Analysis
- max time kernel: 299s
- max time network: 297s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-08-2024 05:00

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  Resource: win7-20240705-en
- Behavioral task: behavioral2
  Sample: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  Resource: win10-20240404-en

General
- Target: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- Size: 1.8MB
- MD5: 4a92075dbd9a0ed4d476c7372a6acff3
- SHA1: 9033b86c9e62e54f9cb90555cd5290c802051f35
- SHA256: 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8
- SHA512: 961127df540addb9cbaf6e0c145a64d1624d661e86e9905db01d8a21962b30af317f2d18fad10c18632a62147ac659fb5350846dc782ea43690be0abe6d1e16f
- SSDEEP: 49152:FqO0nVOU6s2WK6pKGxzaai3syzpBtgVQS/N:FqOQEU6s86OLc2JXS/
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: 0657d1
- C2: http://185.215.113.19
- Attributes:
  - install_dir: 0d8f5eb8a7
  - install_file: explorti.exe
  - strings_key: 6c55a5f34bb433fbd933a168577b1838
  - url_paths: /Vi9leo/index.php
Extracted
- Family: stealc
- Botnet: kora
- C2: http://185.215.113.100
- Attributes:
  - url_path: /e2b1563c6670f193.php
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 14 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
- Executes dropped EXE (9 IoCs)
  Processes (pid | process):
  - 2904 | explorti.exe
  - 4784 | fc2bef2d6e.exe
  - 4628 | 3f10a3c797.exe
  - 2120 | 2afc91cf65.exe
  - 1560 | explorti.exe
  - 1736 | explorti.exe
  - 808 | explorti.exe
  - 4876 | explorti.exe
  - 208 | explorti.exe
- Identifies Wine through registry keys (2 TTPs, 7 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explorti.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explorti.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explorti.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explorti.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explorti.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine | explorti.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\fc2bef2d6e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\fc2bef2d6e.exe" | explorti.exe
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource | yara_rule):
  - behavioral2/memory/4148-32-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  - behavioral2/memory/4148-36-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
  - behavioral2/memory/4148-35-0x0000000000400000-0x000000000052D000-memory.dmp | autoit_exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  Processes (pid | process):
  - 4912 | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  - 2904 | explorti.exe
  - 1560 | explorti.exe
  - 1736 | explorti.exe
  - 808 | explorti.exe
  - 4876 | explorti.exe
  - 208 | explorti.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  - PID 4784 set thread context of 4148 | 4784 | fc2bef2d6e.exe | RegAsm.exe
  - PID 4628 set thread context of 4468 | 4628 | 3f10a3c797.exe | RegAsm.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Windows\Tasks\explorti.job | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3f10a3c797.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2afc91cf65.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fc2bef2d6e.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | firefox.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process), each listed twice as in the report:
  - 4912 | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe (2 rows)
  - 2904 | explorti.exe (2 rows)
  - 1560 | explorti.exe (2 rows)
  - 1736 | explorti.exe (2 rows)
  - 808 | explorti.exe (2 rows)
  - 4876 | explorti.exe (2 rows)
  - 208 | explorti.exe (2 rows)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 4540 | firefox.exe (6 rows)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid | process), in report order:
  - 4912 | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe (1 row)
  - 4148 | RegAsm.exe (7 rows)
  - 4540 | firefox.exe (4 rows)
  - 4148 | RegAsm.exe (remaining 52 of the 64 rows)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (pid | process), in report order:
  - 4148 | RegAsm.exe (7 rows)
  - 4540 | firefox.exe (3 rows)
  - 4148 | RegAsm.exe (remaining 54 of the 64 rows)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  - 4540 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), in report order:
