Resubmissions
- 10-11-2024 01:42, 241110-b41vrswgrj, 8
- 10-11-2024 01:38, 241110-b2c1xswkft, 8
- 10-11-2024 01:32, 241110-bx637swjhx, 8
Analysis
- max time kernel: 269s
- max time network: 271s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
fnaf plus restored.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fnaf plus restored.exe
Resource
win10v2004-20241007-en
General
- Target: fnaf plus restored.exe
- Size: 937KB
- MD5: 10fccccf042d47d4bf56bb1bc5e04273
- SHA1: 42268e93106a8b9831f1750dbda236137d37542c
- SHA256: 60ccfd2af3e5f68d1b1fa36140e97a65411f0ce26da19768933cd5128fe342fb
- SHA512: ef5f4cca065311aae4b3d35c74de5d2daeebb36396e0a15fa5a544460ccb8ef82dd2efa7efae1afa0bb76468e9986c2e3dfa37cfbca1c01ca212c9379b3b36a9
- SSDEEP: 12288:qUDU9hdC/8PqDaPcUewtn10Gkt+Tu8mTLUyitik5ZEXhttD:qIU9hB5Bkt+TmYti8ZErtD
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: WaveInstaller.exe, WaveBootstrapper.exe, WaveWindows.exe, Bloxstrap.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | WaveInstaller.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | WaveBootstrapper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | WaveWindows.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | Bloxstrap.exe
-
Executes dropped EXE 5 IoCs
Processes: WaveInstaller.exe, WaveBootstrapper.exe, WaveWindows.exe, node.exe, Bloxstrap.exe
pid | process
760 | WaveInstaller.exe
1316 | WaveBootstrapper.exe
3992 | WaveWindows.exe
2796 | node.exe
1516 | Bloxstrap.exe
-
Checks for any installed AV software in registry 1 TTPs 4 IoCs
Processes: WaveWindows.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\KasperskyLab | WaveWindows.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\KasperskyLab | WaveWindows.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\KasperskyLab\LastUsername | WaveWindows.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\KasperskyLab\Session | WaveWindows.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow | ioc
384 | raw.githubusercontent.com
385 | raw.githubusercontent.com
398 | raw.githubusercontent.com
399 | raw.githubusercontent.com
400 | raw.githubusercontent.com
401 | raw.githubusercontent.com
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes: firefox.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier | firefox.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: WaveWindows.exe, fnaf plus restored.exe, WaveInstaller.exe, WaveBootstrapper.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaveWindows.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fnaf plus restored.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaveInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaveBootstrapper.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | firefox.exe
-
NTFS ADS 1 IoCs
Processes: firefox.exe
description | ioc | process
File created | C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: WaveWindows.exe
pid | process
3992 | WaveWindows.exe
3992 | WaveWindows.exe
3992 | WaveWindows.exe
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes: firefox.exe, WaveInstaller.exe, WaveBootstrapper.exe, WaveWindows.exe
description | pid | process
Token: SeDebugPrivilege | 3300 | firefox.exe (repeated in consecutive rows)
Token: SeDebugPrivilege | 760 | WaveInstaller.exe (repeated in consecutive rows)
Token: SeDebugPrivilege | 1316 | WaveBootstrapper.exe
Token: SeDebugPrivilege | 3992 | WaveWindows.exe
Token: SeDebugPrivilege | 3300 | firefox.exe
-
Suspicious use of FindShellTrayWindow 21 IoCs
Processes: firefox.exe
pid | process
3300 | firefox.exe (same row repeated for every IoC)
-
Suspicious use of SendNotifyMessage 20 IoCs
Processes: firefox.exe
pid | process
3300 | firefox.exe (same row repeated for every IoC)
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: firefox.exe, node.exe, Bloxstrap.exe
pid | process
3300 | firefox.exe (repeated in consecutive rows)
2796 | node.exe
1516 | Bloxstrap.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: firefox.exe, firefox.exe
description | pid | process | target process
PID 2580 wrote to memory of 3300 | 2580 | firefox.exe | firefox.exe (repeated in consecutive rows)
PID 3300 wrote to memory of 1644 | 3300 | firefox.exe | firefox.exe (repeated in consecutive rows)
PID 3300 wrote to memory of 3060 | 3300 | firefox.exe | firefox.exe (repeated in consecutive rows)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
"C:\Users\Admin\AppData\Local\Temp\fnaf plus restored.exe" (depth 1, PID 4452)
- System Location Discovery: System Language Discovery
-
"C:\Program Files\Mozilla Firefox\firefox.exe" (depth 1, PID 2580)
- Suspicious use of WriteProcessMemory
-
"C:\Program Files\Mozilla Firefox\firefox.exe" (depth 2, PID 3300)
