Analysis
-
max time kernel
299s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
12-08-2024 05:03
Static task
static1
Behavioral task
behavioral1
Sample
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe
Resource
win10-20240404-en
General
-
Target
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe
-
Size
1.9MB
-
MD5
d6612f5d347fb3a1e9b74b324271a5d3
-
SHA1
f4cf302408405179d0c865438d38cdf1dec0cf80
-
SHA256
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87
-
SHA512
66d2c5d204236b07902be2ba81114e88b4f0009e3b2733c490f83d5fb119e15c0670759bbb7c08ab44f1aaff2337bcbdb3efc155cc69dc348be2cdcf62cc13c5
-
SSDEEP
24576:A68w4WvvycyQHGq1hr1TEOx73tJf0r82jfSr+x2KQIr8QgEM/EEugO00V1EThFgT:RyclHGM1TEWTtJi82rSr+xCcNO/Hui
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
kora
http://185.215.113.100
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
explorti.exeexplorti.exeexplorti.exe539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exeexplorti.exe539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe -
Executes dropped EXE 9 IoCs
Processes:
explorti.exe0d383a3ff0.exe76b0bdeda4.exeef9258e7e9.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 2212 explorti.exe 2628 0d383a3ff0.exe 3388 76b0bdeda4.exe 2580 ef9258e7e9.exe 1972 explorti.exe 5896 explorti.exe 5292 explorti.exe 3256 explorti.exe 5092 explorti.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explorti.exe539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine explorti.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorti.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d383a3ff0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\0d383a3ff0.exe" explorti.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/1300-33-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1300-37-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe behavioral2/memory/1300-36-0x0000000000400000-0x000000000052D000-memory.dmp autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4180 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe 2212 explorti.exe 1972 explorti.exe 5896 explorti.exe 5292 explorti.exe 3256 explorti.exe 5092 explorti.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
0d383a3ff0.exe76b0bdeda4.exedescription pid process target process PID 2628 set thread context of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 3388 set thread context of 3700 3388 76b0bdeda4.exe RegAsm.exe -
Drops file in Windows directory 1 IoCs
Processes:
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exedescription ioc process File created C:\Windows\Tasks\explorti.job 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ef9258e7e9.exe539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exeexplorti.exe0d383a3ff0.exeRegAsm.exe76b0bdeda4.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef9258e7e9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorti.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0d383a3ff0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 76b0bdeda4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exepid process 4180 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe 4180 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe 2212 explorti.exe 2212 explorti.exe 1972 explorti.exe 1972 explorti.exe 5896 explorti.exe 5896 explorti.exe 5292 explorti.exe 5292 explorti.exe 3256 explorti.exe 3256 explorti.exe 5092 explorti.exe 5092 explorti.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4628 firefox.exe Token: SeDebugPrivilege 4628 firefox.exe Token: SeDebugPrivilege 4628 firefox.exe Token: SeDebugPrivilege 4628 firefox.exe Token: SeDebugPrivilege 4628 firefox.exe Token: SeDebugPrivilege 4628 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 4628 firefox.exe 4628 firefox.exe 4628 firefox.exe 4628 firefox.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