  - PID 4912 wrote to memory of 2904 | 4912 | 107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe | explorti.exe (3 rows)
  - PID 2904 wrote to memory of 4784 | 2904 | explorti.exe | fc2bef2d6e.exe (3 rows)
  - PID 4784 wrote to memory of 4148 | 4784 | fc2bef2d6e.exe | RegAsm.exe (10 rows)
  - PID 2904 wrote to memory of 4628 | 2904 | explorti.exe | 3f10a3c797.exe (3 rows)
  - PID 4628 wrote to memory of 4468 | 4628 | 3f10a3c797.exe | RegAsm.exe (9 rows)
  - PID 2904 wrote to memory of 2120 | 2904 | explorti.exe | 2afc91cf65.exe (3 rows)
  - PID 4148 wrote to memory of 3384 | 4148 | RegAsm.exe | firefox.exe (2 rows)
  - PID 3384 wrote to memory of 4540 | 3384 | firefox.exe | firefox.exe (11 rows)
  - PID 4540 wrote to memory of 3880 | 4540 | firefox.exe | firefox.exe (2 rows)
  - PID 4540 wrote to memory of 3224 | 4540 | firefox.exe | firefox.exe (18 rows)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; [N] is the nesting level, signatures listed under each process)
- [1] C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe (PID 4912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 2904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe (PID 4784)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000036001\fc2bef2d6e.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4148)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3384)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          - Suspicious use of WriteProcessMemory
          - [6] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4540)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3880)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.0.338813945\191002300" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e54de3c9-0149-4c60-bc3a-fb73b52e2986} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 1792 219b13f5b58 gpu
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3224)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.1.1999538935\837365051" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {986bf50f-75b5-4b91-aadb-bd117fd893c2} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 2168 2199f073f58 socket
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 4928)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.2.1062840632\841426453" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2756 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf8ea650-6b56-48ea-a95c-b265938db4be} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 2764 219b54d7958 tab
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 3672)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.3.1352008755\681135304" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5ffccc6-0a24-4a50-9214-be21a1c94be3} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 3472 2199f064558 tab
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2200)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.4.1451832655\895259457" -childID 3 -isForBrowser -prefsHandle 4924 -prefMapHandle 4624 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de1d121c-f305-4719-b1f6-08597e987cdc} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 4928 219b5e06e58 tab
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 5104)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.5.1870361933\407945502" -childID 4 -isForBrowser -prefsHandle 5052 -prefMapHandle 5056 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de905d39-c548-4fb0-9617-5139db26e7f8} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 4944 219b5e05658 tab
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2732)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.6.1600500602\1921353508" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f0a2216-9afd-43ef-838e-36607dfadb70} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 5240 219b86c4558 tab
            - [7] C:\Program Files\Mozilla Firefox\firefox.exe (PID 2632)
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4540.7.1507780402\1871134597" -childID 6 -isForBrowser -prefsHandle 5536 -prefMapHandle 4924 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1340 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d1f1510-9554-4305-9c71-4e743a6c7844} 4540 "\\.\pipe\gecko-crash-server-pipe.4540" 5544 219b9824558 tab
    - [3] C:\Users\Admin\1000037002\3f10a3c797.exe (PID 4628)