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55cf3f9e-9955-450e-8eca-ee11e2d56bba} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" gpu3⤵PID:1644
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47109e2c-ad0d-473b-b723-f0938b4ba0fb} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" socket3⤵PID:3060
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2868 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49bb3281-c9d0-4ef9-99c2-14e02e83f824} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:1928
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c3157e2-af96-4fb5-b03f-cca97fb158df} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:564
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4968 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {321c1ad8-0c4e-4f48-81fc-62a6da517afb} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" utility3⤵
- Checks processor information in registry
PID:5384
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5280 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {049a2633-13d7-494d-b00b-b7fb6f1090a9} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5772
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71286dc2-d6d3-41a6-8de4-54d8e5f56f2a} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5784
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5268 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1b44ed8-28aa-45d4-923e-ff0123a7db9c} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5796
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 5948 -prefMapHandle 6148 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48f77685-d2c3-47bc-82ed-8c16b18a4de2} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:3124
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -childID 7 -isForBrowser -prefsHandle 5872 -prefMapHandle 5880 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4960a1f0-87b0-4d2b-b34e-e238a709f09b} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5628
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 8 -isForBrowser -prefsHandle 4772 -prefMapHandle 4156 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {434f48b1-bd8d-4966-b114-6268560abfc9} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:3744
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4596 -childID 9 -isForBrowser -prefsHandle 6896 -prefMapHandle 6860 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8198ce95-dbdd-4e1f-8754-001167d1ba75} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:2056
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6856 -childID 10 -isForBrowser -prefsHandle 6836 -prefMapHandle 6844 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f978ee-6450-4932-a58e-6314bf9a20f7} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:1980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 11 -isForBrowser -prefsHandle 6328 -prefMapHandle 6344 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d582ac7b-aef9-4bb7-bce6-7c72e36c32e1} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5872
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -childID 12 -isForBrowser -prefsHandle 6456 -prefMapHandle 6452 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd84271f-ce8e-45ae-90fe-f6e549b5287d} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5976
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3720 -childID 13 -isForBrowser -prefsHandle 5448 -prefMapHandle 4244 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {479bea34-0ad8-4dbb-9209-644a2946cc74} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5956
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4452 -childID 14 -isForBrowser -prefsHandle 4172 -prefMapHandle 3712 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6c4181-09e5-4a25-8460-1a2d6831857b} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:5696
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4176 -childID 15 -isForBrowser -prefsHandle 4576 -prefMapHandle 6460 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc122993-de96-458a-8760-99030069e3b7} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:4688
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7308 -childID 16 -isForBrowser -prefsHandle 7400 -prefMapHandle 7396 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e6dc7c1-a855-444d-8dc4-d4b3a2e3e026} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:756
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7684 -childID 17 -isForBrowser -prefsHandle 7604 -prefMapHandle 7612 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1128 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f59f476-7142-497f-9cc4-8bf7bdc5259b} 3300 "\\.\pipe\gecko-crash-server-pipe.3300" tab3⤵PID:824
