Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240708-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240708-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-07-2024 14:24

Static task: static1
Behavioral task: behavioral1
Sample: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Resource: win10v2004-20240708-en

General

Target: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Size: 1.8MB
MD5: bcde09af967815e43273739df8377583
SHA1: 89feb480e257720c9724f18bfd74b9ee5e309d18
SHA256: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f
SHA512: 47ef547940bde740dc9f024da5c16b94ed262e8e4e44e05501386407f737d39d707c9893546748f13577fc6562222faba0ed583cb094a0cbc8dbdf8691104ca5
SSDEEP: 49152:m+iJl1oBKPg8tUpaWSS2iRXPht4+4kSs:mlJTgIBUpaWDFTokS

Malware Config

Extracted: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted: stealc
Botnet: Nice
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GDGIJECGDG.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GDGIJECGDG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GDGIJECGDG.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation | a2b4ecf6b6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
4612 | explorti.exe
3412 | a2b4ecf6b6.exe
2684 | GDGIJECGDG.exe
5008 | explorti.exe
3076 | explorti.exe
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key opened | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine | GDGIJECGDG.exe
Key opened | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine | explorti.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
3412 | a2b4ecf6b6.exe
3412 | a2b4ecf6b6.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
Processes:
pid | process
2056 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
4612 | explorti.exe
3412 | a2b4ecf6b6.exe
3412 | a2b4ecf6b6.exe
2684 | GDGIJECGDG.exe
5008 | explorti.exe
3076 | explorti.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a2b4ecf6b6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a2b4ecf6b6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid | process
2056 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
2056 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
4612 | explorti.exe
4612 | explorti.exe
3412 | a2b4ecf6b6.exe
3412 | a2b4ecf6b6.exe
3860 | msedge.exe
3860 | msedge.exe
2940 | chrome.exe
2940 | chrome.exe
2044 | msedge.exe
2044 | msedge.exe
3412 | a2b4ecf6b6.exe
3412 | a2b4ecf6b6.exe
2684 | GDGIJECGDG.exe
2684 | GDGIJECGDG.exe
5008 | explorti.exe
5008 | explorti.exe
3076 | explorti.exe
3076 | explorti.exe
5728 | chrome.exe
5728 | chrome.exe
4828 | msedge.exe
4828 | msedge.exe
4828 | msedge.exe
4828 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid | process
2940 | chrome.exe
2940 | chrome.exe
2044 | msedge.exe
2044 | msedge.exe
2940 | chrome.exe
2044 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 56 IoCs
Suspicious use of SendNotifyMessage 51 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
3412 | a2b4ecf6b6.exe
4036 | firefox.exe
3184 | cmd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe"C:\Users\Admin\AppData\Local\Temp\3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\1000006001\a2b4ecf6b6.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\a2b4ecf6b6.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3412 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe"4⤵PID:5668
-
C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe"C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2684
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAFIJDGHC.exe"4⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3184
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\689230c112.cmd" "3⤵
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff83194ab58,0x7ff83194ab68,0x7ff83194ab785⤵PID:180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1908,i,1716705132359642402,13913414439058734256,131072 /prefetch:25⤵PID:5056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,1716705132359642402,13913414439058734256,131072 /prefetch:85⤵PID:1044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1908,i,1716705132359642402,13913414439058734256,131072 /prefetch:85⤵PID:4380