RegAsm.exefirefox.exepid process 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 4628 firefox.exe 4628 firefox.exe 4628 firefox.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe 1300 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid process 4628 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exeexplorti.exe0d383a3ff0.exe76b0bdeda4.exeRegAsm.exefirefox.exefirefox.exedescription pid process target process PID 4180 wrote to memory of 2212 4180 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe explorti.exe PID 4180 wrote to memory of 2212 4180 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe explorti.exe PID 4180 wrote to memory of 2212 4180 539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe explorti.exe PID 2212 wrote to memory of 2628 2212 explorti.exe 0d383a3ff0.exe PID 2212 wrote to memory of 2628 2212 explorti.exe 0d383a3ff0.exe PID 2212 wrote to memory of 2628 2212 explorti.exe 0d383a3ff0.exe PID 2628 wrote to memory of 2784 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 2784 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 2784 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2628 wrote to memory of 1300 2628 0d383a3ff0.exe RegAsm.exe PID 2212 wrote to memory of 3388 2212 explorti.exe 76b0bdeda4.exe PID 2212 wrote to memory of 3388 2212 explorti.exe 76b0bdeda4.exe PID 2212 wrote to memory of 3388 2212 explorti.exe 76b0bdeda4.exe PID 3388 wrote to memory of 3376 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3376 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3376 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 1928 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 1928 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 1928 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 3388 wrote to memory of 3700 3388 76b0bdeda4.exe RegAsm.exe PID 2212 wrote to memory of 2580 2212 explorti.exe ef9258e7e9.exe PID 2212 wrote to memory of 2580 2212 explorti.exe ef9258e7e9.exe PID 2212 wrote to memory of 2580 2212 explorti.exe ef9258e7e9.exe PID 1300 wrote to memory of 1360 1300 RegAsm.exe firefox.exe PID 1300 wrote to memory of 1360 1300 RegAsm.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 1360 wrote to memory of 4628 1360 firefox.exe firefox.exe PID 4628 wrote to memory of 1988 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1988 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe PID 4628 wrote to memory of 1572 4628 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:2784
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.0.1699300312\1245909160" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {887f5505-07f8-46c9-a1e5-a720508be2fc} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 1796 1b77ffd9b58 gpu7⤵PID:1988
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.1.1978711312\166743239" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51169f68-5738-47ef-b4d1-aefced0b0737} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2172 1b7011ca458 socket7⤵PID:1572
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.2.11050568\1875956795" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 2684 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5812ef9-7a4b-4436-808e-3103c561fb6d} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2720 1b7043ce858 tab7⤵PID:4172
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.3.675724113\2102222229" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02678771-4392-4d59-822a-e11ada3df290} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 2756 1b705551158 tab7⤵PID:2768
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.4.1821092895\58823418" -childID 3 -isForBrowser -prefsHandle 4928 -prefMapHandle 4916 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d6286fd-b13c-4cd9-84d4-9d998c1cf387} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 4932 1b704b36458 tab7⤵PID:1708
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.5.1626656698\471861220" -childID 4 -isForBrowser -prefsHandle 4964 -prefMapHandle 5092 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd8d30c9-a0c0-48aa-a8d8-196e9d8bf0e2} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5196 1b704c4ab58 tab7⤵PID:520
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.6.1032471559\291607937" -childID 5 -isForBrowser -prefsHandle 5320 -prefMapHandle 5328 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03b6b3e2-480c-4eaa-94d1-389c0023be76} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5312 1b704d56558 tab7⤵PID:2580