-
-
"C:\Users\Admin\Downloads\WaveInstaller.exe" (depth 3, PID 760)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe" (depth 4, PID 1316)
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe" (depth 5, PID 3992)
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=3992 (depth 6, PID 2796)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe" (depth 6, PID 1516)
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4.3MB
MD56546ceb273f079342df5e828a60f551b
SHA1ede41c27df51c39cd731797c340fcb8feda51ea3
SHA256e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5
SHA512f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824
-
Filesize
249KB
MD5772c9fecbd0397f6cfb3d866cf3a5d7d
SHA16de3355d866d0627a756d0d4e29318e67650dacf
SHA2562f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f
SHA51282048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31
-
Filesize
372B
MD5d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA104855d8b7a76b7ec74633043ef9986d4500ca63c
SHA2561eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA51209a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998
-
Filesize
6.1MB
MD56b1cad741d0b6374435f7e1faa93b5e7
SHA17b1957e63c10f4422421245e4dc64074455fd62a
SHA2566f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f
SHA512a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json
Filesize24KB
MD55ae538c1207fcfad6edf9c301e366cdb
SHA1f37d5d2651163f864dfb9220328dbc958aa94bc6
SHA256da71f6c756bd77924dece967abf9397df4f29a4f8fd5ac449d7a81f34da75eb3
SHA51286d820519151375e5905ea76eb00af2096092b67e7d3cd81ac053f8a6e9f01fee7cfabbd62eca79ad1fd0273291313d97332fb2af8e88f77192958e0dc4c86a4
-
Filesize
86KB
MD5abe3073907362e8df7b199d214d411d4
SHA1273ae71ade06d8c14caff5d4f397e2841e6247dd
SHA256ed48b3e06ea31154c28be8c70f769a572f1f2808d4e07544122d834f20d2f3c6
SHA5120f3cdd45dfd7ddb03037b908d6c7dad04ff151b2a64d49e3a9e92214a7695cb219edc12759745ba17380e196503e2d429ca235ee3e8ecf4dcff7716c1446bc46
-
Filesize
125KB
MD517f92159a6dfaf583927360526c74ed2
SHA16ba5bfa28d4aa16e0580311c6cde166411e25f3a
SHA25625bfa6d812d79e68714a9e4c040b2947c19b601471e7ec9c66c0cb1e62a6a943
SHA5129349cf5fc74e58da133bf32d7e6a700bfaa2ccf02e7ad78d1a447590437f961f48b3599543e80d5b1063cf747d47e42b55474ca5077322061be55308b70af614
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\0B09FAE341F4DDD969BBA2C6B6B8F6253CF20D50
Filesize13KB
MD5c9f6bbeb184165e9a2e2407584bf4526
SHA1b05bf3e5aca7d21d28b35732f899950d1cbe089c
SHA2565f397f988c6e49c66faed4e2329453999598cb3d78586bec3ec58eb4746594ed
SHA51219fb282e6fb625a2f23e71ae18fc7567988dbdd6357a54301e8b57c8da7495ffc9ccb90dc0eb8b4982b4e38d364a770f7f92366370f02b62b1ef289921f11a30
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\15452148DC37F7F3E37A31F6162F9E9EF7545424
Filesize43KB
MD539134d0dfea80998129e82a84cd62acd
SHA175ab5ba5a5e071fde6b565b3130a05fb33864c05
SHA2560b4885575123d56aac012da631b424548f68c15fa2f8e995efdcaf82c89ffa90
SHA512a601790fa14467ec45bb3adf0c97d2f0254f98df20edb4cce9a218ad6eba1bb714b990b04b8a8c547953ef338e7fe42eacc42fd27f52084a229e831422388bbd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\1951DE72CFFA8150C812E912B27FCB419836A7A8
Filesize22KB
MD52ff56147f449ff5fc45d762ecd77c5f8
SHA1c4bbeb2e974e75a986d518736112d2daac977dbf
SHA2566cade1c6e4bc79ae9b0dd605b6a0367049d97c488318ea4bb3822a87e4e215b4
SHA51250012439f3b5bc29dccf87863f404aa1d98933080959cb7013e15adbd2c8f4ddea257caac6eecc6e61e99f36a508ed087cb7980f1a2f62c3c67f38435aac71d4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\2F80A05A314CCDB66FB88D0D30B7405BCD9AB353
Filesize1.1MB
MD52de9d573a934efebc99b2e32a38409c6
SHA1198f11cf1b9cb6bc3cfcaffe9cc635db473b085c
SHA256b31d2b6da67f8bfd11560e3da27d967ad9ef838af52659447f9e687e3f746d7c
SHA512f19f78a5a8d2ddc80a1987ed84c2d591130af3322d297022bec480632df137a399584f4e0802676e200c9c9299201526f30a7877225927261ae5930b3f6a7ee5
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\5C36AD522D06CBA27C557B84549A66AC74D92835
Filesize10KB
MD5f8d428409be95a771c9d414023e01ccc
SHA119513d44e8b9bd28f3a655a4f7252ff0836d360e
SHA256cc72ac8f1ae1891e8887753f261a49ca217a6c693c71a090354a9f7cd5e6fc1f
SHA5125cf7164487eee73199beb8deecd60aec9e021a66a015c50e83212617a9512384ad4f370f4048fc01d3a1036fda88e9031c236608b0e7b1b444b644a743ce6e6d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\5CAF0F45716E767E04F44899002CD8DC8EFBF123
Filesize44KB
MD57b8e97a8eb029284d05b89980b37d81b
SHA15af64eea60949747f3c1007342e5f015d03d1641
SHA2566d91bbe99f3872fefd1668d70ed0d51a7e18ba1da367554b66e7b2668916ea5f
SHA512e5bbb52ae12fd6da27adf6d593cb8ddaf18f78a73f0aee9307f0af77f1405f03979960b2f77c657c91af109aec2a3fd1a4ffd3a4446bd00814e3ad413cae6a65
