Analysis
max time kernel: 149s
max time network: 155s
platform: windows11-21h2_x64
resource: win11-20240704-en
resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-07-2024 14:24

Static task: static1
Behavioral task: behavioral1
Sample: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Resource: win10v2004-20240708-en
General
Target: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Size: 1.8MB
MD5: bcde09af967815e43273739df8377583
SHA1: 89feb480e257720c9724f18bfd74b9ee5e309d18
SHA256: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f
SHA512: 47ef547940bde740dc9f024da5c16b94ed262e8e4e44e05501386407f737d39d707c9893546748f13577fc6562222faba0ed583cb094a0cbc8dbdf8691104ca5
SSDEEP: 49152:m+iJl1oBKPg8tUpaWSS2iRXPht4+4kSs:mlJTgIBUpaWDFTokS
Malware Config

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php

Extracted
Family: stealc
Botnet: Nice
C2: http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe, explorti.exe, explorti.exe, GDHIIIIEHC.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GDHIIIIEHC.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: GDHIIIIEHC.exe, explorti.exe, 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe, explorti.exe, explorti.exe, explorti.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GDHIIIIEHC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GDHIIIIEHC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Executes dropped EXE (6 IoCs)
Processes: explorti.exe, dd17347374.exe, explorti.exe, GDHIIIIEHC.exe, explorti.exe, explorti.exe
pid | process
4952 | explorti.exe
4956 | dd17347374.exe
6092 | explorti.exe
5320 | GDHIIIIEHC.exe
4588 | explorti.exe
4596 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe, explorti.exe, explorti.exe, GDHIIIIEHC.exe, explorti.exe, explorti.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000\Software\Wine | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Key opened | \REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000\Software\Wine | GDHIIIIEHC.exe
Key opened | \REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000\Software\Wine | explorti.exe
Loads dropped DLL (2 IoCs)
Processes: dd17347374.exe
pid | process
4956 | dd17347374.exe
4956 | dd17347374.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
Processes: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe, explorti.exe, dd17347374.exe, explorti.exe, GDHIIIIEHC.exe, explorti.exe, explorti.exe
pid | process
3712 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
4952 | explorti.exe
4956 | dd17347374.exe
4956 | dd17347374.exe
4956 | dd17347374.exe
6092 | explorti.exe
4956 | dd17347374.exe
5320 | GDHIIIIEHC.exe
4588 | explorti.exe
4596 | explorti.exe
Drops file in Windows directory (1 IoC)
Processes: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
description | ioc | process
File created | C:\Windows\Tasks\explorti.job | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, dd17347374.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dd17347374.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dd17347374.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: msedge.exe, chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies registry class (1 IoC)
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-299327586-1226193722-3477828593-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe, explorti.exe, dd17347374.exe, msedge.exe, msedge.exe, chrome.exe, explorti.exe, GDHIIIIEHC.exe, identity_helper.exe, msedge.exe, explorti.exe, msedge.exe, chrome.exe, explorti.exe
pid | process
3712 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
3712 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
4952 | explorti.exe
4952 | explorti.exe
4956 | dd17347374.exe
4956 | dd17347374.exe
1380 | msedge.exe
1380 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
6092 | explorti.exe
6092 | explorti.exe
4956 | dd17347374.exe
4956 | dd17347374.exe
5320 | GDHIIIIEHC.exe
5320 | GDHIIIIEHC.exe