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4628.7.1508561197\1279762685" -childID 6 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1280 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bd13abf-8e6d-4fcb-a255-6a0f95970f49} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" 5500 1b704d57158 tab7⤵PID:2880
-
C:\Users\Admin\1000037002\76b0bdeda4.exe"C:\Users\Admin\1000037002\76b0bdeda4.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3376
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1928
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1972
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5896
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5292
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3256
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5092
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD562c81eb8cd78dbcf5767f84caad6972e
SHA19a508e8724c1431394717ebd3c6dee2f9f21d082
SHA256166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250
SHA5122feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913
Filesize9KB
MD54cd8468f8987fdccc0dcc352f277d771
SHA1897279c741789d992362d0fc448bb0205a73daf2
SHA256b7e34c9fb8362632d19c22fad541b05901cfa7a21bd0fbf42f58921b335f10d6
SHA512327c90a2704b3c7264e64f54c4b25e8872cc037d43f8c87d347c4fe2c326d520e654580ad684e58a80df1c9913255035bba6884445a3b5649e69cd6141a6165f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
Filesize9KB
MD5285a0c85b5300e909dd8343c90f9c879
SHA1d37b49e48471c01118e4da34580e76c14482487c
SHA25637f4f5ac93738ce7f70a1275b21f726835e717336ecf725267eb6c034774d54c
SHA5123fd985b64be1c88d2ed1d8221f23ae254aa83aced9a7a42ad52928ac60bcbf1c1a1deb83ff179150cdc9bdf254fa91a5c11d8ef68ccfc62a7336b3c728adcdc7
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize15KB
MD5fafe822197edbfdaf8d1bbdb0fd136b1
SHA1a96be16734e82e4a6704b971514fe4169a27f1fa
SHA2567fbec730458ad4f6df50d03dc34fbec505cf332d291ead65d4781618d13e8498
SHA512221d80dcd606c9ce274bfe51b593f41b940f67a2974f520a904f2b65bfbef9525ff9578cf51a67e07f97668169a83970939c8e8ec91f23e67bbc5837e24ed22f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize13KB
MD51e5c9d3e01234129b0582c5bdf10edb4
SHA13c36433875e40ed0be68763096851a914916afe8
SHA2561c249621a38dcb6cb2ecea9e142a501a528f49c6d282817b214adfceea27c59f
SHA512cf72f92fbfb1a2d9505a99baf1a3ee9b0925d94c37e9d98316e123c708da962cda99a0eba57cb71f90c4774d8f020a6f513d9b0d17990a37d177419ae6e24327
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
Filesize13KB
MD54e6d52d6d66c43e3c6b70507b7247373
SHA129e291aeefc71d1efd0aeb3adf1a05e3da7c530b
SHA256de88ad8891208677429aa216706c1014e1b8d02e5c7c3b4932b9c4b6bd465c80
SHA512157477d297ebde9187f1638a2af24cdce791a451332465b4b9e74ddf4ce667c06955c4337a5a8a37b1471c922e14f14e7c6b3b7371ab3165b1096c1f2772b9bf
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085
Filesize11KB
MD538c93bc18c6c0e7f109062f36f13b3e5
SHA1e78d245193c7e1f86fde40fcd52a0fd68d1472fe
SHA256b17e7399bd22a019ecc8ba3403b2356ef25f0e7ecc4a34c55b94f6f80d87e9d4
SHA512ff5b96121bcc6e7e8d13633c3520202e045bc99c78eef0e993fce585ee5650f8410201f87e988e925b45113c5ef411c0bb9b4676beecd8684adbe35f76c1e29a
-
Filesize
1.9MB
MD5d6612f5d347fb3a1e9b74b324271a5d3
SHA1f4cf302408405179d0c865438d38cdf1dec0cf80
SHA256539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87
SHA51266d2c5d204236b07902be2ba81114e88b4f0009e3b2733c490f83d5fb119e15c0670759bbb7c08ab44f1aaff2337bcbdb3efc155cc69dc348be2cdcf62cc13c5
-
Filesize
1.2MB
MD5db946418424011c782182c76ab8c179f
SHA1d640d54d341cf6341bd434c9015d23d22156612a
SHA256bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e
SHA512a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956
-
Filesize
187KB
MD5278ee1426274818874556aa18fd02e3a
SHA1185a2761330024dec52134df2c8388c461451acb
SHA25637257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA51207ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize7KB
MD5a58be80b0b6be072704c1b81e098b766
SHA1c0c11753bd8814b22dd203efbcd32c512ab3b35a
SHA25645ac0a1e4bda91d5d701daf4688248130805f65d7959febf389bc4d28bd4f9db