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1908,i,1716705132359642402,13913414439058734256,131072 /prefetch:15⤵PID:1612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1908,i,1716705132359642402,13913414439058734256,131072 /prefetch:15⤵PID:4692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4196 --field-trial-handle=1908,i,1716705132359642402,13913414439058734256,131072 /prefetch:15⤵PID:3416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1908,i,1716705132359642402,13913414439058734256,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:5728
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8316546f8,0x7ff831654708,0x7ff8316547185⤵PID:1004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5117792185639978359,12512067436262874589,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:25⤵PID:2188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5117792185639978359,12512067436262874589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,5117792185639978359,12512067436262874589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:85⤵PID:2696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5117792185639978359,12512067436262874589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:15⤵PID:2056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5117792185639978359,12512067436262874589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:15⤵PID:4856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5117792185639978359,12512067436262874589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:15⤵PID:4544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5117792185639978359,12512067436262874589,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2916 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4828
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"4⤵
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4036.0.156329323\677597865" -parentBuildID 20230214051806 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 22176 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {674747fb-a948-426f-be2d-057cfe6868fa} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" 1792 202c9a10e58 gpu (depth 6)
PID:4168
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4036.1.1303714060\1302402484" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 23027 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19d3551e-dd4b-48f0-8c2a-a1da7b8a0a4d} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" 2440 202bce8a558 socket (depth 6)
PID:820
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4036.2.1163302971\1457665546" -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 2944 -prefsLen 23130 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3de6c1ca-0a60-4379-9dd0-29ff2416de64} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" 3240 202c8995e58 tab (depth 6)
PID:3632
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4036.3.1032873075\1495142577" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3800 -prefsLen 27624 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e600b6e5-78df-47de-a49e-c27008351106} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" 3860 202bce81958 tab (depth 6)
PID:5404
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4036.4.104659925\1898267320" -childID 3 -isForBrowser -prefsHandle 5056 -prefMapHandle 5068 -prefsLen 27624 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35ed0f7f-58f0-48dd-85b5-952cc647a39b} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" 5036 202d07b6858 tab (depth 6)
PID:5840
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4036.5.1197080285\1330252084" -childID 4 -isForBrowser -prefsHandle 5200 -prefMapHandle 5208 -prefsLen 27624 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1421a24f-883a-49f0-9c11-5d25aefa2e07} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" 5284 202d0894258 tab (depth 6)
PID:5860
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4036.6.1739940736\948223424" -childID 5 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 27624 -prefMapSize 235121 -jsInitHandle 1020 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2849fbad-ef7c-48b9-8d0f-ca8de965413b} 4036 "\\.\pipe\gecko-crash-server-pipe.4036" 5304 202d0892158 tab (depth 6)
PID:5868
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" (depth 1)
PID:2876
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding (depth 1)
PID:3184
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding (depth 1)
PID:2224
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5008