5756 | identity_helper.exe
5756 | identity_helper.exe
5764 | msedge.exe
5764 | msedge.exe
4588 | explorti.exe
4588 | explorti.exe
2312 | msedge.exe
2312 | msedge.exe
2312 | msedge.exe
2312 | msedge.exe
4500 | chrome.exe
4500 | chrome.exe
4596 | explorti.exe
4596 | explorti.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: msedge.exe, chrome.exe
pid | process
4092 | msedge.exe
4092 | msedge.exe
4908 | chrome.exe
4908 | chrome.exe
4092 | msedge.exe
4908 | chrome.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: chrome.exe, firefox.exe
description | pid | process
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeDebugPrivilege | 4548 | firefox.exe
Token: SeDebugPrivilege | 4548 | firefox.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Token: SeShutdownPrivilege | 4908 | chrome.exe
Token: SeCreatePagefilePrivilege | 4908 | chrome.exe
Suspicious use of FindShellTrayWindow (56 IoCs)
Processes: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe, msedge.exe, chrome.exe, firefox.exe
pid | process
3712 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4548 | firefox.exe
4548 | firefox.exe
4548 | firefox.exe
4548 | firefox.exe
Suspicious use of SendNotifyMessage (27 IoCs)
Processes: msedge.exe, chrome.exe, firefox.exe
pid | process
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4908 | chrome.exe
4548 | firefox.exe
4548 | firefox.exe
4548 | firefox.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: dd17347374.exe, firefox.exe, cmd.exe
pid | process
4956 | dd17347374.exe
4548 | firefox.exe
2728 | cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe, explorti.exe, cmd.exe, chrome.exe, msedge.exe, firefox.exe, firefox.exe
description | pid | process | target process
PID 3712 wrote to memory of 4952 | 3712 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe | explorti.exe
PID 3712 wrote to memory of 4952 | 3712 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe | explorti.exe
PID 3712 wrote to memory of 4952 | 3712 | 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe | explorti.exe
PID 4952 wrote to memory of 4956 | 4952 | explorti.exe | dd17347374.exe
PID 4952 wrote to memory of 4956 | 4952 | explorti.exe | dd17347374.exe
PID 4952 wrote to memory of 4956 | 4952 | explorti.exe | dd17347374.exe
PID 4952 wrote to memory of 1376 | 4952 | explorti.exe | cmd.exe
PID 4952 wrote to memory of 1376 | 4952 | explorti.exe | cmd.exe
PID 4952 wrote to memory of 1376 | 4952 | explorti.exe | cmd.exe
PID 1376 wrote to memory of 4908 | 1376 | cmd.exe | chrome.exe
PID 1376 wrote to memory of 4908 | 1376 | cmd.exe | chrome.exe
PID 1376 wrote to memory of 4092 | 1376 | cmd.exe | msedge.exe
PID 1376 wrote to memory of 4092 | 1376 | cmd.exe | msedge.exe
PID 1376 wrote to memory of 1208 | 1376 | cmd.exe | firefox.exe
PID 1376 wrote to memory of 1208 | 1376 | cmd.exe | firefox.exe
PID 4908 wrote to memory of 3324 | 4908 | chrome.exe | chrome.exe
PID 4908 wrote to memory of 3324 | 4908 | chrome.exe | chrome.exe
PID 4092 wrote to memory of 2168 | 4092 | msedge.exe | msedge.exe
PID 4092 wrote to memory of 2168 | 4092 | msedge.exe | msedge.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 1208 wrote to memory of 4548 | 1208 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
PID 4548 wrote to memory of 4808 | 4548 | firefox.exe | firefox.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3712
[depth 2] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4952
[depth 3] C:\Users\Admin\AppData\Local\Temp\1000006001\dd17347374.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\dd17347374.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4956
[depth 4] C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDHIIIIEHC.exe"
PID: 3968
[depth 5] C:\Users\Admin\AppData\Local\Temp\GDHIIIIEHC.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\GDHIIIIEHC.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5320
