676 set thread context of 4304 | 2676 | 445fa0a4b2.exe | RegAsm.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 00a5877a53.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 445fa0a4b2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d97bf81a34.exe
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
2376 | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
1908 | explorti.exe
716 | explorti.exe
2812 | explorti.exe
4956 | explorti.exe
4740 | explorti.exe
3644 | explorti.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3192 | firefox.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
2376 | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
4304 | RegAsm.exe
3192 | firefox.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
4304 | RegAsm.exe
3192 | firefox.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3192 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2376 wrote to memory of 1908 | 2376 | 259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe | explorti.exe
PID 1908 wrote to memory of 2676 | 1908 | explorti.exe | 445fa0a4b2.exe
PID 1908 wrote to memory of 832 | 1908 | explorti.exe | d97bf81a34.exe
PID 2676 wrote to memory of 4396 | 2676 | 445fa0a4b2.exe | RegAsm.exe
PID 832 wrote to memory of 2108 | 832 | d97bf81a34.exe | RegAsm.exe
PID 832 wrote to memory of 2104 | 832 | d97bf81a34.exe | RegAsm.exe
PID 2676 wrote to memory of 4304 | 2676 | 445fa0a4b2.exe | RegAsm.exe
PID 1908 wrote to memory of 3584 | 1908 | explorti.exe | 00a5877a53.exe
PID 4304 wrote to memory of 4056 | 4304 | RegAsm.exe | firefox.exe
PID 4056 wrote to memory of 3192 | 4056 | firefox.exe | firefox.exe
PID 3192 wrote to memory of 1660 | 3192 | firefox.exe | firefox.exe
PID 3192 wrote to memory of 3176 | 3192 | firefox.exe | firefox.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] "C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2376
  [2] "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1908
    [3] "C:\Users\Admin\AppData\Local\Temp\1000036001\445fa0a4b2.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2676
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 4396
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 4304
        [5] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Suspicious use of WriteProcessMemory
            PID: 4056
          [6] "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 3192
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.0.19618515\652589225" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1652 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {070a6be1-ecf6-4dd9-a9b5-5ab269c7b113} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 1764 2246ebdbb58 gpu
                PID: 1660
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.1.1101292760\478660733" -parentBuildID 20221007134813 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 21706 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdd798b3-ae81-4337-a4a5-001753a6db5b} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 2140 2245c872158 socket
                PID: 3176
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.2.1422336327\878201955" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2796 -prefsLen 21809 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {484b2c63-a3ea-4af2-83d1-ec57f7b6d0e0} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 3040 2246eb5ce58 tab
                PID: 4108
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.3.794031687\1621949624" -childID 2 -isForBrowser -prefsHandle 3320 -prefMapHandle 2464 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ee19dc2-4ccc-4510-91fb-d98caecb6bb0} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 996 22473064a58 tab
                PID: 2972
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.4.1683067599\460580353" -childID 3 -isForBrowser -prefsHandle 4708 -prefMapHandle 4692 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a64049ca-e622-4596-aae9-c069d4b04358} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4716 22475c76c58 tab
                PID: 5004
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.5.695800744\1999302700" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa3a6e0-5134-4e68-881e-41bcb8fe4110} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4960 22475c77258 tab
                PID: 4220
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.6.1521049519\553312737" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 4968 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e50958ed-7ee6-4893-a65a-3406b9dfe4d4} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 5088 22475d54558 tab
                PID: 4952
            [7] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3192.7.1782515130\1096917961" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5544 -prefsLen 26529 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {740ae149-2aa6-42b3-80bd-3dbb1747fddf} 3192 "\\.\pipe\gecko-crash-server-pipe.3192" 4892 2247713fb58 tab
