Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08-07-2024 13:05
Static task
static1
Behavioral task
behavioral1
Sample
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe
Resource
win10v2004-20240704-en
General
-
Target
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe
-
Size
1.8MB
-
MD5
9a078876b23608ca0de594f4feb973fd
-
SHA1
63355749469f7fabfe986fb3ae33bdc83834c061
-
SHA256
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d
-
SHA512
45ecc1a2bb87619656cb9204aa9eb2955e4d502adb84d528f004afe038e256a68de46224602ccf7cc81cdb3e62e6cbf5111ab2e33e72b3d8c10f6f81ac5615d6
-
SSDEEP
49152:tPJA2u/IMoVMGYZa7FZ1rxkBMnEAIAC/mkaYOswu9OeRkKjFkDM:tRGCV/7Vxn8uBswwJ+K5k
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
Nice
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
KJDGIJECFI.exeexplorti.exeexplorti.exe149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ KJDGIJECFI.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
KJDGIJECFI.exeexplorti.exe149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exeexplorti.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion KJDGIJECFI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion KJDGIJECFI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exeexplorti.exe5189481211.execmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe Key value queried \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation explorti.exe Key value queried \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation 5189481211.exe Key value queried \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 6 IoCs
Processes:
explorti.exe5189481211.exeexplorti.exeKJDGIJECFI.exeexplorti.exeexplorti.exepid process 4660 explorti.exe 4872 5189481211.exe 5268 explorti.exe 5344 KJDGIJECFI.exe 3848 explorti.exe 4620 explorti.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exeexplorti.exeexplorti.exeKJDGIJECFI.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe Key opened \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine KJDGIJECFI.exe Key opened \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
5189481211.exepid process 4872 5189481211.exe 4872 5189481211.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exeexplorti.exe5189481211.exeexplorti.exeKJDGIJECFI.exeexplorti.exeexplorti.exepid process 2516 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe 4660 explorti.exe 4872 5189481211.exe 4872 5189481211.exe 5268 explorti.exe 5344 KJDGIJECFI.exe 3848 explorti.exe 4620 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exedescription ioc process File created C:\Windows\Tasks\explorti.job 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
5189481211.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5189481211.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5189481211.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
msedge.exechrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exeexplorti.exe5189481211.exemsedge.exechrome.exemsedge.exeexplorti.exeKJDGIJECFI.exeexplorti.exemsedge.exechrome.exeexplorti.exepid process 2516 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe 2516 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe 4660 explorti.exe 4660 explorti.exe 4872 5189481211.exe 4872 5189481211.exe 5068 msedge.exe 5068 msedge.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1344 msedge.exe 1344 msedge.exe 4872 5189481211.exe 4872 5189481211.exe 5268 explorti.exe 5268 explorti.exe 5344 KJDGIJECFI.exe 5344 KJDGIJECFI.exe 3848 explorti.exe 3848 explorti.exe 6368 msedge.exe 6368 msedge.exe 6368 msedge.exe 6368 msedge.exe 6152 chrome.exe 6152 chrome.exe 4620 explorti.exe 4620 explorti.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
chrome.exemsedge.exepid process 1628 chrome.exe 1628 chrome.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1628 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exefirefox.exedescription pid process Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeDebugPrivilege 1900 firefox.exe Token: SeDebugPrivilege 1900 firefox.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe Token: SeShutdownPrivilege 1628 chrome.exe Token: SeCreatePagefilePrivilege 1628 chrome.exe -