[depth 4] C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJECGDGCB.exe"
- Suspicious use of SetWindowsHookEx
PID: 2728
[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\b83d7f3c05.cmd" "
- Suspicious use of WriteProcessMemory
PID: 1376
[depth 4] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4908
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd912fab58,0x7ffd912fab68,0x7ffd912fab78
PID: 3324
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=2108,i,17495545924091366735,2680901992094864889,131072 /prefetch:2
PID: 2264
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=2108,i,17495545924091366735,2680901992094864889,131072 /prefetch:8
PID: 2812
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1888 --field-trial-handle=2108,i,17495545924091366735,2680901992094864889,131072 /prefetch:8
PID: 5028
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=2108,i,17495545924091366735,2680901992094864889,131072 /prefetch:1
PID: 5100
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=2108,i,17495545924091366735,2680901992094864889,131072 /prefetch:1
PID: 4608
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=2108,i,17495545924091366735,2680901992094864889,131072 /prefetch:1
PID: 5380
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 --field-trial-handle=2108,i,17495545924091366735,2680901992094864889,131072 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 4500
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4092
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd910a3cb8,0x7ffd910a3cc8,0x7ffd910a3cd8
PID: 2168
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
PID: 3888
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 1380
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
PID: 668
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
PID: 1336
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
PID: 1620
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
PID: 5360
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
PID: 4072
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
PID: 1664
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 5756
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
PID: 5368
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
PID: 5188
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 5764
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,15539359475529471339,3075422259962393790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3464 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:2312
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"4⤵
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.0.1762333361\834312895" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9155d18a-06a1-4fd6-a3bd-9006dd9a5bf2} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 1860 1e59630ca58 gpu6⤵PID:4808
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.1.702745683\1291628078" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3450a890-ed03-432a-be20-c054631baa89} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 2440 1e589589058 socket6⤵PID:2484
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.2.1877074854\1996986553" -childID 1 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72386b27-b031-4a52-8af0-05732c02bc83} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3452 1e599273558 tab6⤵PID:5240
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.3.771763903\2098976949" -childID 2 -isForBrowser -prefsHandle 3164 -prefMapHandle 3252 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67376c26-5497-49b7-bc12-d81cf764c76e} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3116 1e59bc76d58 tab6⤵PID:5672
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.4.228938803\1301223090" -childID 3 -isForBrowser -prefsHandle 4636 -prefMapHandle 3216 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8805b6fc-c4a1-4de1-ab7b-df567a265a4c} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 3248 1e59d39ae58 tab6⤵PID:5152