      Command line: "C:\Users\Admin\1000037002\3f10a3c797.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4468)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
    - [3] C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe (PID 2120)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000038001\2afc91cf65.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- [1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 1560)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- [1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 1736)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- [1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 808)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- [1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 4876)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- [1] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (PID 208)
  Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
206KB
MD562c81eb8cd78dbcf5767f84caad6972e
SHA19a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA5122feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913
Filesize9KB
MD5ec728ea73bfb37dd55bbd976e74c226d
SHA1b33a7e7cd7d9faa6ef340fdae96d28f2193b8561
SHA256d532cc42084bc259590993dff4feccea2a9b213fc5b9b13f9d7742bbe9d9beef
SHA512349f8f4622de87ad7fd0e46ed88c442d6238f55802132f6e5209d4cb4eab32c0ea705280fa29c291d7897fd87ddff42f045838a61a84ab9ef182945d90df06e5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
Filesize9KB
MD59a9db5839b504fcb68996816896bccc5
SHA1abea3e08c1fe85ce68408994680309b76e612221
SHA2560abfcfa224b224dbfdca6a5940c0f6e86e8112367ce9d7cc05292b3d500b2af8
SHA51261aa74c1600bbf091a1876064083c6d5fd7ec30512e1b306b2b8f9f7049d4f1453fb8b2bb34912501dd6dc9c51bfa19438b1575c9b7c589f1e42ee28968762a6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize15KB
MD5c4543bb29b467ba72b3403af61d8755b
SHA1738b0a88421ff577640bbe69c086f461e1f91b99
SHA25601997b538f0769cdc439a195bd7fc1c73d75529b5a683e7f8894aa0ff31dc0e2
SHA512a57ef368782e299a8700bcb64de5b44b8a58510b44c8022fbdb4de833e6c2056a7aea41afe8a59f1a4ee5c14a4da9aa459364bfabf57122206674e2a5ece1d60
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize13KB
MD559746f66000687350a02b6af03c03fe9
SHA11d599ab5194e99c96eee7977bcd0075f8aa957a2
SHA256b7c49f43fe79000666600ee17037cd8e96043497a7f7902ff7bcdb0c68870084
SHA5127bdbf74f2f5042badc232bda118ed3cc1e2facce8686eb50d153a67a8748eeae82204982820a0fd098b47d9f105090aba2a918618ea184f59d3a3b6042cb95ce
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD5e89115451394d4e4fde52e519931b112
SHA11bb17c197030741769ee128534ab968fb4ac1257
SHA256d86738becd2a912540e709f14874f22c8e3d784d676148bb2d0607c510a41b98
SHA51294cca6cbf539c204752d7b6c539545d41c1d39ca6915cac0d2e39bc0d6e9ed8ef37b80f9e06d65fe7169087cf6c40566f0e24b016178584c31d9b81f8dec7bbc
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085
Filesize11KB
MD5c7196cd0d784f428d3e9bda011f69a31
SHA1f1669a3c35cda22f0c5451450b7141d5b11e04be
SHA25677cb27dde413c6bf17b75fcb81a2701cff918838837377f85f8cd0cf18d436d2
SHA512bda32a89e543d1b01e0a0753a47ca343924c9ecf18aa3e1f05c71ef5694a0aed9eadac8cb9c94bcedd46f8209b09a7650618ea1d77a9eb8342163c4c01cda1f1
-
Filesize
1.8MB
MD54a92075dbd9a0ed4d476c7372a6acff3
SHA19033b86c9e62e54f9cb90555cd5290c802051f35
SHA256107221991db10dcd981da9f0d3744a74deaa4c5f0cd15b85cb4d238093bf93f8
SHA512961127df540addb9cbaf6e0c145a64d1624d661e86e9905db01d8a21962b30af317f2d18fad10c18632a62147ac659fb5350846dc782ea43690be0abe6d1e16f
-
Filesize
1.2MB
MD5db946418424011c782182c76ab8c179f
SHA1d640d54d341cf6341bd434c9015d23d22156612a
SHA256bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize7KB
MD59357e30d8461a05a3a563e55bbe9a8e3
SHA1f1af6610a8c8b95c667b0229c0d8ffe7e8f4680f
SHA256524f1eb3d8588da32de96b117c900a149af477de4f3e09aeee64dbfa43ced3b0
SHA5129f5dd9cdbd744d4ee1bfc46f0a6a992e160871f0645de52cb9d1cfa3e11321e577de29cdd15085b2c40b000e3ab921383bd2766853bc519d40eab9784b030f6b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-08-12_11_+ftwiIQfjYtrlniJNZ3V4g==.jsonlz4
Filesize945B
MD55454384ec38638981ce5e67157b8f07d
SHA120da940d1b48d7c555b5f7d050fcc26b9fcaa217
SHA256faa28431b2b70bce1f1552ef63266622ee731b9a30a3b314c9b6d6e0bdc07e11
SHA5125526c70002b23f106dbb494742fce905cba27979f8bf8f2a92832232fb34b6bf873043f0b54f88567250f358e5fdd93438f5211318ee303ad71615ea85d1f2f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json