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3076
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 36KB
MD5 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1 ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
-
Filesize 216B
MD5 03a8bbdcc94a498b10158e79f92e1d23
SHA1 65038c209f4b49ad0ef1d393d618671a82b9e0af
SHA256 61813863c361df07b7c027b757a98084d972eb014d82b69346645c359648f24f
SHA512 9f5edb70dc71d32db3dd14946b1b48ea1ba64431e367e219f5f60da5d86ab82dc09501a9fc7218719a551afe80b6247f9c23f2cacedce2031217765b27948619
-
Filesize 2KB
MD5 62b1068c0b7c8bff3f04ccb5e9cffab9
SHA1 d98e3138c1247d85081c02f3550295f64d140c14
SHA256 5f64b9744821e1e048bf2614ee31a262ca00a16290be1aad27704cd8365e8f7b
SHA512 6a14b050dcde54400fadfd1e9b326790b768ad9b8939b4152fa62ea637add4fc6337bef9390f2edeb5e3fcd7a577a736913465649b2ebaf1b285caffb3758d26
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 522B
MD5 54e638d901280f87b04cf90444011629
SHA1 5ae551c2c6c7a6382f9db0577ca9f0c0be3c4d38
SHA256 fa3a5bcc4a3ce5cfbcfc89638ff74e9a4154219a5d904c01d0f09915dd6c7d3a
SHA512 d6142a2c29ad0c93d442dd6a5a34ceebaec2a93e2eca61de7dd969672360aaefe5d0237140a17c8e4a56b836e35183602134d457ac88ba0e5e77859cacc59924
-
Filesize 7KB
MD5 8872a0e011919400a2c23411942f321f
SHA1 82e0b85a5c17ae76fd3233a6b943ef7561968dfd
SHA256 22cdbe4c1d60ca69d3762ed80e91f67f18c66dab7d5ff188a4ba4e7f969871cb
SHA512 bf350cd42bb4abd1733f3fe349b1bab2f4c79966f41940c7c49f53474c51b710cb10720b220b7d39e398caa871029b5e2e489109f2e07a6772ca47f7d64f8401
-
Filesize 144KB
MD5 73ec9214172c94f25980a5e2b2eeac06
SHA1 0c3106682b8edc13df9bb733a1bfc84c30a97653
SHA256 180f77dbd7d482e403063a2ab5c44e76799cee0b997ee23faa19396a4a901944
SHA512 1130a274ed011c0fde2584ac0451129725a98ffca96ee738b87d9a711f553e04de5e9a43880ec053d682da1f11d6718bef215bb9bc504282cd8b4e78f80326c9
-
Filesize 152B
MD5 6ae84fc1e66cbbb7e9d28b0e12d64550
SHA1 100430bb653c896c11b94ac0bf2297a389ea5ad8
SHA256 856a9c0ac8c29f738a3501b6bd007fd8cbbac211e461b91f4caff52dd41da75c
SHA512 7fe7a8639d96118b843e67a6a6d397271b181dc6b049e6f7de77bee9c9214690b1b7f73164f7e463e117406dc978334ea02397fd639140598f60f89c6aaddbe8
-
Filesize 152B
MD5 97f8be9c465b0ed67c2415868506c354
SHA1 cdb221d6debcf55615d3b5f30796e32065046dd9
SHA256 b606a1ee10b65eb9077e7d2f3b34a0d7a1ed6a4802a169fe55449c975332ee02
SHA512 a0fe0ed30624658127316873137f4fc488a5916005e5e3f1f55b7d6442b54010c08d7037b94d0cf3c3316b1bb4acf91bad9e64ee6d15302e3cdd62bb18730542
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 240B
MD5 89d98c2056885784474267a8c743c546
SHA1 f549c17b3d4a6da6a26814379cd26be87b4aef98
SHA256 18e7242411ebee5b5114c636431641d783cdee5a9c39e37ec598e6071f0efd6c
SHA512 1c790d797b014f331be416f71d77ff3d9f11f29161dcfd0237b4a45eb741e904d0604c383514859be29c83488e2417135e36b27454684d9fbe1f48877e08c837
-
Filesize 1KB
MD5 7ae25a29f661695900f6bfe7c552a112
SHA1 505538fb8e1f445870a6cb67352d05d0352c2777
SHA256 ecaaf2d5249ca2aeb347db956c34009c1db4b5c5685ce20a281da858f4151f51
SHA512 90c06ece14f0b53ff8f97c3925f31024d7b7f199112a07a19d21226ea111e1dfeaec97c21f5537e773e61a39e9566ed4b2cebfaadea9d56633d0d8d96cf052ce
-
Filesize 6KB
MD5 a0f8673f6aa73aa601bea79b5d331a9c
SHA1 f4d40c534869d78fc299ca2aeba62dd0921f3b61
SHA256 1daf609d2258c878f9fdc1d6938206524d232fd7e7b066e0bf5c5abefe305392
SHA512 e6a3b414b289772f6468a8415c6001fffd1d0f894bcfc82bb42f2c2d1fa85a97817eb8d4184493091172706b390d230710eaf6d97cf74bd597f73cda62797aae
-
Filesize 5KB
MD5 f1692eb75674b90d4210449af59fd113
SHA1 872294c6a060df42965d32f1224efb229cddf1c8
SHA256 f55aa1db62f16c02a97f0c473bd93497526172636192dc0eb5376120549c6d71
SHA512 697833baeb7fb10b3eab8a99021e0434503923017a65c50eda1e5d6dae00917490593db98e6d121e32c142f5209dba4aeb5947ff530148827d4cf7d43c52474e
-
Filesize 11KB
MD5 a0b977c55a931d3e27cfc9c1f8b721f1
SHA1 3944fe4ec8766fb783d619fb457273712a4d972f
SHA256 537006c0f59bd3827fcf7f83cacb0af892315e2700c98ed5a961e3ab28c62dfb
SHA512 3a03e9e5aec9f51f4c0844fad5a52e31cf10b57e7a528953ee288986f166c819378b5c66011706bb114aa780d19fe1ae86971eb76082c64499f8d1775efed204
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\activity-stream.discovery_stream.json.tmp
Filesize 23KB
MD5 1c29875a1b0abf8551dfca48019824e2
SHA1 edb3f3a743d5d02eb91b601b2031700b3a02fff5
SHA256 c159bd55cca445e6ad2c41e22b5714357eb89fb6eb8b794003d03a783832d94f