Suspicious use of FindShellTrayWindow 56 IoCs
Processes:
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exemsedge.exechrome.exefirefox.exepid process 2516 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1900 firefox.exe 1900 firefox.exe 1900 firefox.exe 1900 firefox.exe 1628 chrome.exe -
Suspicious use of SendNotifyMessage 51 IoCs
Processes:
msedge.exechrome.exefirefox.exepid process 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1628 chrome.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1344 msedge.exe 1900 firefox.exe 1900 firefox.exe 1900 firefox.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
5189481211.exefirefox.execmd.exepid process 4872 5189481211.exe 1900 firefox.exe 5720 cmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exeexplorti.execmd.exechrome.exemsedge.exefirefox.exefirefox.exedescription pid process target process PID 2516 wrote to memory of 4660 2516 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe explorti.exe PID 2516 wrote to memory of 4660 2516 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe explorti.exe PID 2516 wrote to memory of 4660 2516 149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe explorti.exe PID 4660 wrote to memory of 4872 4660 explorti.exe 5189481211.exe PID 4660 wrote to memory of 4872 4660 explorti.exe 5189481211.exe PID 4660 wrote to memory of 4872 4660 explorti.exe 5189481211.exe PID 4660 wrote to memory of 1172 4660 explorti.exe cmd.exe PID 4660 wrote to memory of 1172 4660 explorti.exe cmd.exe PID 4660 wrote to memory of 1172 4660 explorti.exe cmd.exe PID 1172 wrote to memory of 1628 1172 cmd.exe chrome.exe PID 1172 wrote to memory of 1628 1172 cmd.exe chrome.exe PID 1172 wrote to memory of 1344 1172 cmd.exe msedge.exe PID 1172 wrote to memory of 1344 1172 cmd.exe msedge.exe PID 1172 wrote to memory of 4204 1172 cmd.exe firefox.exe PID 1172 wrote to memory of 4204 1172 cmd.exe firefox.exe PID 1628 wrote to memory of 2016 1628 chrome.exe chrome.exe PID 1628 wrote to memory of 2016 1628 chrome.exe chrome.exe PID 1344 wrote to memory of 4232 1344 msedge.exe msedge.exe PID 1344 wrote to memory of 4232 1344 msedge.exe msedge.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 4204 wrote to memory of 1900 4204 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe PID 1900 wrote to memory of 4616 1900 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe"C:\Users\Admin\AppData\Local\Temp\149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Users\Admin\AppData\Local\Temp\1000006001\5189481211.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\5189481211.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4872 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJDGIJECFI.exe"4⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\KJDGIJECFI.exe"C:\Users\Admin\AppData\Local\Temp\KJDGIJECFI.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5344
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBFBKFBGII.exe"4⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5720
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\135016d09f.cmd" "3⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff0369ab58,0x7fff0369ab68,0x7fff0369ab785⤵PID:2016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:25⤵PID:4536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:85⤵PID:3972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1360 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:85⤵PID:2912
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:15⤵PID:3064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:15⤵PID:4692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1764 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:15⤵PID:6004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:85⤵PID:6732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:85⤵PID:6740
