Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 09-07-2024 05:38
Static task: static1
Behavioral task: behavioral1
  Sample: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
  Resource: win10v2004-20240704-en

General
Target: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
Size: 1.8MB
MD5: 8daf94b97ec9ab1d0cf61f9ef429808a
SHA1: 4e1a9a1813908a0c794eafb71779fb60b8418836
SHA256: 2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437
SHA512: 87447bd5188c56e67f98d0e6299bd3e4b486d8632f227b72bca9865985ac6a485253474eec0d9ff5fc15f142b4244059d0b79fc608373a104eb78490a0cdac48
SSDEEP: 49152:uHqhQXkeV1qTH+XymZrQDoh/y5qYtRdm8E/V:PhQXZcb+4e/yEsRZ
Malware Config

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
Attributes:
  install_dir: ad40971b6b
  install_file: explorti.exe
  strings_key: a434973ad22def7137dbb5e059b7081e
  url_paths: /Hun4Ko/index.php

Extracted
Family: stealc
Botnet: hate
C2: http://85.28.47.30
Attributes:
  url_path: /920475a59bac849d.php
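The two extracted configs are the most actionable part of this report: the C2 host plus url_path gives an exact endpoint, and Amadey's install_dir/install_file pair is the on-disk location the loader copies itself to (it matches the dropped path C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe seen in the process tree below). The following script is an added example, not part of the report or of any Triage tooling: it turns the config values above into indicator sets and matches them against proxy log lines. The config values are copied from this section; the log format, the log lines and every function name are this example's own assumptions.

```python
"""Network indicators from the extracted Amadey/Stealc configs, matched
against proxy logs.  Added example (not part of the report): the config
values are copied from the Malware Config section; the log format, the
log lines and the function names are this example's own assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlparse


@dataclass
class ExtractedConfig:
    family: str
    c2: str                                   # base URL exactly as reported
    url_paths: list[str] = field(default_factory=list)
    attributes: dict[str, str] = field(default_factory=dict)

    def c2_urls(self) -> list[str]:
        """Full C2 endpoints: scheme://host joined with each reported path."""
        return [urljoin(self.c2.rstrip("/") + "/", p.lstrip("/")) for p in self.url_paths]


# Values from the report's Malware Config section.
CONFIGS = [
    ExtractedConfig("amadey", "http://77.91.77.82", ["/Hun4Ko/index.php"],
                    {"install_dir": "ad40971b6b", "install_file": "explorti.exe"}),
    ExtractedConfig("stealc", "http://85.28.47.30", ["/920475a59bac849d.php"]),
]


def indicators(configs: list[ExtractedConfig]) -> dict[str, set[str]]:
    """Group indicators by type.  'url' = exact C2 endpoint, 'host' = the C2
    host on any path, 'path' = the on-disk install location Amadey reports as
    install_dir + install_file (a directory under the user's Temp folder)."""
    ioc: dict[str, set[str]] = {"url": set(), "host": set(), "path": set()}
    for c in configs:
        ioc["url"].update(c.c2_urls())
        ioc["host"].add(urlparse(c.c2).hostname or "")
        a = c.attributes
        if "install_dir" in a and "install_file" in a:
            ioc["path"].add(f"\\{a['install_dir']}\\{a['install_file']}".lower())
    return ioc


def matches_install_path(path: str, configs: list[ExtractedConfig] = CONFIGS) -> bool:
    """True when a file path ends with a configured install_dir\\install_file."""
    return any(path.lower().endswith(p) for p in indicators(configs)["path"])


# Constructed proxy log lines (not from the report): ts client method url status
SAMPLE_PROXY_LOG = """\
2024-07-09T05:40:12Z 10.0.0.7 POST http://77.91.77.82/Hun4Ko/index.php 200
2024-07-09T05:40:13Z 10.0.0.7 GET http://77.91.77.82/Hun4Ko/index.php?x=1 200
2024-07-09T05:40:20Z 10.0.0.7 GET https://www.youtube.com/account 200
2024-07-09T05:41:02Z 10.0.0.9 POST http://85.28.47.30/920475a59bac849d.php 200
2024-07-09T05:41:05Z 10.0.0.9 GET http://85.28.47.30/other.php 404
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def match_proxy_log(log_text: str, configs: list[ExtractedConfig] = CONFIGS) -> list[dict]:
    """One hit per log line that touches a configured C2.  An exact endpoint
    match is 'c2-url'; any other path on the C2 host is still reported as
    'c2-host', because the path is the part operators rotate most often."""
    ioc = indicators(configs)
    host_family = {urlparse(c.c2).hostname: c.family for c in configs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # malformed line: skip, do not crash
        u = urlparse(m["url"])
        endpoint = f"{u.scheme}://{u.netloc}{u.path}"   # query string dropped
        if endpoint in ioc["url"]:
            kind = "c2-url"
        elif u.hostname in ioc["host"]:
            kind = "c2-host"
        else:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "kind": kind,
                     "family": host_family[u.hostname], "url": m["url"]})
    return hits


if __name__ == "__main__":
    for kind, values in indicators(CONFIGS).items():
        print(kind, sorted(values))
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The host-level match is deliberate: bare IP C2s like these two are reused across path rotations, so a request to the host on an unknown path is still worth a ticket even though only the exact endpoint confirms the family.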
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  FHDAFIIDAK.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  FHDAFIIDAK.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  FHDAFIIDAK.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  explorti.exe

Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation  explorti.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation  b53af288d4.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe

Executes dropped EXE 5 IoCs
pid  process
2324  explorti.exe
3372  b53af288d4.exe
6868  FHDAFIIDAK.exe
6576  explorti.exe
2124  explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment.
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
Key opened  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine  explorti.exe
Key opened  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine  FHDAFIIDAK.exe
Key opened  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine  explorti.exe
Key opened  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine  explorti.exe

Loads dropped DLL 2 IoCs
pid  process
3372  b53af288d4.exe
3372  b53af288d4.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid  process
4276  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe
2324  explorti.exe
3372  b53af288d4.exe
3372  b53af288d4.exe
3372  b53af288d4.exe
6868  FHDAFIIDAK.exe
6576  explorti.exe
2124  explorti.exe

Drops file in Windows directory 1 IoCs
description  ioc  process
File created  C:\Windows\Tasks\explorti.job  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  b53af288d4.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  b53af288d4.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe

Modifies registry class 1 IoCs
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings  firefox.exe
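The registry signatures above mix two very different things: the VirtualBox ACPI table, the Wine key, the BIOS version strings and the Geo\Nation lookup are hit by the sample, explorti.exe and FHDAFIIDAK.exe, while the CentralProcessor and System\BIOS reads come mostly from chrome.exe, msedge.exe and firefox.exe, which read them for ordinary telemetry. The script below is an added example (not part of the report): it parses rows in the report's own "description ioc process" layout, normalises the native key paths, assigns each key a category and weight, and flags processes whose distinct categories add up to a threshold, so a browser reading CPU or BIOS info on its own does not fire but the dropped payload b53af288d4.exe (geofence plus CPU check) does. The rows are copied from the tables above (one per distinct key/process pair); the category table, the weights, the threshold and all function names are this example's assumptions.

```python
"""Score a sandbox report's registry IoC rows for anti-analysis intent.
Added example (not part of the report): the rows are copied from the
signature tables above (one per distinct key/process pair); the hive
normalisation, category table, weights and threshold are this example's
own assumptions, chosen so that browser telemetry reads do not fire alone."""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE = "2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe"

# Rows in the report's own "description ioc process" layout.
REPORT_ROWS = f"""\
Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ {SAMPLE}
Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ explorti.exe
Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ FHDAFIIDAK.exe
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion explorti.exe
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion {SAMPLE}
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion FHDAFIIDAK.exe
Key value queried \\REGISTRY\\USER\\S-1-5-21-2753856825-3907105642-1818461144-1000\\Control Panel\\International\\Geo\\Nation explorti.exe
Key value queried \\REGISTRY\\USER\\S-1-5-21-2753856825-3907105642-1818461144-1000\\Control Panel\\International\\Geo\\Nation b53af288d4.exe
Key value queried \\REGISTRY\\USER\\S-1-5-21-2753856825-3907105642-1818461144-1000\\Control Panel\\International\\Geo\\Nation cmd.exe
Key value queried \\REGISTRY\\USER\\S-1-5-21-2753856825-3907105642-1818461144-1000\\Control Panel\\International\\Geo\\Nation {SAMPLE}
Key opened \\REGISTRY\\USER\\S-1-5-21-2753856825-3907105642-1818461144-1000\\Software\\Wine {SAMPLE}
Key opened \\REGISTRY\\USER\\S-1-5-21-2753856825-3907105642-1818461144-1000\\Software\\Wine explorti.exe
Key opened \\REGISTRY\\USER\\S-1-5-21-2753856825-3907105642-1818461144-1000\\Software\\Wine FHDAFIIDAK.exe
Key opened \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 firefox.exe
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString b53af288d4.exe
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~Mhz firefox.exe
Key opened \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS msedge.exe
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer chrome.exe
"""

ROW_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(\S+)$")
SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+(?=\\)")

# (normalised key prefix, category, weight).  Weight 2: no ordinary reason to
# touch it (the VirtualBox ACPI table, the Wine key).  Weight 1: also read by
# browsers, installers and telemetry, so it only counts in combination.
CATEGORIES = [
    (r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", "virtualbox-acpi", 2),
    (r"HKU\Software\Wine", "wine", 2),
    (r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "bios-version", 1),
    (r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "bios-version", 1),
    (r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "cpu-info", 1),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "system-info", 1),
    (r"HKU\Control Panel\International\Geo\Nation", "geofence", 1),
]


def normalize(path: str) -> str:
    # \REGISTRY\MACHINE\... becomes HKLM\...; \REGISTRY\USER\<SID>\... becomes
    # HKU\... so the patterns above need no per-machine SID.
    if path.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + path[len("\\REGISTRY\\MACHINE"):]
    m = SID_RE.match(path)
    return "HKU" + path[m.end():] if m else path


def categorize(path: str):
    """Return (category, weight) for a key path, or None if uninteresting."""
    norm = normalize(path)
    for prefix, cat, weight in CATEGORIES:
        if norm == prefix or norm.startswith(prefix + "\\"):
            return cat, weight
    return None


def parse_rows(text: str):
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield m[1], m[2], m[3]            # verb, key path, process name


def score(text: str) -> dict[str, dict]:
    """Per process: the distinct anti-analysis categories it hit and the sum
    of their weights (each category counted once, however many keys)."""
    cats: dict[str, set[str]] = defaultdict(set)
    weights: dict[str, int] = {}
    for _verb, path, proc in parse_rows(text):
        hit = categorize(path)
        if hit:
            cats[proc].add(hit[0])
            weights[hit[0]] = hit[1]
    return {p: {"categories": sorted(c), "score": sum(weights[x] for x in c)}
            for p, c in cats.items()}


def flagged(text: str, threshold: int = 2) -> list[str]:
    """Processes whose score reaches the threshold, strongest first."""
    s = score(text)
    return sorted((p for p in s if s[p]["score"] >= threshold),
                  key=lambda p: (-s[p]["score"], p))


if __name__ == "__main__":
    for proc, info in sorted(score(REPORT_ROWS).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{info['score']:>2}  {proc:<24} {', '.join(info['categories'])}")
    print("flagged:", flagged(REPORT_ROWS))
```

The table keys on process name because the report's registry tables carry no pid; on a real telemetry feed key on pid so the three separate explorti.exe instances (2324, 6576, 2124) are scored individually.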
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid  process  (entries)
4276  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe  (2)
2324  explorti.exe  (2)
1904  msedge.exe  (2)
3372  b53af288d4.exe  (4)
2376  msedge.exe  (2)
4988  chrome.exe  (2)
6868  FHDAFIIDAK.exe  (2)
6576  explorti.exe  (2)
2124  explorti.exe  (2)
6660  chrome.exe  (2)
6792  msedge.exe  (4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid  process  (entries)
4988  chrome.exe  (3)
2376  msedge.exe  (3)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  process  (entries)
Token: SeShutdownPrivilege  4988  chrome.exe  (31)
Token: SeCreatePagefilePrivilege  4988  chrome.exe  (31)
Token: SeDebugPrivilege  1884  firefox.exe  (2)

Suspicious use of FindShellTrayWindow 56 IoCs
pid  process  (entries)
4276  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe  (1)
4988  chrome.exe  (26)
2376  msedge.exe  (25)
1884  firefox.exe  (4)

Suspicious use of SendNotifyMessage 51 IoCs
pid  process  (entries)
4988  chrome.exe  (24)
2376  msedge.exe  (24)
1884  firefox.exe  (3)

Suspicious use of SetWindowsHookEx 3 IoCs
pid  process
3372  b53af288d4.exe
1884  firefox.exe
6804  cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs
pid  process  ->  target pid  target process  (entries)
4276  2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe  ->  2324  explorti.exe  (3)
2324  explorti.exe  ->  3372  b53af288d4.exe  (3)
2324  explorti.exe  ->  1504  cmd.exe  (3)
1504  cmd.exe  ->  4988  chrome.exe  (2)
1504  cmd.exe  ->  2376  msedge.exe  (2)
1504  cmd.exe  ->  3480  firefox.exe  (2)
4988  chrome.exe  ->  1816  chrome.exe  (2)
2376  msedge.exe  ->  1220  msedge.exe  (2)
3480  firefox.exe  ->  1884  firefox.exe  (11)
1884  firefox.exe  ->  2060  firefox.exe  (34)
(Repeated identical rows are collapsed; the count of original entries is given in parentheses.)
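The WriteProcessMemory rows are the cheapest way to recover the execution chain from this report: every "PID A wrote to memory of B" row is a parent-to-child edge, and following them gives sample -> explorti.exe -> cmd.exe -> chrome.exe / msedge.exe / firefox.exe, with each browser then spawning its own helper processes. The explorti.exe instances 6576 and 2124 that appear in the signature tables have no edge here, which is consistent with them being started by the scheduled task the sample drops (C:\Windows\Tasks\explorti.job) rather than by a tracked parent. The script below is an added example, not part of the report: it parses the rows straight from the report's run-together text, rebuilds the tree, prints each process's ancestry, and isolates the hand-off points where a non-browser parent starts a browser. The excerpt is the report's own row text shortened to a few rows per edge; the parsing, the BROWSERS set and the function names are this example's assumptions.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.
Added example (not part of the report): REPORT_EXCERPT is the report's own
flattened row text, shortened to one or a few rows per parent/child pair;
the parsing and the browser-launch check are this example's own."""
from __future__ import annotations
import re
from collections import Counter, defaultdict

SAMPLE = "2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Rows exactly as the report prints them, run together on a line: the parent
# pid is repeated after the child pid, then parent and child image names.
REPORT_EXCERPT = f"""\
PID 4276 wrote to memory of 2324 4276 {SAMPLE} explorti.exe PID 4276 wrote to memory of 2324 4276 {SAMPLE} explorti.exe PID 4276 wrote to memory of 2324 4276 {SAMPLE} explorti.exe
PID 2324 wrote to memory of 3372 2324 explorti.exe b53af288d4.exe PID 2324 wrote to memory of 1504 2324 explorti.exe cmd.exe
PID 1504 wrote to memory of 4988 1504 cmd.exe chrome.exe PID 1504 wrote to memory of 2376 1504 cmd.exe msedge.exe PID 1504 wrote to memory of 3480 1504 cmd.exe firefox.exe
PID 4988 wrote to memory of 1816 4988 chrome.exe chrome.exe PID 2376 wrote to memory of 1220 2376 msedge.exe msedge.exe
PID 3480 wrote to memory of 1884 3480 firefox.exe firefox.exe PID 1884 wrote to memory of 2060 1884 firefox.exe firefox.exe
"""
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(text: str):
    """Return (edges, counts): edges maps child pid -> (parent pid, parent
    name, child name); counts is how often each parent->child row appeared."""
    edges: dict[int, tuple[int, str, str]] = {}
    counts: Counter = Counter()
    for m in ROW_RE.finditer(text):
        parent, child = int(m[1]), int(m[2])
        edges[child] = (parent, m[3], m[4])
        counts[(parent, child)] += 1
    return edges, counts


def names_of(edges) -> dict[int, str]:
    names = {child: cname for child, (_, _, cname) in edges.items()}
    names.update({parent: pname for (parent, pname, _) in edges.values()})
    return names


def ancestry(edges, pid: int) -> list[str]:
    """Image names from the root down to pid."""
    names = names_of(edges)
    chain, seen = [], set()
    while pid in edges and pid not in seen:      # seen guards against pid-reuse loops
        seen.add(pid)
        chain.append(names[pid])
        pid = edges[pid][0]
    chain.append(names.get(pid, str(pid)))
    return chain[::-1]


def external_launches(edges, targets=BROWSERS) -> list[tuple[int, str, str]]:
    """Browser processes whose parent is not a browser: the point where the
    malware's chain hands off to a user application.  (pid, name, parent name)."""
    return sorted((c, cn, pn) for c, (_, pn, cn) in edges.items()
                  if cn in targets and pn not in targets)


def render_tree(edges) -> str:
    names = names_of(edges)
    children = defaultdict(list)
    for child, (parent, _, _) in edges.items():
        children[parent].append(child)
    roots = sorted(p for p in list(children) if p not in edges)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names[pid]} ({pid})")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, counts = parse_edges(REPORT_EXCERPT)
    print(render_tree(edges))
    for pid, name, parent in external_launches(edges):
        print(f"{name} ({pid}) launched by {parent}: " + " -> ".join(ancestry(edges, pid)))
```

One caveat when reading the tree below against these edges: the cmd.exe image path is C:\Windows\SysWOW64\cmd.exe although its command line names system32, which is WOW64 file-system redirection for a 32-bit parent (the resource tags list arch:x86), not a tampered path.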
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe"C:\Users\Admin\AppData\Local\Temp\2f5a6e5ac6b5c85737a2b0572f346bc0908d8d5404096a90aa02c165dbfcd437.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\1000006001\b53af288d4.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\b53af288d4.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3372 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHDAFIIDAK.exe"4⤵PID:6776
-
C:\Users\Admin\AppData\Local\Temp\FHDAFIIDAK.exe"C:\Users\Admin\AppData\Local\Temp\FHDAFIIDAK.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6868
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAEGIDHDHI.exe"4⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:6804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\4f925734ad.cmd" "3⤵
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe8,0x114,0x7fff7b01ab58,0x7fff7b01ab68,0x7fff7b01ab785⤵PID:1816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=2348,i,16204669358297779931,17005291241990697410,131072 /prefetch:25⤵PID:3088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=2348,i,16204669358297779931,17005291241990697410,131072 /prefetch:85⤵PID:1108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1964 --field-trial-handle=2348,i,16204669358297779931,17005291241990697410,131072 /prefetch:85⤵PID:2528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=2348,i,16204669358297779931,17005291241990697410,131072 /prefetch:15⤵PID:2516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3328 --field-trial-handle=2348,i,16204669358297779931,17005291241990697410,131072 /prefetch:15⤵PID:4828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4140 --field-trial-handle=2348,i,16204669358297779931,17005291241990697410,131072 /prefetch:15⤵PID:6028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3832 --field-trial-handle=2348,i,16204669358297779931,17005291241990697410,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:6660
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff7aec46f8,0x7fff7aec4708,0x7fff7aec47185⤵PID:1220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1460,17021345796155731442,17552426700676684093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:25⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1460,17021345796155731442,17552426700676684093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1460,17021345796155731442,17552426700676684093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:85⤵PID:3220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1460,17021345796155731442,17552426700676684093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:15⤵PID:1764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1460,17021345796155731442,17552426700676684093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:15⤵PID:3412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1460,17021345796155731442,17552426700676684093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:15⤵PID:5904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1460,17021345796155731442,17552426700676684093,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
PID:6792
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account" 4⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account 5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.0.142728596\147109042" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1728 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3ceafd5-4e96-4ee2-927a-d943507c4944} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 1820 118ddd0a658 gpu 6⤵
PID:2060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.1.997945239\1320466816" -parentBuildID 20230214051806 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3525aae-34fc-437a-ac81-e50541ba99fd} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 2456 118d0f85358 socket 6⤵
PID:3304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.2.2053606330\589560398" -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3312 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f351147b-dcba-4bf0-b2bc-a6a08d2deb99} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 3328 118e0b52658 tab 6⤵
PID:5044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.3.1188727214\440781790" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceb93061-f743-40a7-958d-beb54014042b} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 3660 118e2ae3658 tab 6⤵
PID:5328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.4.1981633515\556236337" -childID 3 -isForBrowser -prefsHandle 5108 -prefMapHandle 5132 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4509d5-9aa7-4c86-b0f6-b35a85bd1d92} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5140 118e484ec58 tab 6⤵
PID:6088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.5.1178938948\205963948" -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16d33b3e-7088-4b96-99d7-d6887596a9a7} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5376 118e484e958 tab 6⤵
PID:1168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1884.6.813325291\315920519" -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1268 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76006b91-1243-4312-8f44-1043a6a4b0af} 1884 "\\.\pipe\gecko-crash-server-pipe.1884" 5504 118e484ef58 tab 6⤵
PID:5216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe" 1⤵
PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:5312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6576

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe 1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2124
Network
MITRE ATT&CK Enterprise v15
Downloads