Filesize204B
MD572c95709e1a3b27919e13d28bbe8e8a2
SHA100892decbee63d627057730bfc0c6a4f13099ee4
SHA2569cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 341695e9cac2870cd36b0388a21520ec
SHA1 3968ece2266b2544a0e87d356bcebbbbbd184fd1
SHA256 e05c9377bc017934087776c60c1b91efed82774d46173bf405f0605543ca6b0b
SHA512 a0087b8afee96cd4ccad9f4e78e1a220131894bb0b44df53365701551bf03f8bbc8b819458e5db9d47eb1334b7969f1bf017574218428bebac154dffe201d4f5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7a59123c-ca92-4df5-9adc-2aa99b74fd28
Filesize 746B
MD5 6e2f456aa3ba477220a273c75375f309
SHA1 4876f7f673dcf940bffad398da27b8ed3c383c65
SHA256 046da92467e148643dfc8c4def503f4d5f66d9f90a016f68c5a754674726555f
SHA512 b361513e6372399e0d417a0f83ab31aed0559de4671d8a509b91db7fc643fd1e9e8319c5dc233a6f45e80d2f53b25671e5470921223911ce61e86820d613bb4b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\b798b364-a4c6-4efc-a04a-41847ed6e53f
Filesize 11KB
MD5 629dacefbd394725dd8c0549a8a42fed
SHA1 c2950bb366efad1f074ec04790a81423cae95105
SHA256 4e21438d0f24bd44095f3481eabc63c03c8026e1e8213624733ebc464da9c567
SHA512 c278c655c946d37faf420559e3aa51a33d81f8f9b1bcb0244882bd73168b6366181d50be4420730c4ac69436b6d2c82fdd59e52ad96f99f5bb73c88e95969b82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize 7KB
MD5 4fda31c7e3b5eba728e1e469643b71c0
SHA1 cc89fb5db17b8df7e330a81cd6dc654e6ef4c43f
SHA256 804aba13576e1bc63200ce600bcf347cfd07d14505dcd774cfea3e8359eb35ac
SHA512 f06ca6ee96cd1f6c0a6467a68996929b921484ed6571a2203abd1a2043ad70952ef6c37638158bf1e7058208f8b8af407bd1ad2106397d4007b7148b606e4bbf
-
Filesize 6KB
MD5 25bffd7a78c7f30b0511b3ddd970686e
SHA1 5b686450d44fe2c8974b9cd073973ae55d9b8715
SHA256 ac800dc50e891d9830d91e5820b1266c9afa8cfa81b9faffb2f013a321773996
SHA512 edaf3266697dd855322f86d5e4cebc807811aa98aa3c2edc5b3ea6ae4895b123c2e8e1e41e85dd68e0e7a9ab7ba9ea0132392e9a78f59daac6cfd1f19f674642
-
Filesize 6KB
MD5 c625551ce2d609be773603db0091d329
SHA1 5c395d71c63da412b6b07c5317fa1cdc2f2e8464
SHA256 4df8266994b34dd7ca9cc5921403a6bdf23977ffc1adc1f64aa7146e99cb69e5
SHA512 01237a0862608f265ceae0cdb44b3de07c3c51cfe7260f375ad520c75045b8bdc223d5e169d81ee53d87e106b1ccbb8f35efb9dc5fb4384a56a9dc98999727df
-
Filesize 7KB
MD5 baf8bd79a6de8363be427363b12dba2f
SHA1 6fbfe8d84403f4f25180d9d921ea347a3415ba92
SHA256 5dd5462352c70e0f017a6b51aed91d451396b731bbf5d7f9754cba90bd761aae
SHA512 987eb40a8350f3de873371b633cf6995dbb28e27a4f39f6bc954d29fa67242d9f2f92a4e84f6e876ee051f9711a27d8d4415133bf0909f084678b92a11933d91
-
Filesize 6KB
MD5 cca7a4d98b0c7f557c3eb6eb8a30a72b
SHA1 97afc4d9efd43cddd261741ca53c0b9a7d717048
SHA256 d79a9abcb852c022bda59facdf84906a5f81693873cb42e000f3b24b2808645d
SHA512 3a4cc5f96b79ffce9366717db1d354c739911ed51d0610fac2f3dc032b340bd91d0ca1a8e11ce6d80fe81962857304bc4039037ebec51c480ccda6287cb698f5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json
Filesize 90B
MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 25bb4fc0d3c97030b481ea6c394fc757
SHA1 faa52d98b9a3addcdd7018b130710f1ca4a93c9d
SHA256 4d82959b15da94964fa618cbfca35bb2f484e4aae0a6610497c27870b8964d30
SHA512 97bea60a54fabb48cf2e2790f14ea886ea020df77f9c18e2e904737dbdc14a5f14e75b4085022c6243d3a384ee8192933b1855b9db7ece1bee0381049870e453
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 d7ebcc1f4737f8f0c3d45c73745a0aa3
SHA1 5f20c711d26a6b0d7b6eaa948a1977164b2e73ee
SHA256 b6cc34f5d20cc43a757d51712f69e4987b2007a414202e62851ebecebd99dbaa
SHA512 8dd1ef2293f7fd84bf5e97ed183c99c4292be16dc4aae6c511af8782098a34c9e4a886928c29f6daf6faf7691dde204b0ee1b204fa9a6a04ede972ebe7ecdf7d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 184KB
MD5 acb98d3d4e718735b97cfa91dc502aeb
SHA1 169e52e36b0118c591b2c7c4566f7d24bb48a1fe
SHA256 d7f03e1c2f27c7dcae5c28ea3c52ddb1d5c8086870d28206e8afc039d6779ce5
SHA512 a8aa54bcc302f0e67fc2d856e540696259ef259dfc9ca8cf59a02a9552f86e004a251129ea53acd0109f6c6e10395003c884bf45a25424a93165b1b25b883227
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json
Filesize 3KB
MD5 d0a16a3177e6f8a2d130ef88a2ffff1c
SHA1 6680e33f5d4b58e68724d44ab52473d3e92e2483
SHA256 4045dcfa3f4b9fdb9b758d6795734e6eb22b082e3e058b2711ac3aa421b61c49
SHA512 42551ce797554087ddc0ccf8009cddb1707d798f26c83c3650f1f6761835bded72d8e8a844c2c2ffb4d9897f30deb4bcadcbe6e160a868e90c36579730eb7f38