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 --field-trial-handle=1988,i,7788134946808019528,2257799460770922566,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:6152
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff035446f8,0x7fff03544708,0x7fff035447185⤵PID:4232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13529602371483321212,12909143515936426563,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:25⤵PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13529602371483321212,12909143515936426563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13529602371483321212,12909143515936426563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:85⤵PID:4812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13529602371483321212,12909143515936426563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:15⤵PID:1300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13529602371483321212,12909143515936426563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:15⤵PID:640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13529602371483321212,12909143515936426563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:15⤵PID:5888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13529602371483321212,12909143515936426563,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:6368
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"4⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.0.1904468946\1023248259" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e120f49f-a283-4b0c-9a0e-1941c72a80ac} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 1840 1fec9b0dd58 gpu6⤵PID:4616
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.1.739466369\273141195" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2464 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba8fed86-442a-4dbe-aa36-6c6387a363dc} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 2488 1febcd87e58 socket6⤵PID:4388
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.2.1683540049\778854434" -childID 1 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92be254f-5b4e-4710-b445-452508ab0954} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3472 1fecc75ee58 tab6⤵PID:948
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.3.2101383999\491147042" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3444 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24ffaf10-d5d6-4c88-ad24-df5d3f97756f} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 3148 1febcd84d58 tab6⤵PID:5520
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.4.106876412\1321219304" -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfbd4b80-0ffd-479d-80fb-c15b5d7c035b} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5284 1fed06eb858 tab6⤵PID:5416
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.5.1105132632\1145449681" -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f490a2a6-f6a4-4d9d-b509-25114076ebe8} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5464 1fed06eb558 tab6⤵PID:5996
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1900.6.176248164\1892384978" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 900 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dde300c-5ca9-42a0-baa3-4fd78b1e9c9f} 1900 "\\.\pipe\gecko-crash-server-pipe.1900" 5352 1fed06ebb58 tab6⤵PID:5860
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5128
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:5136
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5268
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3848
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
67KB
MD551c3c3d00a4a5a9d730c04c615f2639b
SHA13b92cce727fc1fb03e982eb611935218c821948f
SHA256cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA5127af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542
-
Filesize
36KB
MD5103d7813f0ccc7445b4b9a4b34fc74bf
SHA1ed862e8ebd885acde6115c340e59e50e74e3633b