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.5.1768019241\875648097" -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5356 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85c8ddf4-b50a-4d02-89d0-f90d4c47978c} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 5340 1e59d39c058 tab6⤵PID:5144
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4548.6.1877584664\323212175" -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd8db2e7-abba-443d-b14e-8d752637a8d2} 4548 "\\.\pipe\gecko-crash-server-pipe.4548" 5544 1e59dbdb858 tab6⤵PID:3588
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1524
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:368
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6092
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4588
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4596
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 6KB
MD5 c524c1503a685c90ebc5493131e29c9a
SHA1 5c8c2f7f59e04549fe97fbf3b82922ba1c04c331
SHA256 10b92fd7b964d5b49ad7249f47eea748b4a4f6d15f34b841f68f8d28ce77888e
SHA512 cce61f19b083b1b53b6ad3d14d093edbb711f53e1ac514b565e48acdf7e73471c5d0d8b430204cafba44748bf74253e2bbaa88b01916600471d4ddf5efa7ded8
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 216B
MD5 ca40ae836cd8342cd70fcf9af0eb1c82
SHA1 ef4bdb146498da808ef1f4e7ceca60561545bd18
SHA256 8a7ea1fe81c6bb77fb2c58d224bdb23e636e40fbdba1aa2ef24e103ac87af630
SHA512 61d76ea0882eb5e8ffd573c3a419742a527aaf0897328e1048a65fbfdc06725741c9765ecb5aba0147b5f96c7a1f77ea9ff4615a41d50abb34423d3eca79f196
-
Filesize 2KB
MD5 d4109f94f63d28b3e9786f46acb47709
SHA1 d9f7768358e4e92f3b00d671ba2f067276ea98b5
SHA256 f4d64f2500eeaa33e095f743298e0b4db6633e137f69380db5902737414c045d
SHA512 ed2e1407dd22073ec8fa069f113442d335792ea4d65c68fd0767971c8b8959e21a0efbf72681b9b1cf12541cbc563240449f66db878e891a2032347c1de1e348
-
Filesize 1KB
MD5 0ab7261f13782a2a3c1ed29c309168a9
SHA1 d0965420583ef6a4d64e470debd26977b919968c
SHA256 78ab46e2e959c2a67070c0f2f17711e8b20127f191219b7b885da43215b44b06
SHA512 1baa74b6d1ddc0ee8bcce486a32b6d337a12c966589d577c7c680c80f18d5a7a25ba9a946a0f599b0d403219a79d6107fde6adebb1d1cc245d54fe2c68621aa7
-
Filesize 1KB
MD5 fc261f2392914d80262501e81b8813cd
SHA1 b242e6f09b0709286e9b98f28f5954eb7342bcab
SHA256 3d2879a203036eac52f565c302d45bba1eb325a1bfe4395ac843f2649fb45bbb
SHA512 8ddeb4be515a06d7ed760d53d8d464f5e44f4767cbe7c62a7f2698ab97da5942d17b7f1a328e6acbbb8b427986e52ee65ba6b2a7dbbdda18d845c6194e2dfaab
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 524B
MD5 09847b3c3b528189cea0a56cffb13423
SHA1 18bbf491e0fc7797d58d5ac76c0e3228d59247c5
SHA256 7ada3df98e0d799eb2235b0050bdf9459672a4725a7c1cfb1dcdec8444ab0349
SHA512 426eb151bcc769d3a11c6dd4fd25768be29359b917944598ff13af1d45e99d3617b55c181fd8c56368e5481e8ac46e1402e3112d2ce7e337efd3649426e7517f
-
Filesize 7KB
MD5 2a45dd646fca3d63036f436de999d495
SHA1 d9116f475b2fecc7c200fcd7ee2e407fecbb34c3
SHA256 2afd4b61a93e4e56e7103c0dca7ef5e70b328e4449a4679456903a991edf493b
SHA512 473f218548bb9081b313308d1d21b90ce8d6a61936381ccb80fbf3e7b3823e11994905f2cae5991c0d7e6a33440c03f4158ebe48386b6ae156185e29bf5abd51
-
Filesize 144KB
MD5 c9ccb79fc56e0a8abd01131143ca116a
SHA1 1f171019466d5e0d153a7c2e3e738ecd736fcd7a
SHA256 4917b1220948173d1190d8ff396075e0f5e0e8a4be0a5eee7552a93efec4a231
SHA512 e000d554678885bc5f40b07711d618837e0df62bd1b40afbe280be135c8f62c324b6017c888e1b146f7960684eca2b2b86efdaa3c55ba78693bc1a68da4b2934
-
Filesize 152B
MD5 b03d35a1e3ffb7a9f63b3f24a32b8e85
SHA1 878b3c3c4877e1f132819392c12b7de69e1a500a
SHA256 832cc8b01bdcc3a2edda654aed8b35bd35b4b308f2843187157e805c61c90435
SHA512 fe947eea87acd7d8052bf802f5e1e0105379f07f84160ac51b7771c9d03ae0822b5d56e2ef09b13f0a16b53071df3001f4fe4f255307096477d3db2c9671ee23
-
Filesize 152B
MD5 8db5917f9989b14874593acc38addada
SHA1 e2f1f19709d00cef4c7b8e1bca9a82855380a888
SHA256 69518d96a22b831de7923bc73ef0ce86cd8394befe8e1c20bf4f95285a15cc63
