Analysis
- max time kernel: 299s
- max time network: 291s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 12-08-2024 05:00
Static task: static1
Behavioral task: behavioral1
- Sample: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- Resource: win10-20240404-en
(The signatures and process tree below come from behavioral1, the Windows 7 x64 run; the memory-dump YARA hits reference behavioral1 explicitly.)
General
- Target: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- Size: 1.8MB
- MD5: 4a92075dbd9a0ed4d476c7372a6acff3
- SHA1: 9033b86c9e62e54f9cb90555cd5290c802051f35
- SHA256: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8
- SHA512: 961127df540addb9cbaf6e0c145a64d1624d661e86e9905db01d8a21962b30af317f2d18fad10c18632a62147ac659fb5350846dc782ea43690be0abe6d1e16f
- SSDEEP: 49152:FqO0nVOU6s2WK6pKGxzaai3syzpBtgVQS/N:FqOQEU6s86OLc2JXS/
Malware Config
Extracted: amadey
- Version: 4.41
- Botnet: 0657d1
- C2: http://185.215.113.19
- install_dir: 0d8f5eb8a7
- install_file: explorti.exe
- strings_key: 6c55a5f34bb433fbd933a168577b1838
- url_paths: /Vi9leo/index.php
Extracted: stealc
- Botnet: kora
- C2: http://185.215.113.100
- url_path: /e2b1563c6670f193.php
The Amadey install_dir and install_file values match the drop observed in the process tree (C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe), and both C2 hosts sit in 185.215.113.0/24. The full C2 endpoints are the host joined with the path, i.e. http://185.215.113.19/Vi9leo/index.php for Amadey and http://185.215.113.100/e2b1563c6670f193.php for Stealc.
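To turn the two extracted configs into hunting artefacts, here is an added Python example (not Triage's, Amadey's or Stealc's code) that assembles full C2 URLs from host plus path for both config shapes, defangs them for a report, and predicts the Amadey drop path so it can be checked against the process tree. The config values are copied from the section above; the base directory C:\Users\Admin\AppData\Local\Temp is an assumption taken from the observed explorti.exe path, not from the config itself.

```python
r"""Derive hunting artefacts from the extracted Amadey and Stealc configs.

Added example for this report, not the sandbox's or either family's own code.
CONFIGS mirrors the "Malware Config" section; the Temp base directory passed
to expected_install_path() is taken from the process tree, not the config.
"""

CONFIGS = {
    "amadey": {
        "c2": "http://185.215.113.19",
        "install_dir": "0d8f5eb8a7",
        "install_file": "explorti.exe",
        "url_paths": ["/Vi9leo/index.php"],   # Amadey uses a list of paths
    },
    "stealc": {
        "c2": "http://185.215.113.100",
        "url_path": "/e2b1563c6670f193.php",  # Stealc uses a single path
    },
}


def c2_urls(configs):
    """Full C2 URLs for every family, tolerating both the plural and singular path keys."""
    urls = []
    for cfg in configs.values():
        paths = cfg.get("url_paths") or [cfg.get("url_path")]
        for path in paths:
            if path:
                urls.append(cfg["c2"].rstrip("/") + "/" + path.lstrip("/"))
    return urls


def defang(url):
    """hxxp://1[.]2[.]3[.]4/path form, so the URL cannot be clicked by accident."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}/{path}"


def expected_install_path(cfg, temp_dir):
    """Where an Amadey-style config says the loader copy will live: <temp>\<install_dir>\<install_file>."""
    return "\\".join([temp_dir.rstrip("\\"), cfg["install_dir"], cfg["install_file"]])


if __name__ == "__main__":
    for url in c2_urls(CONFIGS):
        print(defang(url))
    print(expected_install_path(CONFIGS["amadey"], r"C:\Users\Admin\AppData\Local\Temp"))
```

Comparing the predicted install path with the second process in the tree is a cheap consistency check between the static config extraction and the dynamic run.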
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store. In this run the RegAsm.exe instance that 4319333f82.exe injected into (PID 964, see the SetThreadContext signature) launches Firefox directly on the Google account password-settings URL; see the process tree below.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
VirtualBox guests expose ACPI tables whose OEM ID is VBOX__, so opening this key only succeeds inside VirtualBox.
Processes: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe, explorti.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorti.exe, 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
Executes dropped EXE 4 IoCs
Processes:
- PID 2764 explorti.exe
- PID 2936 4319333f82.exe
- PID 2640 3f10a3c797.exe
- PID 2320 2afc91cf65.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment; the HKCU\Software\Wine key exists only under Wine.
Processes: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe, explorti.exe
- Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine (107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine (explorti.exe)
Loads dropped DLL 5 IoCs
Processes:
- PID 2688 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe (1 event)
- PID 2764 explorti.exe (4 events)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: explorti.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\4319333f82.exe = "C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe" (explorti.exe)
The value is written under the user hive (HKCU), so it needs no elevation and fires at the next logon of this user; the value name is simply the downloaded payload's file name.
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
Processes: YARA rule autoit_exe matched six memory dumps of PID 964, all covering the region 0x0000000000400000-0x000000000052D000:
- behavioral1/memory/964-44-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/964-52-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/964-54-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/964-51-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/964-46-0x0000000000400000-0x000000000052D000-memory.dmp
- behavioral1/memory/964-48-0x0000000000400000-0x000000000052D000-memory.dmp
PID 964 is the RegAsm.exe instance that 4319333f82.exe injected into (see SetThreadContext below). RegAsm.exe is a .NET tool, so an AutoIt match inside its address space means the injected image, not the host, is the AutoIt-compiled executable.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class detaches the calling thread from any attached debugger, a common anti-debugging call.
Processes:
- PID 2688 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- PID 2764 explorti.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: 4319333f82.exe, 3f10a3c797.exe
- PID 2936 (4319333f82.exe) set thread context of PID 964 (RegAsm.exe)
- PID 2640 (3f10a3c797.exe) set thread context of PID 2828 (RegAsm.exe)
Both targets are freshly started child copies of the .NET RegAsm.exe, a signed Microsoft binary. Taken together with the WriteProcessMemory events below, this is the process-hollowing pattern: the payload is written into a suspended host and its entry point redirected through a new thread context.
Drops file in Windows directory 1 IoCs
Processes: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- File created C:\Windows\Tasks\explorti.job (107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe)
A .job file under C:\Windows\Tasks is a Task Scheduler 1.0 job definition; it is named after the Amadey install_file, so this is the on-disk artifact of the scheduled-task persistence reported under "Uses Task Scheduler COM API" below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: explorti.exe, 4319333f82.exe, RegAsm.exe, 3f10a3c797.exe, RegAsm.exe, 2afc91cf65.exe, 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorti.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4319333f82.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3f10a3c797.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2afc91cf65.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe)
Every stage, the loader, its copy, both injected RegAsm.exe instances and all three downloaded payloads, performs this check, which is consistent with a locale gate applied by each component independently.
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Note that only firefox.exe, the legitimate browser from C:\Program Files launched by the injected RegAsm.exe, triggers this signature; a browser reading CPU details at startup is expected behaviour, not evidence of evasion by the sample.
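The three evasion signatures above (VirtualBox ACPI table, BIOS version strings, Wine key) and the two discovery signatures (system language, processor information) are all registry reads, so they can be classified by path alone. The following is an added Python example, not Triage's own code, that tags a list of (process, registry path) events constructed from the IoCs in this report and flags a process only when it trips two or more distinct evasion rules, so that firefox.exe, whose CPU reads are normal browser behaviour, is not flagged. The ATT&CK mappings and the two-rule threshold are this example's assumptions.

```python
"""Tag sandbox registry-access events as evasion or discovery, per process.

Added example for this report, not Triage's own code. EVENTS is constructed
from the "Key opened" / "Key value queried" IoCs in the signatures above.
"""
import re
from collections import defaultdict

SAMPLE = "107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe"
HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000"

EVENTS = [  # (process image, registry path), copied from the report's IoCs
    (SAMPLE, HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    ("explorti.exe", HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    (SAMPLE, HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (SAMPLE, HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("explorti.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("explorti.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (SAMPLE, HKU + r"\Software\Wine"),
    ("explorti.exe", HKU + r"\Software\Wine"),
    (SAMPLE, HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("explorti.exe", HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("4319333f82.exe", HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("firefox.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier"),
    ("firefox.exe", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
]

# Path pattern -> (tag, ATT&CK technique). The VBOX__ ACPI table name and the
# Wine key exist only inside those environments; BIOS strings reveal the
# hypervisor vendor; NLS\Language is read to skip hosts in certain locales.
# The technique mapping is an assumption of this example.
RULES = [
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I), "evasion:virtualbox_acpi", "T1497.001"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), "evasion:bios_strings", "T1497.001"),
    (re.compile(r"\\Software\\Wine$", re.I), "evasion:wine_key", "T1497.001"),
    (re.compile(r"\\Control\\NLS\\Language$", re.I), "discovery:system_language", "T1614.001"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I), "discovery:processor", "T1082"),
]


def classify(path):
    """Return (tag, technique) for one registry path, or None if no rule matches."""
    for rx, tag, technique in RULES:
        if rx.search(path):
            return tag, technique
    return None


def tags_by_process(events):
    """Map each process image to the set of tags its registry accesses triggered."""
    out = defaultdict(set)
    for proc, path in events:
        hit = classify(path)
        if hit:
            out[proc].add(hit[0])
    return dict(out)


def anti_analysis_processes(events, min_evasion_tags=2):
    """Processes that trip at least `min_evasion_tags` distinct evasion rules.

    One discovery read (a browser asking for CPU details) is ordinary program
    behaviour; several independent VM/sandbox probes in one process are not.
    """
    flagged = set()
    for proc, tags in tags_by_process(events).items():
        evasion = {t for t in tags if t.startswith("evasion:")}
        if len(evasion) >= min_evasion_tags:
            flagged.add(proc)
    return flagged


if __name__ == "__main__":
    for proc, tags in sorted(tags_by_process(EVENTS).items()):
        print(proc, sorted(tags))
    print("anti-analysis:", sorted(anti_analysis_processes(EVENTS)))
```

Run against the constructed events, the sample and explorti.exe are flagged (three evasion tags each), while 4319333f82.exe (language check only) and firefox.exe (processor reads only) are reported but not flagged.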
Modifies registry class 1 IoCs
Processes: firefox.exe
- Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 2688 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- PID 2764 explorti.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: firefox.exe
- Token: SeDebugPrivilege, PID 864 firefox.exe (2 events)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe, RegAsm.exe, firefox.exe
64 entries in total: one for PID 2688 (the sample), four for PID 864 firefox.exe, and the remainder for PID 964 RegAsm.exe. FindShellTrayWindow is a GUI-interaction call that a browser makes routinely; RegAsm.exe is a console tool with no GUI, so the calls from PID 964 belong to the injected payload, not to RegAsm itself.
Suspicious use of SendNotifyMessage 64 IoCs
Processes: RegAsm.exe, firefox.exe
64 entries in total: three for PID 864 firefox.exe, the rest for PID 964 RegAsm.exe. As with FindShellTrayWindow, the volume from the injected RegAsm.exe is the notable part.
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe, explorti.exe, 4319333f82.exe, 3f10a3c797.exe, RegAsm.exe, firefox.exe
Writes grouped by source PID to target PID, with the number of events in each group (64 in total):
- 2688 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe wrote to 2764 explorti.exe: 4
- 2764 explorti.exe wrote to 2936 4319333f82.exe: 4
- 2936 4319333f82.exe wrote to 2176 RegAsm.exe: 7
- 2936 4319333f82.exe wrote to 2064 RegAsm.exe: 7
- 2936 4319333f82.exe wrote to 964 RegAsm.exe: 14
- 2764 explorti.exe wrote to 2640 3f10a3c797.exe: 4
- 2640 3f10a3c797.exe wrote to 2828 RegAsm.exe: 13
- 2764 explorti.exe wrote to 2320 2afc91cf65.exe: 4
- 964 RegAsm.exe wrote to 1900 firefox.exe: 4
- 1900 firefox.exe wrote to 864 firefox.exe: 3
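The SetThreadContext and WriteProcessMemory signatures above are most useful read together: a parent that both writes into a child and replaces one of its thread contexts, where the child is a signed Microsoft binary such as RegAsm.exe, is the classic process-hollowing pattern. The following is an added Python example, not Triage's code, that parses event lines in the report's own wording (EVENT_TEXT is a constructed subset of the lines above, with repeats kept), pairs the two event types, and separately lists the RegAsm.exe instances that 4319333f82.exe wrote to but never re-pointed (PIDs 2176 and 2064 in this run). The INJECTION_HOSTS list is an assumption of the example.

```python
"""Pair WriteProcessMemory and SetThreadContext events into injection chains.

Added example for this report, not Triage's own code. EVENT_TEXT is a
constructed subset of the two signatures above, in the report's own wording;
repeated lines are kept because the write count is part of the evidence.
"""
import re
from collections import Counter

EVENT_TEXT = """
PID 2688 wrote to memory of 2764 2688 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe explorti.exe
PID 2688 wrote to memory of 2764 2688 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe explorti.exe
PID 2764 wrote to memory of 2936 2764 explorti.exe 4319333f82.exe
PID 2936 wrote to memory of 2176 2936 4319333f82.exe RegAsm.exe
PID 2936 wrote to memory of 2064 2936 4319333f82.exe RegAsm.exe
PID 2936 wrote to memory of 964 2936 4319333f82.exe RegAsm.exe
PID 2936 wrote to memory of 964 2936 4319333f82.exe RegAsm.exe
PID 2936 wrote to memory of 964 2936 4319333f82.exe RegAsm.exe
PID 2640 wrote to memory of 2828 2640 3f10a3c797.exe RegAsm.exe
PID 2640 wrote to memory of 2828 2640 3f10a3c797.exe RegAsm.exe
PID 964 wrote to memory of 1900 964 RegAsm.exe firefox.exe
PID 2936 set thread context of 964 2936 4319333f82.exe RegAsm.exe
PID 2640 set thread context of 2828 2640 3f10a3c797.exe RegAsm.exe
"""

# One regex for both event kinds; the source PID is repeated after the target
# PID in the report's wording, hence the (?P=src) back-reference.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)

# Signed Microsoft binaries commonly started suspended and overwritten with a
# payload. Assumed list for this example.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                   "installutil.exe", "aspnet_compiler.exe"}


def parse_events(text):
    """Return (writes, contexts, names).

    writes   : Counter of (src_pid, dst_pid) -> number of WriteProcessMemory events
    contexts : set of (src_pid, dst_pid) pairs that saw SetThreadContext
    names    : pid -> image name as reported
    """
    writes, contexts, names = Counter(), set(), {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not one of the two event kinds
        src, dst = int(m["src"]), int(m["dst"])
        names[src], names[dst] = m["src_name"], m["dst_name"]
        if m["op"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            contexts.add((src, dst))
    return writes, contexts, names


def hollowing_candidates(text):
    """(src_pid, src_name, dst_pid, dst_name, write_count) for each pair where the
    parent both wrote into the child and set a thread context, and the child is
    a known injection host."""
    writes, contexts, names = parse_events(text)
    return [
        (src, names[src], dst, names[dst], writes[(src, dst)])
        for src, dst in sorted(contexts)
        if writes[(src, dst)] and names[dst].lower() in INJECTION_HOSTS
    ]


def abandoned_targets(text):
    """Children that an injecting parent wrote into but never gave a new thread
    context: host instances that were started and then discarded."""
    writes, contexts, names = parse_events(text)
    injectors = {src for src, _ in contexts}
    return sorted(
        (src, dst, names[dst])
        for src, dst in writes
        if src in injectors and (src, dst) not in contexts
    )


if __name__ == "__main__":
    for hit in hollowing_candidates(EVENT_TEXT):
        print("hollowed:", hit)
    for miss in abandoned_targets(EVENT_TEXT):
        print("written but not re-pointed:", miss)
```

On the complete event list the same parser counts 14 writes into PID 964 and 13 into PID 2828, against 4 each for the plain parent-to-child launches (2688 to 2764, 2764 to 2936, 964 to 1900). A few writes into a freshly created child are made by CreateProcess itself, so the write count alone is weak evidence; the pairing with SetThreadContext into a signed host binary is what carries the detection.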
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The C:\Windows\Tasks\explorti.job file created by the sample (see "Drops file in Windows directory") is the on-disk form of such a task and is named after the Amadey install_file, so the loader copy explorti.exe and the downloaded 4319333f82.exe (Run key) have separate persistence mechanisms.
Processes
(tree depth in brackets; signature bullets follow each entry)
[1] C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2688
[2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (the Amadey install_dir/install_file from the extracted config)
Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2764
[3] C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\4319333f82.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2936
[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID: 2176 (no signatures; written to by PID 2936 but never given a new thread context, see the WriteProcessMemory and SetThreadContext signatures)
[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PID: 2064 (no signatures; same situation as PID 2176)
[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 964 (the instance 4319333f82.exe injected into; the autoit_exe YARA hits are in this process's memory)
[5] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Launched by the injected RegAsm.exe; the URL is the Google account password-settings page.
- Suspicious use of WriteProcessMemory
PID: 1900
[6] C:\Program Files\Mozilla Firefox\firefox.exe (Firefox's launcher process re-spawns the browser; PID 864 below is the main browser process)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 864
The [7] entries below are Firefox's own -contentproc children (GPU, socket and tab processes), not malware.
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.0.1892668569\1604881904" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f5ce8cd-3e41-4b17-be61-c091035c38da} 864 "\\.\pipe\gecko-crash-server-pipe.864" 1296 45d8458 gpu
PID: 2796
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.1.1553072931\2131308318" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2299702-4238-40b3-8683-fce1af55e655} 864 "\\.\pipe\gecko-crash-server-pipe.864" 1496 e71858 socket
PID: 2628
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.2.2083489582\2019642731" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2044 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c44cea08-5b03-45a5-a5f1-7d2b192ebeed} 864 "\\.\pipe\gecko-crash-server-pipe.864" 2068 455a458 tab
PID: 1924
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.3.1404986934\1102116868" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8086d4a-f8d1-4b74-881a-3cc8da9ce073} 864 "\\.\pipe\gecko-crash-server-pipe.864" 2912 e30158 tab
PID: 2068
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.4.2142128249\1881575508" -childID 3 -isForBrowser -prefsHandle 3784 -prefMapHandle 3792 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c8646a-8dde-4b6f-93ac-1df0e4aef767} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3800 1ffd3058 tab
PID: 2964
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.5.68785526\789058439" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1ff75b5-1eff-4488-8a30-e51e59147058} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3916 1ffd3958 tab
PID: 2748
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.6.1317749055\1428459700" -childID 5 -isForBrowser -prefsHandle 4080 -prefMapHandle 4084 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2145ca11-ab67-4e9e-ad0f-3ec21c8454a2} 864 "\\.\pipe\gecko-crash-server-pipe.864" 4060 1ffd4858 tab
PID: 2780
[7] C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="864.7.1478840435\1503009647" -childID 6 -isForBrowser -prefsHandle 3968 -prefMapHandle 3972 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b45984-7aa5-45c8-a0de-3ed64c48ce63} 864 "\\.\pipe\gecko-crash-server-pipe.864" 3956 22c8db58 tab
PID: 1752
[3] C:\Users\Admin\1000037002\3f10a3c797.exe (note: dropped directly under the user profile, not under Temp like the other two payloads)
Command line: "C:\Users\Admin\1000037002\3f10a3c797.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2640
[4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (the instance 3f10a3c797.exe injected into)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
PID: 2828
[3] C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2320
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
Files written during the run. Paths are shown where the report recorded them; entries without a path are recorded by hash only. The Firefox profile, cache and GMP plugin entries are the browser's own files created when the injected RegAsm.exe launched it, not malware artefacts.
-
Filesize: 206KB
MD5: 62c81eb8cd78dbcf5767f84caad6972e
SHA1: 9a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256: 166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA512: 2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 46KB
MD5: bc7f263fa748782fef952f0a2be05f86
SHA1: ecf73428b56e662ac3499818f202d946d3ede996
SHA256: aa5ba3cb2ccd0b29b4bc81e02dab773d6304e7fe3fbc1505610247fabb69961e
SHA512: 03ebd4b6528de9aef399774f4b78599a8cfe052ea2cd0bc95eb6aa8d7e58e2b9e61a3eac56f5a693806f9ca4e0df811a346cdb55f360888b13bcc1f96f237309
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913
Filesize: 9KB
MD5: c7f1f33f05554d1ade98e9ecc2cb4397
SHA1: 25579ad40f3523712e1098497ffe21971862f0a8
SHA256: 655859b69149f7d7752d4a07ace34e46057a5da7eb65ec80a69171e1f27087b2
SHA512: 650da86b72801487b688bb677f7dedf28df6835f82a6f674604f60c3ed1cc1125e40c32835dce822de309c212e9b64d9db906aa2c81649df69e3d4069c4a3342
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2
Filesize: 15KB
MD5: 1c8134e403e5f6275559f31a8e750dad
SHA1: 04f8902b9c389d0f762ba21e35418aad17d8d241
SHA256: 97729157e9bc829bdf527c1cfa12bf384c8831f02da811b6fdb3fbc96f68f850
SHA512: 60eb64b47ec3f65dade79d85aaa48367976c1c09f12fa870bef9fa7391ea2aa1036cecebd6ce03521ec0412b9b5aecbd1511c46d7e6c0d094e649b3f5b56ac82
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
Filesize: 9KB
MD5: c3c305a14eb5463d357f8ef3eb3fe6ce
SHA1: 1764c7bf30829ad16c2e100c5f5991a2f2836ca2
SHA256: 42693cd16c2aab91079621f895f7718b71cd42bd2fcf840c58a2b207a3038b7d
SHA512: c20e4ae5197d0e8660a3368327141aeff2a0be5eb66e4bd01efece40d28950bf81c04c72908406b76ffca86a7fe6be8b2a9034773d1e769e7f9c6bfbcde55528
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize: 13KB
MD5: 3c432a25082fc1eb89d73697906b1ca0
SHA1: 62c705926ae6fc4d5bfb470883a8737c0fefc830
SHA256: 855219f6dc1256a16a236e1f550e9bc5bc2b9f48223843eaf7c3ae78c02b7127
SHA512: 447303a771fb2899fac80f9fbc0ebe4fb5cfbf35a6d56d92624abafeeff6f9784a5dbc94496069480fbad0aa147c350f9bae2a94d3c5b918ee4f558ddb95db6b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize: 15KB
MD5: 412a4d96c30f33ba90e10c5146a9a119
SHA1: 04c56dc6b45b84ee22e20fef92a9aab06601cb1e
SHA256: d7adc6dcb6c4d0445924a4259f8f2a547448db0612f9404cfff84a389983e1e6
SHA512: d2e9c349f9b67698feec549b6f8b9fdc79ed99f39a48622f59ababf6d29ca58aba3709c29a998b1445d71728908d30edd140e47a34d15112a50b72731607eb21
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\9F2876E394CC0D145C752C03A25AEA847C11112D
Filesize: 32KB
MD5: 8bcc22d59c316dba8d3abd229e4bc363
SHA1: 00a7a6774813c67843af73aa00a75da16a0a65c3
SHA256: bec6d6e2c67d05acce105c4e7731a326e1697dd038ff6c6a20141e7f22f6440f
SHA512: 5fd3958a75165c337476e722b779e561b28e12316390d77034784898e231c6f19eb5ac3c4f830bbefcfe9d408a1c1db5819e57262693796f7f29ad1e7a7bcfc6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085
Filesize: 11KB
MD5: 8d869d871c17b2ff88f93f05310f126e
SHA1: 3e7dbe0760b17d39b76d4d0bf9dcacc0db704bc4
SHA256: fe6f3014c4837bf5550629a880eaf1c35306f25c6108366d917e8a7779d6839a
SHA512: b0d2c0408ffcc92bd24d67fb54e2c7e3ec43e47564d1a29b91b2e297fd5e2630b8b5d9575b065de8598e0cee1859716b370c1e051bf3695df82388ee89948ed0
-
Filesize: 1.8MB (identical hashes to the submitted sample)
MD5: 4a92075dbd9a0ed4d476c7372a6acff3
SHA1: 9033b86c9e62e54f9cb90555cd5290c802051f35
SHA256: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8
SHA512: 961127df540addb9cbaf6e0c145a64d1624d661e86e9905db01d8a21962b30af317f2d18fad10c18632a62147ac659fb5350846dc782ea43690be0abe6d1e16f
-
Filesize: 1.2MB
MD5: db946418424011c782182c76ab8c179f
SHA1: d640d54d341cf6341bd434c9015d23d22156612a
SHA256: bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512: a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956
-
Filesize: 187KB
MD5: 278ee1426274818874556aa18fd02e3a
SHA1: 185a2761330024dec52134df2c8388c461451acb
SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize: 442KB
MD5: 85430baed3398695717b0263807cf97c
SHA1: fffbee923cea216f50fce5d54219a188a5100f41
SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize: 8.0MB
MD5: a01c5ecd6108350ae23d2cddf0e77c17
SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 7KB
MD5: b7379d370f7981892b5848df0e5e8914
SHA1: 4ef13c2765a6525a2513f417b5f5d66595fbeb3b
SHA256: de6a742a1685dc25ff72a59c481c4518953e9b23618ba6aa26aec7d357b890f6
SHA512: 4b650ed823e8d7b74eb125a28e0015230ff179b2ca177484ac242c90a20fde9eac4226af0748ba22b4c6298c2275af5a4ddd8527224dc91b56170f8547e46728
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\bookmarkbackups\bookmarks-2024-08-12_11_5h7eKW0pE3Aq-pSa2dI0OA==.jsonlz4
Filesize: 946B
MD5: 895682c2fc2c07cda215ba62e57261b6
SHA1: fb66e4eea346617848114284d5f3c788ce3276af
SHA256: c156c613aaeda19ab4baead86896360c173d4af91d03c030b179fbda8372b4e5
SHA512: 00a3f07045bed64190797c18db731015afb997f378005c0acda45f6e6ed412a5ae1d20590a3376e4a32a6eb12289e611ce60543702c078090a20ac7ca8914317
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\broadcast-listeners.json
Filesize: 204B
MD5: 72c95709e1a3b27919e13d28bbe8e8a2
SHA1: 00892decbee63d627057730bfc0c6a4f13099ee4
SHA256: 9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512: 613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 5b8c162e2146e64f831a5829ea6f74f6
SHA1: a1def5f927bb4a5aceb23cf6b71302b155fae26a
SHA256: d4deb6805eb0b8fff8cbc90ab6213c16288fe8b2c8d94143d637b60f57722ca5
SHA512: 8ec24939c083c977a1a331fda3f2d83d09a750aaec3c8f15c91d9c0cc25df302a0da8621476a24572402b13e1dc5cf24585d8a8ccc74f9c461b4d698da2945a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\8373eb38-6ede-4e13-b69c-ec6367642c28
Filesize: 11KB
MD5: aaa31a84d36873c13d4a685b69004a38
SHA1: 6be0b1a3515f5c4854fb056e5097194ecbda37af
SHA256: 95f1e78f004ee5399b8486b5a6b8b0758e3d39483589466051a83acfd0abdcfd
SHA512: 0ff004dd3e05cbbc8ffebdc0b45a62752b8b2c5fb446fd9646b50476dabf7e34ebbf7598c5a3854ec8aa49178968503f66fd4a3caadd03cee41d42b8ee2daf9a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\e3306f47-06b1-4c33-a1c5-2079179b18bd
Filesize: 745B
MD5: 7a91d32b41dbd4688107ffba79f8d825
SHA1: 9caa6e39431e55fbf35726e05ab79e184f820b1e
SHA256: f6f01830a2f026d052292be3f63a3787f1c023468004a1137873da02383959b6
SHA512: b0b75977c1a4a6d926acdd97b8807e592a5c06ccb10d38def6a3c97665670237beea1f935ec15e700bd928d4ec402f9848234e0fea0a34158ff7017a1053a2b3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize: 997KB
MD5: fe3355639648c417e8307c6d051e3e37
SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize: 116B
MD5: 3d33cdc0b3d281e67dd52e14435dd04f
SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize: 479B
MD5: 49ddb419d96dceb9069018535fb2e2fc
SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize: 372B
MD5: 8be33af717bb1b67fbd61c3f4b807e9e
SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize: 11.8MB
MD5: 33bf7b0439480effb9fb212efce87b13
SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize: 1KB
MD5: 688bed3676d2104e7f17ae1cd2c59404
SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize: 1KB
MD5: 937326fead5fd401f6cca9118bd9ade9
SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize: 7KB
MD5: ef0e8eabec735d52c8e321a11e73fbfd
SHA1: c4a0ed706d701e0bd49910694ad332baeaed81d6
SHA256: 324d464e7b0f68418b5457bbf4ce6c4a2072b9a90837c3059b36f000339d9b36
SHA512: 1b9b1428da08cd78d5fc64edbe0c84a15952f712b4b0e4b20d94c1a048e1786de169692b8c12a445610086cc2286e77ec367be2d6dadc9e414f057ba58e807bb
-
Filesize: 6KB
MD5: be04f86bf0dd66aa7312d42cc631166a
SHA1: f1c5deff848444b88dba4c06502cd69a04d9aca6
SHA256: 2a64386508b6a545dde41c91a3198dbeb8e0ef33aea4e536b95a68ad6206b5f6
SHA512: e5eb341da09c679f4d5a1c95be9401e90a1730aeca348fa3e90cdf511c1d0a57e046ff7606f4fb7bf20ac0a849da2f1dd320dc6dd065f0105ae82667da04dfb1
-
Filesize: 7KB
MD5: 7842d49200d29a6e18ca605e2cf05b88
SHA1: 0d2ffbbfd8d1538ff8532b205ec458978c84d7a9
SHA256: 4ef58d5d2ebdbfbbbb1f6a12611ae8059b888d0cc62fc78e47ce91c4215d0d68
SHA512: af93a4010b553a72eb33919c3026937678b76e14ed92f3b90695aaafbdebdc3f50b8bd8e0182f62012170cc6c4c6bde3951d3eb576c0821c37ace6095afd481f
-
Filesize: 6KB
MD5: 7e1df02bc994a379bfa54e1e1c06bff7
SHA1: 4f693431bb7e45e7697e9c328933e4df1d61eb2a
SHA256: bc14f8eb7bd7be313eefb04a2fd90f042dca8b5d6ea5e3ddd3818b43e95d5988
SHA512: ba1962d8d3d5214ebb25cdb651a8c12cb3a348e79a4eda8a08cc0271a0aded1ccfd0a015f298c0e6baf033b1a93b1da75b8151fbf9432f0c5bfd242e1e371af7
-
Filesize
7KB
MD5720f3a56101a5d57d5a226701b403ec1
SHA1d0b67a64eaebad59099f7ec4d85e7c9c9014d6b6
SHA2560e9055c8e186ce8e62192610a78057ad11424c1ae656adccbf7950651060660d
SHA51289ab72ca83f8b64a17904b7d6637133a4a8c6288b697207657e3818beaf1b67e6ebeb0b84276e66b66e101cbafa05b9d44adc6bd8a13957f7822e0984cb1f70e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5e32d79f4092dc7cc5e6709620798cc4a
SHA15994dcaa882647bce083c0a8b204c4a0d78a5797
SHA256c040686c9bda2825ee182502e53de66c503951cc4381e7afc499a4425c9216be
SHA512ea8a13f6976edca5f89aa77e1ae5ca1d51a3ed93f199fefcc6117a118274ec1882ff952dddd926215f8d95bddb53306bc3b1799dd7aef1cbc283aadabc644796
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5b35168e22d4587ca37d0174f4eb27c8c
SHA1a07075038391d0b93092e1618497a7799dcb5e18
SHA25683cde2e7574cc3209d39b0db964fcfcc28f52e077021ab0604b3f52710f8ccc1
SHA512277cd4696f5a1db9a14ee880b423932a0c00a1f7f9944560942dcc8a6ea930e84e0bb42962ef3c7b27c192e041ba86eebc945ea32dded85a34dcf5a57358a79e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\targeting.snapshot.json
Filesize4KB
MD5411ddff8a0098dec6ab50f23e7ba231c
SHA1880fc989fd4a01e4d169206dce331246b66fed0c
SHA2561875aa64032888f201ec0b4a35f406a4fe6850cfd7067ac3ac9d4197ee4bb7c6
SHA51296af74216b2369c87c300fccab462a0ee92c889012e1bfe5a6a8f69504522e7f7d5b1ccbc8ed8833fb470a9392cf7376b5cdfdca8df61409f09edea7450932af