SHA2560ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA5120723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
-
Filesize
240B
MD563df501a05562018dba4259d554372eb
SHA1d90b92e69e73b2854f029a577a5e6287d63af43d
SHA25623235cf1eac94ffb816cf250c2e09eb48550fd1093fc1d8a025939821a9689aa
SHA512788ee640230f2a15abc223278fa3efa18971e40ad8d35f4ee0680c9f0fe41080e40eb297d854364370252da32413dd20739cda3753a9c890142f59ceb834d4df
-
Filesize
2KB
MD51e406863ccff21bdcafeacf6cd036296
SHA1b765852ad04c5f0308d6a43104f88d3c95e125de
SHA256bd6f16ddc8d7ea073c22dffa159dc6429a9288082703c9edea33db055fe56f2c
SHA5127899b5937ee044073b5a95a1de4aa018890ee574f2c92ee978f33dcecf2f123979e9141c40025936a2039471bda5b26642f343d2759d75a736ebdc02cc70f9d9
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
524B
MD58d3d09f484d5cc30cf4dea933298c937
SHA1b07a72d05f7ac170f15dd917bba4b2372f1f9bce
SHA2563cab676813c7536568fadf2187e15e5cfd9e3a4d4a7de49d46db5c937bde5cfd
SHA51220519d2d9d6ec7778e2dda1097a5d68eacf3c4cad11dec84f5c266ead6f397fc4e2aafb9393dd360661459c11f28d15ce7aff5a6c8b7951a76bf1bfd13482b67
-
Filesize
7KB
MD5a5ce07fac5551730069b79d7dad73b4e
SHA171c1e082b9fca2b6f8ba53fd4a4cd25947c8a024
SHA256f8845f95d55f53a388124163c30a4fc58e0ae69850437236a5fb92a9757f2fa9
SHA51253b65ef62ba1568540786b8256e4c84f50cb1576b1f33514ecfe7f7e366e998d61210cd7b6ef0208aa557d3103380cee82783e331684fc19a8d50775b37bf969
-
Filesize
145KB
MD565e671e312b2f0081dc88b4ea529f6cd
SHA15ca45dc109650a7ada0b9ddb5bfd17fa8e02a1ef
SHA2564b6dcb44e625671382704fab7dbe4c8e65c24079eb37905108849c70e60da830
SHA5122368cb58e32febb76c33630c915c90da08d9b63ec88d10b72bea8f4e188ecf3a623eb1d967c14b900eedd9d8417a69a265874f0cb1abb250449aea1f131d7591
-
Filesize
146KB
MD579cb3346e82c58a1032a36269b978f7e
SHA16058e3a4815ff65498b240160f98720cd8147d67
SHA256af2e173490ea758ab5839a097f7a208051f99f84ba926ad89b4fc83d323b219a
SHA512330e8a5f4b6313c4b0aa2094e3a0ecc0e79455123a14c415959e387d1fa8138957dfe6f9571163870b43c096f50f6926d8dc70e0292764ffcfeff3116af8250f
-
Filesize
146KB
MD562a9e3aec641da649de6f7e0c5a24512
SHA1eceee92e2f0dc0bafcaaa7d3f2912199f22fa63e
SHA256fa00f5447a340152a120fe9b71c28e4cfdb7291a65e49280cc974609b8529b5f
SHA512b3240592f82c189865b1f49f33ef0dc046ef7b2cfbadbd0b1687881a75a30754ba4f2cbf384240ae4890d89938af77f5cdfa1b46137303b423763e09789cea71
-
Filesize
152B
MD50331fa75ac7846bafcf885ea76d47447
SHA15a141ffda430e091153fefc4aa36317422ba28ae
SHA25664b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a
SHA512f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2
-
Filesize
152B
MD5f0f818d52a59eb6cf9c4dd2a1c844df9
SHA126afc4b28c0287274624690bd5bd4786cfe11d16
SHA25658c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61
SHA5127e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD5d79b850771a554269588913e9e4f59a4
SHA1621d311c27962f88726020632c8efc5fac347dff
SHA256bac06632264aa10515e3b5f257c40b229312b418c0afab3cf87c402452bb15a9
SHA5121e053aa03b58a1274d8e3137ece8780d1176af3fa231c945bdbe129f0193f1bd8544820aa2e27e6a56e9c576a5d70673dcf55290c24fee8f194380ecd8f49988
-
Filesize
1KB
MD5cd0c83b902cc047fb52d656af7a18c7d
SHA14d722262f95c745534d81c5ecaf8070aa5d9064a
SHA2569ece23ded5cfc0640f64fa56aac968551494746527d03d8c3138f41194b2dd70
SHA51260a6e664112bbc0cfcfba8cbb6ea3086e35d687d8ec4065c664b20fc19a868268cd9dd019b341eb47ccfb50caf685a119f3e34c053f9fc15a9c6d586c8dd1b62
-
Filesize
6KB
MD5d168fc9121d30a0c7249890509c3f7a7
SHA15688dcf87cb408ff93b75b56bb8d49b566b5f238
SHA25622d48a2236910b27f03ca1956ae3652a83c580cc52587b82d0b66b8dcbffd2d7
SHA512803c52529890ed09b522e77d88715feab4b8146dde8cb063c31e899399a3882f82d5004a34186093d0f029681d66113161f49b93cd5dfa3fb0c49468f262db96
-
Filesize
6KB
MD56ece4a2d5f442540132aa1c23230c02a
SHA1dcb5b2c169c0743cca386826ec55a7501041a922
SHA2566ac02070b171cc4e98ebf05a4e4e61e80f64fd61bdf9ad9160533404bd5f586c
SHA5127109a3edfcb8584c7fa07f7a131466e02a058b11024facaf891f1688e1d6de508324aacacece3033069ea8b8b4f4c618520a70e69a8d820ccec03666764ce2d3
-
Filesize
11KB
MD51a8e72e8fc4ea522c163a4c5224cc1c0