                PID: 2024
    [3] "C:\Users\Admin\1000037002\d97bf81a34.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 832
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 2108
      [4] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - System Location Discovery: System Language Discovery
          PID: 2104
    [3] "C:\Users\Admin\AppData\Local\Temp\1000038001\00a5877a53.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3584
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 716
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 2812
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4956
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 4740
[1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID: 3644
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
SHA512613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5c2cced1d7aa1ad750047f4c020d8bfcc
SHA1c6055b89e52ccac5cdf52ec8aae8e1c2c03088ce
SHA256c480c6a2c0672c121680db26926775a37b402d7e434b8390119ad872c17b469d
SHA5127f40892814764bb079d8b41c33742223d23649c901d463cb0bf9a41c0e73da3c6318245f744b8829ebb0f1c05b6258d5cff8284bbe9f8022caf0fb3b2ecf8fc5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e175b8a1-6099-4d69-a76a-781f3eb0d5dc
Filesize10KB
MD57b47b0e42a336407b8cf5d4f314b485b
SHA1cf61d0941230bea56173595e8237ec1d7b57aafd
SHA256356f4979450f5390bbedf168f00e00bc33a802b458ec94bf4a034e73fc9ef826
SHA512ac1e84f39b9a3daee5b97d62c3a2489b7f43b97731d0f7ea3b88e1b271b3b1fc512b81d33f42eb89cfe9c18ce4a6d774b8d71ac5fc61732f29d814e19ba2de6f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\e7f69535-c382-4282-8fca-7f272ad2b08b
Filesize746B
MD58eb5dac91382eada115a2d7c506f8de0
SHA1c89a803a204a90cf07b57acbb245d3371c95c95a
SHA25655ef004d98fb9c9fc4ea73e55ffd554190c8973a5a18ea8009d4b5c053bb5899
SHA512165867cb7eba8b9adb3e74a9f298901768ac6edf29f78212ce07ef5000cf8e8d6815af3c9048f565c7b2ebba261302b72ad2e9a771fa3b0d3baf58f3f18aeb3a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5556188707146e39beffee94f3ef47eb8
SHA126d3de95b90635525bf7362d9b742d793e454c80
SHA256f86551698b34a6fcdfaebe38529d596eaa06d3e63552520f1138e3a00833c88e
SHA512180e15a7f6231ef02cc6ddfcf2d5578b7c69cd936aa41f19d22f93309cbb4c1339ea68c98500e693b7d384c27fccefdd1eb37cf7e050c9b0d0e029dbe8b3f447
-
Filesize
6KB
MD5da8d649e80251e5aea3385e1556c8c43
SHA12663b67d9f253ae19f79ebabb4362db2eee1bab4
SHA25642ef1f55a030b61bb317376cacead743edf464a826ca5665bd4873cc18fac779
SHA5125d11ccff32dc4f6e5575c65270cc7e9e8d3e39cb9d719c02307593ae23f6cec76c61af38a38cf9e7966592be5994536c312368cdb27b3af038475bf294ce53d4
-
Filesize
7KB
MD54067c76945ad26046292a71176842f03
SHA1a88c0e5380eb8cad6819b1c0438ebbf0290e2bb6
SHA256e993a03aa88a21a20330d190c1e7bda88390ed6e01c2574d85b55e6431e0f652
SHA512c2dd79d421db188b78805f91c7df0d617ba0402cb9f5256790b791925f85dfe2b267485de3e6954942402dd86c5f0ffbd8c7acd49d4d1da40573130588fa4b10
-
Filesize
7KB
MD5cb6eaa309751919d2f146ebb6b7b980d
SHA1ccc40bf1ea7107ea934034b01d5b6ac0e04577fe
SHA2560d39b8c8223863b694b543482464db109ddb975aae9189d5387df6b4ef7fa497
SHA5127d045d77ad47947ae526eb59700355882860a4b245c58add2adf871ab1a3375ac73c9e64a92722f3cff571989514ca48c80f0b660045bce15dfebc96427dcd6b
-
Filesize
6KB
MD5851cb82269f00d289553c1447c7b9c58
SHA191cdab107b3fe885a1b41d67ce956190470e9a59
SHA256bf7282998779d72095775f6c1a6a0c1dd3154fe8df9198fccfd8bed7c654ead0
SHA5125bb6a3c97e2a73af139efe5942e4d3183fc543f683dd41ef760e52af49d1cff5e4c02702d5bf4b24a9733f42d148cf904411b50efa7929a07f84c3354034c466
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5f6ea354907746df9dd80ec9ed4c83653
SHA1b23e04cfa0daca79f316fffde8e93494e074d61d
SHA256d62bfefa2cba7650effc22e472645ed6125f3f0ac294af93d6e5de6cfffa9a30
SHA512139f4afacb4ee156d7bf7fd5abcb15e86927053d3da7ba8e61caaebd3b90026d4f45f87cf1e2bc031eb54d0d426d95e707e64186454e3ea68b5e519cc3cd704f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5792a9225c20ba7bee624f485d35b2dfe
SHA14d187d56649087d735626221ce5c1cbf4f65d6e2
SHA25679fa15f6bf5b35d7ee0b1f13c188be35c8f1939de7b08534c1c1a6f22694d728
SHA512337669f8ea6723711080ff3a3523592b8ab036ea85a0619805602c9702eba231c32cde3e6c167ff8964ea147e237be626b1bdb2b178c565b94ca9c034de6de3e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD54c1f58aca80b52032da4ac4bee4ce462
SHA19ce602c07d2e23aebc8a60043c1e530197c6b04c
SHA25684b09dcc0173819e4e0f7e70560d18b08b7588e87a1243a1331a8e8cee3ce372
SHA51260c5f8e824fcd032d05bbc1cd356ecd3d53b7952283670ad5b06f548d1ffd330400af830c44b0400de1eb606c893af4f53b5165ba7ab7b8ab19a3bedcedfe83d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\targeting.snapshot.json
Filesize4KB
MD5c8645ab5ca9cbf9b935755443884f23a
SHA17e0b69d3c0b3d6568aba62f83f01b2a4bbdec1fe
SHA2560f569c91685fb13de271a2e04a0061a72192d447e9ff5ee73a56f876ee67be6f
SHA5120360c0e0ea147773eccdfbffb7650b29db53f2fc3b0b8327f368b1d2514c37557a75aa1e408665da2c126720c487dfcb10d3fa95165d7892bf3e39ffa04974d9