SHA512 39a70a4207338e819b5dd8dcb5b2b4edaa136a27d51edadac3f76f7de224c54753173a13a55667129f0310b3bbc9f258da0a5b9a7f8b7be6c3c45b64a04e40a2
-
Filesize 67KB
MD5 51c3c3d00a4a5a9d730c04c615f2639b
SHA1 3b92cce727fc1fb03e982eb611935218c821948f
SHA256 cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA512 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542
-
Filesize 36KB
MD5 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1 ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 240B
MD5 0aca08489f75cdd3f21f3244eacefa89
SHA1 3c05d2bfda8e51c29d8936bfdf8732d881b46074
SHA256 b3f81f65afb244f18c2f7b57e86f5edbbdf4ea553b7ab09694c47414fc51efd7
SHA512 1dc3e8e273ac2460ca9857af6cd4f8180b7840931e94b05b91abf96f7de1768c378c6d2cef505bb9f6431328884430e7371555474df5d38c18f4abdfe7021d4a
-
Filesize 1KB
MD5 8f2e92f3427f26180271c3d6841ad7f9
SHA1 6874773ffd4912b5c0afad286361f3d8c1101ddc
SHA256 2004202cc8f02f3f2e3aee08a123a54f20e2154ffc2d62200c332cb7ac0690df
SHA512 0a658e58c6a3fe6aeba04435ff7375d48015a7205367ac630170fd1e5140df449f862230644b5d3da1af329020c48b5b4dbc4710e4ce9492554f46750154532b
-
Filesize 5KB
MD5 4add588fb908fa31cab4ccf382938ac7
SHA1 3e368ee5a9e3a757893d5f7826c097158d21a293
SHA256 91c342312a3d4cfcb4d41318b37e6fdc3ceaa8dff659274ba63f6b5ff957579e
SHA512 471c86cca87545673d4c4e1ee91aa6ec71e7082957218d5674c6a7f022aeb8a0c5dd56c580805dc61e33a321ffa0eea45fd58dc29abe899666a312547b068319
-
Filesize 6KB
MD5 43c17771042ac9449c61b61c9d4fd25a
SHA1 dfc39ddd662c589476e8de5cee2989f2df40014a
SHA256 60ac0e52e5c714902c4309d8dbdc97e93f8ea93d4e981cd2856bf2cfec7e306d
SHA512 0c13360fb7d7e6c0492c32595e9407f9736d075825445b7285c22e6a35ee6086ed6d3eca65940c03d317f1f1fb466c6c3a01e0649927992870bf21830481111a
-
Filesize 6KB
MD5 a8afcc0ea51f6ecdce1707cf0d2bb2d5
SHA1 70a33969e070a3c41d1b0e10cdea9413c6c314dd
SHA256 ee0b9b622292a38c6af85b95ea6d764bed380df41779cb3316866c5a9f73adc8
SHA512 6f5c8e7ba3ac4fb3d94520d6b76f846bb7fe18e7346cd4e5535acedf505550d38bf9ea96f7a4fe5bbfd9e2d57b8c21c7c60132ab7d4922642181d9a234294e64
-
Filesize 372B
MD5 5666315ff0a3a9caf077f11b9f27e1a9
SHA1 f32c5939f58a4476a5bdf0adbf111022cae9b668
SHA256 b2669b395436b8c60c9a2a7c7573572093c01b07e45d7bea027858e58f6a9758
SHA512 5e89003c8568007583f66d019ba31730353f0aa7c959d51d692df8ae6b76903c81d798547406fc1a49f504f0c322ee58caea7e1abcc895b22336bc869c16c99d
-
Filesize 204B
MD5 6d476492a3b23aa10ef267f3a22b6a4a
SHA1 36e728586583f1d2945b885859ec2b671cd77b3b
SHA256 f0d15399d1edfa571ffa375c6beeedd2d50419012bf07f84757ac2295ecbdfd6
SHA512 502f60e417cc96e87ddd13e0bab90ae98d70c0fa9c612363751b49b121f85bc5aa36de6107a8d371d33b2428478f85beed73464cc5d424debe9c79589fec4290
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 11KB
MD5 ff6d906f7ec423cdb90270bd3d005a32
SHA1 cca91e70d871950576a571fc4a03787a5b84643b
SHA256 4c863fc6b77d0fc2044bd6d2d877aca34c52bd88644868a118394840dafa7763
SHA512 345ee4ad40b7f1f755aaac6e4d383dfbe0b715a9d12eed4fa48625c656a9449c0485e1c284c22d69f77b409f2f75a0fdb1cb29d0a8b28e4588b86523828f9a07
-
Filesize 11KB
MD5 fd6ba7683d393c2600f632c4d1bcc540
SHA1 2075ad47ff06f478a6161579f2fbdcaba088cef3
SHA256 9fa7faee013361ea9c12735e4e408ddba190240acb05b08235bdc0abfdacbea0
SHA512 1d21fef4dbd193f63b258916e0fbeed277e8cb376d5c97d77ef761e6347fbbc0fdbd8a8f8bd4b75e9c5468eee0c2a02e76152e5a705303606e5e83fad8a9b483
-
Filesize 11KB
MD5 fcba8598a0dbb5b0424ff286c792d9d4
SHA1 ad4d69ac91d2c380870ded66e9ebcc61b050488c
SHA256 00247b22f0a9a6663a6aa880c3f1660a8f9284d47c50369b76bbc4bacbf84f83
SHA512 5dda3dd883f0654165e976b505e47da44b0feb23ca0fab58aa9cb37d09eabc4d9483731189e231395b5c3d6b8032a829cdd9b639ac50d45b19bd138c4f902598
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vzqinq9r.default-release\activity-stream.discovery_stream.json.tmp
Filesize 25KB
MD5 f8a4bd32e113ae63402d578e99ffbda2
SHA1 a7678ec6e065b031aa4d4e75006ec8e116cc09c4
SHA256 f0df51fa7a9eb1ecaca47682f021098e57a672a26ba578928c767c203c47ac6c