SHA1f3bb50d88c0321ffe08273c945f49cceb74258c2
SHA256950baa8c29f3d220879c8c91a6e35e7a0d68157a0c66ccf3f8d1e611ad9aefeb
SHA5126d7be71ccd4f7efa0a0e5ca6b5d095f4502241b3ba72f7e7cd9c9b976752e9c0cb09c43dda66fd81cc6d496d4e487c36c8c973dcb50f220fbd98fe006d451bcc
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
MD51779000332ae233c24d87047ca24b878
SHA1139a0ae67ab9564d06ddfca9ed040c4562a63014
SHA25621c09879dd3687fae1f63ae5e1083337baec70f312dcf2d4bf62b66b0c3c46f7
SHA512eb98bce2b7f7625e65a9c05164f6ab4c072e6d635bba3c0b578d0b539fd2b9a32961fcf71432bc909873ee959517a301e8bc5defa46be368ed36de52458bc6b2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD5deeb5ee8876d62624b05e6a15bf04c30
SHA147db16d4dc2a16cce38ee83a4f3ce70903f669eb
SHA25678559f6702845feb6578ba4e17ffe12d2948f4ad3b53729d614567406f16ae8c
SHA512ae77398dbfaa82c015f095cab9611af455f7afab686d030e5a7145d576bdef66bee246c553f301131a9fb8d067e0d602761b139ac303e0f3a81b7fe62cfc07a3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD561aca69304519286fa8c3bbd36707eb6
SHA141df6f1b8675b4293ad903a606d4e958a973c328
SHA256dabe5dfea50144b4cc8f86360f6508edd6e6fa79d072d243afff3f3f36769b36
SHA5122d895962ade3603f32f29b2642df4be95a36d27caa3cd8c6e1ffba72303dd045841249f361d101d1a6276bc63d910d87812bfbe465ab0b2994003195b66a5ecd
-
Filesize
2.4MB
MD5372c9047c2f9bc0241a64b506054fa0a
SHA1a3dca1dc8b61381c1fca9f6951352aa5f6a2403f
SHA2563781240686f18f44cfb8397dfe462c164a00f0c4b08177b468129bc8c41a1f22
SHA5121ddc4dcc4e77ec0c147afe1606f50a989ae8cc8ecae67cc5fb122cf985b2aec84c4968fc2075ffeb0f666d1ca0669acef855e8e647e681a31dd1d5d70a0f13fa
-
Filesize
2KB
MD5c1b73be75c9a5348a3e36e9ec2993f58
SHA184b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize
1.8MB
MD59a078876b23608ca0de594f4feb973fd
SHA163355749469f7fabfe986fb3ae33bdc83834c061
SHA256149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d
SHA51245ecc1a2bb87619656cb9204aa9eb2955e4d502adb84d528f004afe038e256a68de46224602ccf7cc81cdb3e62e6cbf5111ab2e33e72b3d8c10f6f81ac5615d6
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
256KB
MD5cd8ec97ceb7e022022d2b511e2dcb277
SHA12755d904bec4af7121d5b9b43b523e888f3ac47c
SHA256a48cec75e3a7cc2fb1fd2c16c6393d2ec682c8b1a420b85ffe8a6dcb11fbc3e4
SHA512ab4973854d16707224503b21b843f47e8b696afc6056183d0ed0edce63b5bc9c23eba0eb577f2be5751b379f82039c1b466783e51781961a9d3c2f4d49206950
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
992KB
MD5de024e7a5941ed134515776026177725
SHA17795c75fdd3b01e82f609fbcc9748aa8af5bb85a
SHA256d18f372f526e90fd8a1f26bd898b3a7a86dec79098965b77d1b99225b0dc0b34
SHA512510abec1090a4e6183761f6fdce14456f7346cac73c5ef6b3f1a2d6be6d5200aedb2004dca536352a2bfcaf3fdf39f7ba46bfaf5c1ae9208714c6bca68ffe759
-
Filesize
6KB
MD54ec52e29396819e12e2ab6561f639680
SHA1a680c3092d3d0912f695fb32a92a6969fef8eea1
SHA2569ca5f0d5fecaf112b74758f493dd53a7b0e9cef242ef49e8ebe795644121d214
SHA51229f8805e6f415c7a8f558ecc0ead57af883654a61aa4ce2bacf43bc6e1abbc472e8ed78be69084cee96594254e232d4ace23fddaf46850a66aa0f463ad3b828d
-
Filesize
8KB
MD53f49b796453fd9b1a48157123572c56d
SHA143179e6889e6fc4a7ad7a0c60280707151f632a9
SHA256f77495dac16ceec9f9237246aaf0a77c5eb65f8456d148b128e87be373fbdd8b
SHA512ef3d49bb7ca041cacb7e646105f1c2d645b2c3161b90400b7f34bdb3d08530f3e1bff60c514bc19710d820fcffcf896d5873c89ca9b10898e3f7f15dfa8056ea
-
Filesize
6KB
MD536537c77a82a553daba7cf0dd40dd20d
SHA16877cb890cf0bd451fd379b621520642fe23d072
SHA2561d2fe1ec5dd960b42b255f1fb5fb728754b3bd5958f8fab4e5a144db2bcac19b
SHA512416f5a6b61717c61cc0dee8e2498118bf526dc78cc5081d45d679c5bb62389bb703c57ab86d985b1c9385bfe0acb3f9783ff340f40e0720cf18f51faa0f054c4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5f35ab01afc91e196204b7054c158fbbe
SHA1f92b6ec22c7370ae99918a9a8beb4418347b77f1
SHA2565072e856c6c090e6512228fabc07b4e0842520345bf85d1c21610287d182dea0
SHA5129bb91b5803c8abbaebaa13c63a5334b520a6404b5fc6126e9cc5c8323f9322c7e78869d7496e0cd7d1f25ec0fde9c79fd55b228e10b357448780d3a762a86dc8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e