SHA51282a16c5dd9497c7db857c6856d52e2e654d0b3a9c00594264f7b928a2759a9b5839de55729f3fc94d41c2363e41eda9af36a531a469618876fdbb09348f2d7b2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-08-12_11_JYHA1IDH37kjW2ud4k03lA==.jsonlz4
Filesize948B
MD57c618c5385632ed123b3929e89a9104a
SHA1877eef304b5bca587c7f990c0b187b1fbe666e04
SHA2560c052f029079668e4dc8f63800c6b2fd173fd97de4739e5a66d017df726f519c
SHA51278e0c287f8367a1fb67e816d2ca7a675cf880d1a245ebc1f4633c52a54bd7fb8ba4564d7c07ceddd9f56c9efbaadb2da1ccc928f679645b3d91dcdac7c87d64e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json
Filesize204B
MD572c95709e1a3b27919e13d28bbe8e8a2
SHA100892decbee63d627057730bfc0c6a4f13099ee4
SHA2569cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5caceb3b07c2599f179f5bf1763d3a2df
SHA1f786adc9659ff6522d11ee4710de01af31de298b
SHA256f156e07fec4481eac4d1b82a211cf9036e3a224f572188722516d179dbe8e31e
SHA512aae9f31c4ada61cf28fedb7f196753cd9884efade3221f7d62be09d154cf264665332a3a7366b67b64ad2f4b9b185ea76c65805f9b0dae584700ef398c2e4de6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\73796c48-4061-4afc-b120-a871daf1324c
Filesize746B
MD592537fffb7c04447005f1293e545d329
SHA187e009c1ab1e04a040659f7da15ac234d73f10f0
SHA2568dfbf111d7678f8966894268e757a68cf42b5bf141ffb5aa44e637c67ab98fa8
SHA51259344f37385ff58a6c24fb028ebea773a5e09974ccdcbfc80b07febf627fd04917a494c4e0a790dc744bdd0f9fbbd2ebab4814e027045cde0a5196fb54c5a871
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\c9d4758d-581a-4e03-9182-9b922553c934
Filesize11KB
MD592c2d83feb1423f8a450454ff2799b6a
SHA1377276b1927a8e53ce912a6f1f92275995d84640
SHA256abda13ac3d24a253b9f068fbdc7da67473a490747940747e42b1dbf5f7fae529
SHA512a30e8e33870d04fd91b834a2195e07feddfcab5ccd24b30161fd353e37cf23dcb079e9933349b8dde905e51c56872343b78016b98af8c169c301699aad509c5e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5c72ef77cdec5facf278b0ac73146cac6
SHA11ab635fa43ac0606dbf29aff7cf9cf54378561fb
SHA256f112dfffa0bf30d63cfa01082c094097c7e88715641b52581bf5fa378c4dc935
SHA5127b30f2ad333055adb6d8222eb04f55d4ee4ac6f8a6d11e6bca9d369cd170df68c2b22084a9a50439c16b128586295a6f3ace7055d5c1347bba86abfcb5fad8a3
-
Filesize
6KB
MD5679c695b2c7ca15c7f256d9d5365b224
SHA179c8c531fa1c0599570389d46c03b4fac94baf6d
SHA2567c9919082f47992650799a04a07a08914991990b0bd388b895b7ace3573b845b
SHA512ea9c63ba68f5ddefe9df3e942bb7956d78ce25a97b0911ea6351f7f0b8ef4ff9ffefd40d660d76efd5908c852650922690f6945d1a9f6c9b70ced8758d88a5c2
-
Filesize
6KB
MD55779a0c6c1de1fa5f022fd6ce97a1c3e
SHA1d90ec1146d2dada326a6422388cb124d49f204ca
SHA256519bb5ba5cad4a9b7da0d7fd5607c4d41127aa11b72041cb5d7b6206d7c0272e
SHA512774ca9683c5392186290bd8ee0a206d8da21183189493d61175e99cfe390e97207604cae61b1a13d7461e050ac161c959e9d41ae26fb695c80141cb7ee64f5ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5f5ba49ae5e48f0540e6d3353f8b8aceb
SHA1dd5a7c13c5d6de2765e9b1b37a7b574bb11ecb37
SHA2563d7b98a7258c1e1d87c22dda513bd2fa1e054282cbeed3dc32aa8469b8d4b1df
SHA5123d53783bc9d6234519165e18706324e96d113a69d6a6f38a6abb3fdde4110d00d19f427b628658072cdacc89e0387e4e0b99fea19a2d2cd05c2e530a6f8d0602
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5a2671249c42d7f3052b47b058c262c9e
SHA14b87e2653d88f77c103ef0b1464e0b5d33da19a2
SHA256369c95ca45254dd593289876f7a7b02a96b3d07762317db14c7dc2a4fa576d66
SHA512d1732b34a524b12d54b7be229bf58a8be59c968b44428052f4ef762c87041a01dabe778d5827ff99d669c7a1b1b9cb4145940a2371ba5aa5b644ce632f23c6ca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD51fdc13de64cfdb8ba3fcd71aad9d33d3
SHA1b7649cfd66d751435fa56a4b4b20daace452c692
SHA256fa890605b23aecfebe4300d159f10096cfaba982a942c8ce829617b3de36a783
SHA5123c9dc261a1f0a96d4433d60de03423d58f0bd63dbf5db48962372658103f16991f6da06c1670deea1e51efd2a15aae699d1d287ee377e0a457299a7dd9f691a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json
Filesize3KB
MD5a7aa7d8d92ea8550a29cae1e4c6a76ad
SHA128728cbb9b83cb8d700883849537060ffa1f4190
SHA256c5a9fbf6a2c4750574999c976d8ac02c1eb6e76d8a5e92e6c28fa15a3c3e708c
SHA512f01149d20dae9820862dda4b5e37aa9564dc57e2a501b5a87c87ed0282f22c098397f111976b6d3a5620c8c86e3db827eebe0f249b5582e6e2cad8b9a1e7bf68