SHA512 a460a0fed8dbfeba1dc08ba61658ec56d17402d3f83c50bee396155b6cdaaa064b2a42dbb2223e708b287807cc9060d1fa2e73e6afac5a97d9966297927390c3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vzqinq9r.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 3857fb7643039d2eb83611ceab85f457
SHA1 be9399e501d00965dfb526f15a9f13c07f48ff73
SHA256 64f2757a97a4b130229d24ba9c71cd396830dcfd55fe25a9e7579ab350ecae3d
SHA512 f2e1b537d16d370fa6afd1d13c98af043b2bf1f585eea656c2b76c66420b0e0b6f8cf7eb1eaa4e7150d0355d6d7725a7dd22c84c5f5ad92f3794a0a484eaace6
-
Filesize 2.4MB
MD5 4090bcb4c36bf660e37c44041456c55d
SHA1 b2c2363a5b69c1393b62b03bac15e9fc4557c715
SHA256 3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013
SHA512 0ce916ff673c9dedbfcdf3a5b29a8c0e46bfb87995c3fd0280a6660cbdcedc997ea974d5684c79edb726a5aca6e2631d63041d3d392d8f861d9a9a5b4e522182
-
Filesize 2KB
MD5 c1b73be75c9a5348a3e36e9ec2993f58
SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize 1.8MB
MD5 bcde09af967815e43273739df8377583
SHA1 89feb480e257720c9724f18bfd74b9ee5e309d18
SHA256 3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f
SHA512 47ef547940bde740dc9f024da5c16b94ed262e8e4e44e05501386407f737d39d707c9893546748f13577fc6562222faba0ed583cb094a0cbc8dbdf8691104ca5
-
Filesize 442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize 8.0MB
MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize 192KB
MD5 04222fca21c772e24edb178687b91057
SHA1 fb5e541df4aa864a141f55463c3173a6a1bcc1be
SHA256 8e967003aae1805d0fd8d543ddafa8f35315818bb531203962886857b3fd98ad
SHA512 c48f0d86fe408e326162d0763b680e1b0148bf1b7b628702ba4e91a78d46402a5a5f7d8fb91e61500c44cb64e86cc802096f9c57652f5da8b8f38de1b5ea8870
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize 992KB
MD5 aa9ccbfd9e28573bcc733bd59e059f05
SHA1 bda904cc2176011aa7fa7987be4e36b1149fb22d
SHA256 46eab4df709e20a8f9f442efd56c3132c725dc679146b0d4f4b4fc9690939560
SHA512 ec3cda4e77d160ee4428ca630fef66ec601f3d69a65fc3932e354de98fe2c8fbbee82e2047eace7b994fd017765561e42a25538da2cbb2f784713be095fc59ac
-
Filesize 8KB
MD5 33f7132fe2b3cba07780fd0ee854803b
SHA1 bb6c59d78f9ecc7d7e4504d3062f9250275dd40b
SHA256 821782cb040bc59850cbd8f1f7cbd3e592b2891dfa69322fb8cb901a8944c48d
SHA512 4d27c91670174ecf60c9a0ec79bcccd194ac668d398964d06285909cd8ab376077c1ca431094ac28a837f03dfdea22274a83a2b690862e168af5c349d641a379
-
Filesize 10KB
MD5 eab7e5be9f45476e40194dd19cd77fd7
SHA1 1ac000a8271c33385840ca3c92dc7e71b93f066e
SHA256 06fbd422ea38034bce421e4cdbd8527e0f6fa71f6ea744ed5580da77170db20a
SHA512 59ceae8255446813f1a7a49f71c06d41ec15fe9574a61462ac83b5341196d9bb80c5cf51d17d2f8f55d3a97312f4140f137e9062781538d79496631e4e8e532f
-
Filesize 7KB
MD5 33f1573469927521be7d3bc46446bf92
SHA1 7c10198098080bcd6fd07769e88cf5991aa552be
SHA256 03c29474b5a52e8d1b527cc78862059b50aafc175528d16812017f481fa1d204
SHA512 cbf9eb5e4c03fa6385dced31d661b90915bd633072fb89ff480d5df93044962d4cb42f14eebecda229c5eea90a225996b252fa9f39de3b60070361721cf61470
-
Filesize 6KB
MD5 5fb5ddd396efa46b02026bfbb57a8d57
SHA1 81cadb382328569ba78d37cf2d59f5d20d861e04
SHA256 2679e6ecb96e4957c0527c12285d28b6151458682569966b31783f42df57c493
SHA512 737f2daf59651af234ceb4a55a448c0892405ba99a50d34c186ec0f6def76ff7ab6916c9134b233733e4fcdd9751955bde2b0b2e9062dffd19b4d0ab818f4ed1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 0ca72e6a583e4be5a52aa2350c24e7e8
SHA1 abbe7ceb20427e72fc4d61b8703612147053df53
SHA256 bd49fe63798e93696d959ca983862dd03165ae074b2c121f8255272f51251be8
SHA512 78d17de3683bfee4f321cf7452f875645263e19bc81599e0d1d265aef739024d0ed38404a6cb8561d7dc5febd83ffb61d475f12f5163037a8ff3f930916c5ee6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 9f120b62844ae3b72af0d95ce4710b33
SHA1 34e72ca8d2ade66006f56a82f6fe1f413e983b78
SHA256 28d6086fc8b79ff8eeadb5eac563f54e4ca428afe794d85b29b07f4019e7181e
SHA512 e6c596e15a70d295fa4a3b6aa63b117d1fc99dda53154c556e9c3aac76e85d428c5f7c046f3f8337dedff60e45f061551b8fa581eb7d1bac2ff9b39364a957d1
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e