SHA512 2d21a317087e04f9b3f27df6233c5385d3773406526e80b3ddb7f626f5eba93837df7610388326352c376014803aa06e2164473f8c8b5f54919a62eabfbbc85d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\activity-stream.discovery_stream.json.tmp
Filesize 23KB
MD5 48f63e71723f4084dea7a2508b3a6c41
SHA1 4a04394923f81a6377c3f8ec9f7876ca0f7e95f3
SHA256 d1f0d7e67f4112f1bb667822161aab1b6db56a5ba0166036c1f2b113cbccacd5
SHA512 f2e72874e12818bb943fa7ddb109937b55cd76327acb2031de0c170fdcaeb3e632d783caf9920c7796bd4114be900b88daf975fd4f2d6130906aefc84c94a18d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 f7a239e2586d131bbeb20b74d2b0e74e
SHA1 d2bbed40b4c38e2238e1e4ec57cd2c57e21722b8
SHA256 5881a7b7ab3bf1b2b33588ab7f3d3a2ef0bc9d590fc292dd26e99a25ed3d112b
SHA512 019b062b3be27976cfb49489f851806aeac5378658d425c59f9c9b9d666e4a1e29c2ba93f9a1658e18a695831cc3b0053e0e45635febc56139ad8c3c24ae5bae
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\cache2\entries\CB4F0A898744713F17C3A2E0C804B48F9D0DD468
Filesize 76KB
MD5 65bfc5fdcea2697855eb2251211005d3
SHA1 86c2964bbe054dc28a76e20473004d657b19c0e2
SHA256 3467a9e5cfe9e9125650abc58237e618c5464763c16e251c68a059a53d282a4b
SHA512 7abdf974c53928772efd384dd80da660a553d27e3ebccf2e3755872211442d480989f7c2e493166905d347bc3c3acb73b354b188157d623ad413066b78e3a11c
-
Filesize 2.4MB
MD5 4090bcb4c36bf660e37c44041456c55d
SHA1 b2c2363a5b69c1393b62b03bac15e9fc4557c715
SHA256 3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013
SHA512 0ce916ff673c9dedbfcdf3a5b29a8c0e46bfb87995c3fd0280a6660cbdcedc997ea974d5684c79edb726a5aca6e2631d63041d3d392d8f861d9a9a5b4e522182
-
Filesize 2KB
MD5 c1b73be75c9a5348a3e36e9ec2993f58
SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize 1.8MB
MD5 bcde09af967815e43273739df8377583
SHA1 89feb480e257720c9724f18bfd74b9ee5e309d18
SHA256 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f
SHA512 47ef547940bde740dc9f024da5c16b94ed262e8e4e44e05501386407f737d39d707c9893546748f13577fc6562222faba0ed583cb094a0cbc8dbdf8691104ca5
-
Filesize 442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize 8.0MB
MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize 192KB
MD5 ea3d9f6c9d45759cd86c0aa6c1ff4cc7
SHA1 c8c11fc706e0a529c21e0b8c3c8a63a996976c59
SHA256 6be5f0facc391af26c8475f947434b008850cacdd202c5ee96d05f466aa16fcf
SHA512 50e7a1892823953a14d2a413167d011da77916a800be26497ad9ccafdfe320163b0f3e11f18c8a5bf1d972dd52cefb29ff1bbd5fe2b76a1b53b130d117025aee
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize 992KB
MD5 15eabb2b5568d0b8ab08488d9af9f660
SHA1 7e5dd8244d34405e5159b8c2ed049544ff0a72b6
SHA256 499365c49bac5b7c47b03d1b02d322bfefbbf44cce3ddd0260810919ff02293c
SHA512 e65cb60dca82e0fe4972ab82d5bbbb4160b9af0e93d77d63418941c65aa40a50d4540e2dd54dd2932d1d4e06ae07add6b1e611ebf0760a6f7e33a95cd46255f0
-
Filesize 6KB
MD5 54da53b6cf2b9d2a99ed3983b53448f1
SHA1 687211864fe17f4f522d86e619da797d50210643
SHA256 db1ab131252a2f0fb558865abc80e191ad2dcec80ac1375cf5f360ab71f77be0
SHA512 e302b1017add92c112bf81d64f782b229da950cabeadac7700d8d1eecaed277e1c53eba3e9cd14b966dd26c0fec983de3f827ef33dfca223b3bed40c0c013e4a
-
Filesize 8KB
MD5 70cb3971cd87ad0cac465adcc5128e41
SHA1 d33eee45450d792a2d55c0acc330d735d914985f
SHA256 7fe8de58a9c847c53c5d0bb73670745545e29b073b11ff5de52415d12a8dcca5
SHA512 e482540dac195863bcb324e4894e672f8baab7807e06ab31c1031549b7dc727198d1c2ea18c6d2b79a8102cbf5eb9211a5ff525be90faf2228b1c607da3818d8
-
Filesize 6KB
MD5 642cc34b80fcb13b08afc6b4f9a18380
SHA1 9109179a05c4e19c4a3360c5a62b98e701e9187c
SHA256 319c730104991ed81a425144205a0ec7dda35be990cf516bfb689ebaf3333cfe
SHA512 61e526fc189558b9740936116ded16073a7657cd237eebe16cbf542b9d9098b221ab18d97037c5ee17f5a6e58f8c85c79177a30e5849a4f2a66cf44133742bb0
-
Filesize 6KB
MD5 bca74dd66ae005103b941518b4cf2ce7
SHA1 f43af90b6b17b83349484f6c3e4052931ae66bd5
SHA256 bfef57074cacc599769b72494d6387d21d26d690958e5ec3a85806404d931f28
SHA512 4786e8a1b9d5027e397dbecc96ea4d72ff36943852461674556ed3c108d829bcdb66764d1b149bc3b2cd43c75d7725c7155a307d0405e402db93045ee1750656
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 7780771e37c1bfa248de66431878267c
SHA1 f6232d76bd7827d36e4b144ce1b892f0b1fcbdd7
SHA256 e5874e04d2dc687f763a8ddc8af38f48a36767ec7e3dbd07e1734a96f5a9b9fa
SHA512 bd1d413509aead9ccd207d4284be52eedfe3547cc724a21f54764b8aed18b1fd9129a3b4e84e79bb8200211d68a4415384aaa25ef4bec40818d4c9c154b51ae5
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e