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\5D88F86F32DC808B55FF241F00F12611A6FDBCB2
Filesize121KB
MD5b651bc9527c9aebe800eece7682a561d
SHA1df406cc1646a8c0c53b1a704883164b19e39ed3b
SHA2567faf1d0475ced72ff6badb40e840bc494af69fd1f504f83a17f5d9dbff8da479
SHA5123f8b6bedbfd30f0f491130f33de8aa8c578e7ffb3f59ab4efa2f4845b4dfde751a595597755fad22bcd7da7c6c2f1150e188d00df6fb9a986ded96509ea2ee5f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\816705FEF1DB3481B3B6CB5A4542A9BE5F9F75C6
Filesize788KB
MD5e2c8f6579c2bcc07bb593bad7b21dcf6
SHA10cbb9be957d6ed1c873180168a3e8d44ee578c6a
SHA256aac12cc4e198baf98a3d85e475bcf68c86fc883867eb92b455fb49c50ea71515
SHA512cf9b73b129eb095e81175f150f35fc2258e3cca38eec1324695cceca938c91b830f3b5969282b6cdea3992b748a5d1794dccaf1ba24420e950bc3866d934e238
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\944281DE8E653E8D9793A8E9F6BD27DE1695F581
Filesize122KB
MD547457ee238bef4cb7e8301d77d116fed
SHA109dab270f3d105e664f1860455d3ab61f3a110c1
SHA256cfb82b41bcada3107de248dab9b161c5aad5668c151a12fa083f8594d0e3d9cb
SHA51298aab2b843711007d8ca4029e26038d2c8932f4a0373ce395b52468b457f0764cac6014959d57240edaff6577fc445322ca3a3c424e8d72d6ffffce9a7a28a40
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\B3E9141EA653832D356942C18CCBE9C056FE1193
Filesize139KB
MD597622ffbb4d13d14ca5c3e35bf28cf60
SHA1def4ebd751c025285dc25e8457ae49ff6705cabe
SHA256d2afb0e76f2910b969b8ae3a455b4b73cabf9e2b132af39bbee0c35066018374
SHA51211e37fc53613ba49aeac4e080d07000ae74d42050126f6246d032f3f89295ea398027e9fe579f5a6831080bc937b29da424209439b6cdd54379884a5c9affc4b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\C0F4D880C1B3CF628066058BD865CA7B495E5F29
Filesize218KB
MD52abcb59db78a343418d5a485103021db
SHA19d018483c44193c83c804c888d8d5d965f8e18b6
SHA256ee427998f947b5522c8c8a5394197c0a551d961a5f6110caddf6ac84e759975f
SHA512646f5151ebf1d1804b7aaddc0fa2a3674467f714c27efae17fdb9c435a6f03d77a2d8b27577c7504fa1375f5932601d0221dd5db4c1c12716836722356a0754e
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
949KB
MD5495df8a4dee554179394b33daece4d1e
SHA10a67a0e43b4b4e3e25a736d08de4cec22033b696
SHA256201263498c60fa595f394650c53a08d0b82850349123b97d41565e145ddf2f42
SHA512ce3bef1038741f7a0f90cc131a4a1883fd84b006654024d591f5451e73166b4cae546e307c358b5b90aa0e6517bf7b6098f1f59a3ecc01598d4feb26e6b6af33
-
Filesize
8.0MB
MD5b8631bbd78d3935042e47b672c19ccc3
SHA1cd0ea137f1544a31d2a62aaed157486dce3ecebe
SHA2569cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c
SHA5120c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize14KB
MD59f02b5ca14334400200521ef95ae1f2f
SHA168ad8777a658a23830ab993ece7c9e6ba0f285d1
SHA2566e968e2ff79391f5c5aca818e1d4860a25733b132a9492260528a15952edc2a6
SHA5122dc8e207ed362700eb84e76a08343ea83faa9d35f6b77293d20cf4b6c68a0b393e70f41db51872c5c9eaaa6b79684fceae6838f7d45286f964d962ffd6079f84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize20KB
MD57eceb2d53ac1333b643809105c569a03
SHA17d2ee1fabe4d6f5027af488a18cc14a5ac91d76a
SHA256205bdc219a2da231d0ebf2e714bda8ae75807bcfd8f5c1c434e3277f0e0a414e
SHA512ea010887277601335938dbe41334fed1a0c7eb8a1855a22cc9080963a8118d480a1a0b89e30f89e4670534330937d1e57f59d39cea621982429f693e1b8497d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize8KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize7KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize13KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize17KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize20KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize25KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize8KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize15KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize96KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize23KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize96KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\3c1db6f6-1e0c-442e-9f31-f6584ae000b1
Filesize4KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\b602185f-0ec5-4fd8-a328-a874c68accd7
Filesize659B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\e0159c21-9161-4d2b-b90c-761d73fec01e
Filesize847B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\fb2d409f-e005-4ed0-9400-be0e692978ee
Filesize982B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
-
Filesize
11KB
-
Filesize
10KB
-
Filesize
10KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize24KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize6KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize24KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionstore-backups\recovery.baklz4
Filesize8KB
-
Filesize
2.3MB