Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240708-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240708-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-07-2024 07:46

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20240705-en
General
- Target: file.exe
- Size: 2.4MB
- MD5: 510ef6656d676509abf2ff0e28ecda55
- SHA1: 0f61ea4fff3a4160ee5eadbec3ee35506c98b10f
- SHA256: 42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215
- SHA512: 08870978ef501a7dfe0a1f0042a5373ce70f50308f6929d1940434a27fdc61ec230ac0df4d80299ab82ec05ef6263a3bc40ebf82b17d32074f5ca6000764ba0a
- SSDEEP: 49152:TQ4wKF7TllIgRYTR+Y27rZ8xpIEHxHGfq779f2Ucsfly0RPnu8Cmvf:hTvIgRYTR/8wGEHxLn1TfIUPgmv
Malware Config
Extracted: stealc
- hate
- C2: http://85.28.47.30
- url_path: /920475a59bac849d.php
Extracted: amadey
- Version: 4.30
- 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php

Both C2 servers are plain HTTP on bare IP addresses. The Amadey install_dir and install_file together give the drop path seen later in the process tree, C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe.
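As an added example (not part of the sandbox report), the two extracted configs can be turned directly into matchable indicators: the Stealc and Amadey C2 hosts and URL paths as network indicators, and the Amadey install_dir/install_file pair as a host indicator. The proxy and EDR log formats and the sample log lines below are this example's own assumptions; only the hosts, paths, directory name and file name come from the report.

```python
# Added example: derive network/host indicators from the extracted configs
# and run them over constructed proxy and EDR log lines (not report data).
import re
from urllib.parse import urlparse

# Indicator values copied from the "Malware Config" section of the report.
CONFIGS = {
    "stealc": {"c2": ["http://85.28.47.30"], "url_paths": ["/920475a59bac849d.php"]},
    "amadey": {
        "c2": ["http://77.91.77.82"],
        "url_paths": ["/Hun4Ko/index.php"],
        "install_dir": "ad40971b6b",
        "install_file": "explorti.exe",
    },
}


def network_indicators(configs):
    """Map (host, path) -> family. A (host, None) entry covers any path on that C2."""
    iocs = {}
    for family, cfg in configs.items():
        for c2 in cfg["c2"]:
            host = urlparse(c2).hostname
            iocs[(host, None)] = family
            for path in cfg.get("url_paths", []):
                iocs[(host, path)] = family
    return iocs


def host_indicators(configs):
    """One compiled regex per family matching '<install_dir>\\<install_file>' at the end of a path."""
    iocs = {}
    for family, cfg in configs.items():
        if "install_dir" in cfg and "install_file" in cfg:
            pat = re.escape(cfg["install_dir"]) + r"\\" + re.escape(cfg["install_file"]) + r"$"
            iocs[family] = re.compile(pat, re.IGNORECASE)
    return iocs


def match_proxy_line(line, net_iocs):
    """Assumed proxy format: '<ts> <client> <method> <url> <status>'. Returns a hit dict or None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    u = urlparse(parts[3])
    key = (u.hostname, u.path)
    family = net_iocs.get(key) or net_iocs.get((u.hostname, None))
    if family is None:
        return None
    # exact_path False means: known C2 host, but a path the config did not list
    return {"family": family, "host": u.hostname, "path": u.path, "exact_path": key in net_iocs}


def match_edr_line(line, host_iocs):
    """Assumed EDR format: '<ts> pid=<n> image=<path>' (path without spaces). Returns family or None."""
    m = re.search(r"image=(\S+)", line)
    if not m:
        return None
    for family, rx in host_iocs.items():
        if rx.search(m.group(1)):
            return family
    return None


def scan(proxy_lines, edr_lines, configs=CONFIGS):
    """Run both indicator sets over the given lines; hits keep the report order."""
    net, host = network_indicators(configs), host_indicators(configs)
    return {
        "network": [h for h in (match_proxy_line(l, net) for l in proxy_lines) if h],
        "process": [f for f in (match_edr_line(l, host) for l in edr_lines) if f],
    }


# Constructed sample telemetry (not taken from the report).
SAMPLE_PROXY = [
    "2024-07-09T07:47:01Z 10.0.0.15 POST http://85.28.47.30/920475a59bac849d.php 200",
    "2024-07-09T07:47:05Z 10.0.0.15 POST http://77.91.77.82/Hun4Ko/index.php 200",
    "2024-07-09T07:47:09Z 10.0.0.15 GET http://77.91.77.82/Hun4Ko/payload.bin 200",
    "2024-07-09T07:47:12Z 10.0.0.15 GET https://www.youtube.com/account 200",
]
SAMPLE_EDR = [
    r"2024-07-09T07:47:20Z pid=3812 image=C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
    r"2024-07-09T07:47:21Z pid=4028 image=C:\Users\Admin\AppData\Local\Temp\1000006001\360b7d9cdc.exe",
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_PROXY, SAMPLE_EDR).items():
        print(kind, hits)
```

The host-only fallback matters in practice: Amadey fetches its payloads from the same server as its check-in, so a request to the configured host with an unlisted path (third sample line) is still worth an alert, just at lower confidence than an exact path match.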
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
The DSDT key under HARDWARE\ACPI is named after the ACPI OEM ID, which is VBOX__ only on VirtualBox guests; on bare metal or another hypervisor the open fails.
Processes:
- CGIEBAFHJJ.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- CGIEBAFHJJ.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- CGIEBAFHJJ.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation by explorti.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation by file.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation by cmd.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation by CGIEBAFHJJ.exe
Executes dropped EXE 4 IoCs
Processes:
- PID 3096 CGIEBAFHJJ.exe
- PID 3812 explorti.exe
- PID 4028 360b7d9cdc.exe
- PID 3208 explorti.exe
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine
- CGIEBAFHJJ.exe: Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine
Loads dropped DLL 2 IoCs
Processes:
- PID 2644 file.exe (2 hits)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger; it is a common anti-debugging step and every stage of this sample uses it.
Processes:
- PID 2644 file.exe (6 hits)
- PID 3096 CGIEBAFHJJ.exe (1 hit)
- PID 3812 explorti.exe (1 hit)
- PID 4028 360b7d9cdc.exe (5 hits)
- PID 3208 explorti.exe (1 hit)
Drops file in Windows directory 1 IoCs
Processes:
- CGIEBAFHJJ.exe: File created C:\Windows\Tasks\explorti.job

A .job file in C:\Windows\Tasks is the legacy Task Scheduler task format. Together with the "Uses Task Scheduler COM API" signature below and the Amadey install_file (explorti.exe), this is consistent with scheduled-task persistence for explorti.exe, which also appears later as a separate top-level process (PID 3208).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- file.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- file.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Six of the eight hits come from firefox.exe, which the sample launched through 33ff68ef98.cmd (see the process tree); only the two file.exe entries are attributable to the sample itself.
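The registry signatures above mix two kinds of hits: the sample's own anti-analysis probes (VirtualBox ACPI table, BIOS version strings, Wine key, geofence) and routine hardware lookups that the launched browsers also perform. As an added example (not part of the sandbox report), the following script parses IoC lines in the report's own "<op> <key> <process>" form, tags each key with a category, and scores each process by how many distinct anti-analysis categories it touched. The category names, the regexes and the score threshold are this example's choices; the IoC lines embedded below are copied from the report's tables.

```python
# Added example: classify the report's registry IoC lines and profile them per process.
import re
from collections import defaultdict

# Registry IoC lines copied from the report (one representative line per process/key).
REPORT_IOCS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CGIEBAFHJJ.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CGIEBAFHJJ.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation explorti.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation file.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation cmd.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation CGIEBAFHJJ.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine explorti.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Software\Wine CGIEBAFHJJ.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe",
]

# Category names are this example's own; each regex matches a key the report lists.
CATEGORIES = [
    ("anti_vm_virtualbox", re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.I)),
    ("bios_version_probe", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine_detection", re.compile(r"\\Software\\Wine$", re.I)),
    ("geofence", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("cpu_probe", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I)),
    ("system_info", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)),
]
# Only these categories count toward the score: browsers also hit cpu_probe/system_info.
ANTI_ANALYSIS = {"anti_vm_virtualbox", "bios_version_probe", "wine_detection", "geofence"}

# "<op> <key with possible spaces> <process>": the process is the last token.
LINE_RX = re.compile(r"^(Key opened|Key value queried|Key created)\s+(.+?)\s+(\S+)$")


def parse_ioc(line):
    """Return {'op', 'key', 'process'} for one report line, or None if it does not match."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    op, key, proc = m.groups()
    return {"op": op, "key": key, "process": proc}


def classify(key):
    """First matching category name, or 'other'."""
    for name, rx in CATEGORIES:
        if rx.search(key):
            return name
    return "other"


def profile(lines):
    """Per process: sorted category list and the number of distinct anti-analysis categories."""
    cats = defaultdict(set)
    for line in lines:
        rec = parse_ioc(line)
        if rec:
            cats[rec["process"]].add(classify(rec["key"]))
    return {
        proc: {"categories": sorted(c), "anti_analysis_score": len(c & ANTI_ANALYSIS)}
        for proc, c in cats.items()
    }


def suspicious(profiles, threshold=2):
    """Processes whose anti-analysis score reaches the threshold (threshold is an example choice)."""
    return sorted(p for p, info in profiles.items() if info["anti_analysis_score"] >= threshold)


if __name__ == "__main__":
    for proc, info in sorted(profile(REPORT_IOCS).items()):
        print(f"{proc:18} score={info['anti_analysis_score']} {info['categories']}")
```

Run on the report's lines, CGIEBAFHJJ.exe and explorti.exe score 4 (all four anti-analysis categories), file.exe and cmd.exe score 1 (geofence only), and chrome.exe, msedge.exe and firefox.exe score 0, which is the split a detection engineer wants: a single "Checks processor information" or "Enumerates system info" hit from a browser is noise, while the combination of VBOX__, BIOS version, Wine and Geo\Nation lookups in one process is not.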
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

All six hits come from the browsers the sample launched, not from the sample's own processes.
Modifies registry class 1 IoCs
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000_Classes\Local Settings

This hit is from the launched browser, not from the sample's own processes.
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
- PID 2644 file.exe (4 hits)
- PID 3096 CGIEBAFHJJ.exe (2 hits)
- PID 3812 explorti.exe (2 hits)
- PID 2500 msedge.exe (2 hits)
- PID 1696 msedge.exe (2 hits)
- PID 2588 chrome.exe (2 hits)
- PID 3208 explorti.exe (2 hits)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
- PID 1696 msedge.exe (3 hits)
- PID 2588 chrome.exe (3 hits)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- PID 4788 firefox.exe: Token: SeDebugPrivilege (2 hits)
- PID 2588 chrome.exe: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating (62 hits)

All 64 hits are from the launched browsers; none of the sample's own processes adjusts token privileges in this run.
Suspicious use of FindShellTrayWindow 56 IoCs
Processes:
- PID 3096 CGIEBAFHJJ.exe (1 hit)
- PID 1696 msedge.exe (25 hits)
- PID 4788 firefox.exe (4 hits)
- PID 2588 chrome.exe (26 hits)
Suspicious use of SendNotifyMessage 51 IoCs
Processes:
- PID 1696 msedge.exe (24 hits)
- PID 4788 firefox.exe (3 hits)
- PID 2588 chrome.exe (24 hits)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
- PID 2644 file.exe
- PID 2904 cmd.exe
- PID 4028 360b7d9cdc.exe
- PID 4788 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and image, target PID and image, number of recorded writes):
- 2644 file.exe -> 4856 cmd.exe (3)
- 2644 file.exe -> 2904 cmd.exe (3)
- 4856 cmd.exe -> 3096 CGIEBAFHJJ.exe (3)
- 3096 CGIEBAFHJJ.exe -> 3812 explorti.exe (3)
- 3812 explorti.exe -> 4028 360b7d9cdc.exe (3)
- 3812 explorti.exe -> 2452 cmd.exe (3)
- 2452 cmd.exe -> 2588 chrome.exe (2)
- 2452 cmd.exe -> 1696 msedge.exe (2)
- 2452 cmd.exe -> 3860 firefox.exe (2)
- 2588 chrome.exe -> 2376 chrome.exe (2)
- 1696 msedge.exe -> 4852 msedge.exe (2)
- 3860 firefox.exe -> 4788 firefox.exe (11)
- 4788 firefox.exe -> 1632 firefox.exe (25)

Every write here is from a parent into a process it has just created (the parent writes the child's startup data during process creation), so this signature records the launch chain rather than code injection into a foreign process. The chain it reveals is file.exe -> cmd.exe -> CGIEBAFHJJ.exe -> explorti.exe -> {360b7d9cdc.exe, cmd.exe -> browsers}; the browser-to-browser entries are the browsers' own helper processes.
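As an added example (not part of the sandbox report), the flattened "PID A wrote to memory of B A <image> <image>" records above can be parsed back into a process tree, which is how an analyst cross-checks the rendered tree and recovers the stage hand-offs. The record text embedded below is quoted from the report but trimmed to one copy per edge, except the first edge, which is kept three times to show that repeats are counted rather than turned into extra nodes; the function names are this example's own.

```python
# Added example: rebuild the launch chain from the WriteProcessMemory records.
import re
from collections import defaultdict

# Records quoted from the report (one per distinct edge; the first edge is repeated 3 times).
REPORT_WPM = (
    "PID 2644 wrote to memory of 4856 2644 file.exe cmd.exe "
    "PID 2644 wrote to memory of 4856 2644 file.exe cmd.exe "
    "PID 2644 wrote to memory of 4856 2644 file.exe cmd.exe "
    "PID 2644 wrote to memory of 2904 2644 file.exe cmd.exe "
    "PID 4856 wrote to memory of 3096 4856 cmd.exe CGIEBAFHJJ.exe "
    "PID 3096 wrote to memory of 3812 3096 CGIEBAFHJJ.exe explorti.exe "
    "PID 3812 wrote to memory of 4028 3812 explorti.exe 360b7d9cdc.exe "
    "PID 3812 wrote to memory of 2452 3812 explorti.exe cmd.exe "
    "PID 2452 wrote to memory of 2588 2452 cmd.exe chrome.exe "
    "PID 2452 wrote to memory of 1696 2452 cmd.exe msedge.exe "
    "PID 2452 wrote to memory of 3860 2452 cmd.exe firefox.exe "
    "PID 2588 wrote to memory of 2376 2588 chrome.exe chrome.exe "
    "PID 1696 wrote to memory of 4852 1696 msedge.exe msedge.exe "
    "PID 3860 wrote to memory of 4788 3860 firefox.exe firefox.exe "
    "PID 4788 wrote to memory of 1632 4788 firefox.exe firefox.exe"
)

# The source PID appears twice in each record; the backreference enforces that.
WPM_RX = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(text):
    """Return [(src_pid, dst_pid, src_image, dst_image), ...] in report order."""
    return [(int(s), int(d), si, di) for s, d, si, di in WPM_RX.findall(text)]


def build_tree(records):
    """Collapse repeated writes into one edge each; return (names, children, writes, roots)."""
    names, children, writes = {}, defaultdict(list), defaultdict(int)
    for s, d, si, di in records:
        names[s], names[d] = si, di
        if writes[(s, d)] == 0:
            children[s].append(d)
        writes[(s, d)] += 1
    targets = {d for _, d, _, _ in records}
    roots = []
    for s, _, _, _ in records:
        if s not in targets and s not in roots:
            roots.append(s)
    return names, children, writes, roots


def render(tree):
    """Indented text tree, one line per process, with the write count from its parent."""
    names, children, writes, roots = tree
    out = []

    def walk(pid, depth, n):
        tag = f" [{n} write(s) from parent]" if n else ""
        out.append("  " * depth + f"{names[pid]} (PID {pid}){tag}")
        for c in children.get(pid, []):
            walk(c, depth + 1, writes[(pid, c)])

    for r in roots:
        walk(r, 0, 0)
    return out


def launch_chain(tree, target_image):
    """Image names from a root down to the first process whose image is target_image."""
    names, children, _, roots = tree

    def dfs(pid, path):
        path = path + [names[pid]]
        if names[pid] == target_image:
            return path
        for c in children.get(pid, []):
            found = dfs(c, path)
            if found:
                return found
        return None

    for r in roots:
        found = dfs(r, [])
        if found:
            return found
    return None


def stage_handoffs(records):
    """Distinct (src_image, dst_image) pairs with different images; same-image writes are a
    browser parent starting its own helper processes, not a new stage."""
    return sorted({(si, di) for _, _, si, di in records if si != di})


if __name__ == "__main__":
    tree = build_tree(parse_wpm(REPORT_WPM))
    print("\n".join(render(tree)))
    print(launch_chain(tree, "chrome.exe"))
```

On the report's records the only root is file.exe (PID 2644), the path to chrome.exe is file.exe > cmd.exe > CGIEBAFHJJ.exe > explorti.exe > cmd.exe > chrome.exe, and the stage hand-offs are exactly the cross-image edges; explorti.exe (PID 3208) does not appear because no recorded process wrote into it, which matches its position as a separate top-level process in the tree below.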
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation shows parent/child depth; each entry gives the image path, its PID, the recorded command line and the signatures attributed to it.)

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 2644)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2856 not recorded; PID 4856)
    cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"
    (The image is under SysWOW64 although the command line names system32: the 32-bit sample runs under WOW64 file-system redirection, consistent with the arch:x86 resource tag.)
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe  (PID 3096)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  (PID 3812)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1000006001\360b7d9cdc.exe  (PID 4028)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1000006001\360b7d9cdc.exe"
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe  (PID 2452)
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\33ff68ef98.cmd" "
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2588)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2376)
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe8,0x114,0x7ffcc1a3ab58,0x7ffcc1a3ab68,0x7ffcc1a3ab78

            C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1592)
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=2204,i,9073871920818988928,12692420084278655731,131072 /prefetch:2

            C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 720)
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=2204,i,9073871920818988928,12692420084278655731,131072 /prefetch:8

            C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4908)
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1980 --field-trial-handle=2204,i,9073871920818988928,12692420084278655731,131072 /prefetch:8

            C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3172)
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=2204,i,9073871920818988928,12692420084278655731,131072 /prefetch:1

            C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4980)
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=2204,i,9073871920818988928,12692420084278655731,131072 /prefetch:1

            C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5468)
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=2204,i,9073871920818988928,12692420084278655731,131072 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1696)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4852)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcc14246f8,0x7ffcc1424708,0x7ffcc1424718

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4396)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16197652547206511000,10220604050895503790,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2500)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16197652547206511000,10220604050895503790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1992)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16197652547206511000,10220604050895503790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2292)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16197652547206511000,10220604050895503790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4476)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16197652547206511000,10220604050895503790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5236)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16197652547206511000,10220604050895503790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1

          C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3860)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
            - Suspicious use of WriteProcessMemory

            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4788)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1632)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.0.1806468969\1262569577" -parentBuildID 20230214051806 -prefsHandle 1644 -prefMapHandle 1636 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09d8ceb6-2ae7-41d9-a449-c877d99eeedd} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 1768 2ec9340cb58 gpu

              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1140)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.1.479519813\747318815" -parentBuildID 20230214051806 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3415adc4-79a1-47e4-9623-2f789e1ca03f} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 2404 2ec86585f58 socket

              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1488)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.2.1770496739\1049260896" -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3288 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b17c1a01-e41b-4417-8557-a04a060e4070} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 3308 2ec95b47158 tab

              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1628)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.3.1847370081\2024101374" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 2976 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {518a17f8-9250-4b75-a375-46d385b49fa8} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 3080 2ec8653e258 tab

              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5576)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.4.1620562378\1280373035" -childID 3 -isForBrowser -prefsHandle 5268 -prefMapHandle 5264 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c56e77a-065c-4958-979b-aaad650ef3d2} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5276 2ec9a24fa58 tab

              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5768)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.5.65728105\1456048352" -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5256 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9646486-74ce-48f4-89ab-9ecc75c01d38} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5152 2ec9a29bd58 tab

              C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5712)
                cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4788.6.1015121619\1788492683" -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b94065dd-d8bd-4d26-9d3d-6e75e7057c7d} 4788 "\\.\pipe\gecko-crash-server-pipe.4788" 5556 2ec9a29b158 tab

  C:\Windows\SysWOW64\cmd.exe  (PID 2904)
    cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKKEGDGCGD.exe"
    (No AKKEGDGCGD.exe child process was recorded in this run.)
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\CompPkgSrv.exe  (PID 4568)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  (PID 3584)
  cmdline: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\System32\CompPkgSrv.exe  (PID 5368)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe  (PID 3208)
  cmdline: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  (Top-level process with no recorded parent in this run; its image is the Amadey install_file dropped by CGIEBAFHJJ.exe and named in C:\Windows\Tasks\explorti.job.)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize 67KB
MD5 51c3c3d00a4a5a9d730c04c615f2639b
SHA1 3b92cce727fc1fb03e982eb611935218c821948f
SHA256 cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA512 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

Filesize 33KB
MD5 1c0c8433626cac08202f23a1dae54325
SHA1 3a5700eeeacd9f9d6b17c2707f75f29308658cd3
SHA256 7aad4c7a174a145a4f9f11506145b521631ee2cb1ca2f7617b900ba515b31cd3
SHA512 da693d1d63c9971cb80792063f0e8d3335edb67ee1dcde4040d0dc8f44398f99d9f683eaab8cf44ebf5cdb78eae6672d43fd9ed9b45a526a80a311d8c77bcc8c

Filesize 36KB
MD5 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1 ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

Filesize 216B
MD5 d12fcb0e5046323843b54f182ae8ce87
SHA1 fa987a4ae8a0ad2cdf23e0549c0e664c101b47fe
SHA256 984a7593cfbd659df70c0c34814b4d58fdda0f65507d39ae1d907c1502cc4d13
SHA512 2842ea9fac86f3f4af01367268d2be58ea09ac303bb5399b574400610019448724868eb67a07ecafd071b6bed288e32b85e7592faefc45b9ecdc4a76b6f86a0e

Filesize 2KB
MD5 6964393b2124389647b55d501f4df37d
SHA1 8d3ac22c55394420a24f5494e4fec89b3113ee51
SHA256 9946c3f61c1b8358860b3a020e2dbdb7b4f0af9d1d225029f8f92e68a40849b6
SHA512 f3a85fbd21e2b7712be62a36a3a6702f19ad081aa884c48029981ad205c80528fe3a9673ed77ddb11780d66d68eed135d3dbd1521f218dd7355970ec2df34d1e

Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize 524B
MD5 f12b2000e901c3698a1557644365371a
SHA1 611feec402cec8165e55c59b89057a112231f8ae
SHA256 4602ef4e918b5c3c323b0d02a3e068047b3f8794c4ccbd495b7a601d6ca08394
SHA512 8460576846d5efd0fd76ec61b6466b0d0f90a965314d05e13c732429dcdfc71241991f5249fdb55601ec9bb8cef3026179d5833967ef4c4628273f5cb04e730b

Filesize 7KB
MD5 5c2419faf1f7781a2b661640c89009cf
SHA1 dd98d65472f032dd02fd6ba9a10525e7897560ed
SHA256 aad980bbefc2370f461e1d23016d82861df6cbd2fb743b4931acb0067763a047
SHA512 00c5f8f9147bce29c8ff50865ea975517b5754b064dea023aa30adbdcb9dfa07e0f0628d96af97e14f319cb8cb010597a2c950688a86d0a68d10c169105897d4

Filesize 144KB
MD5 d4ae15f3299922f35858d36616806ea4
SHA1 815c59cf5c915cf1b80433df7068e0e5ec72cb5a
SHA256 9716f8eee9dd21b375e3dfdc0d9ec96b83511b2d9f408bb971f0498a48e3238a
SHA512 442d1145ed25c5298718eb3ca4cf4f1ee677edd83b4238771ed1c96c6dd165080cd57c29638f3292e23c4bb917b24f19537ea2f7acfa9f8a543a9d7921cb7652

Filesize 152B
MD5 6ae84fc1e66cbbb7e9d28b0e12d64550
SHA1 100430bb653c896c11b94ac0bf2297a389ea5ad8
SHA256 856a9c0ac8c29f738a3501b6bd007fd8cbbac211e461b91f4caff52dd41da75c
SHA512 7fe7a8639d96118b843e67a6a6d397271b181dc6b049e6f7de77bee9c9214690b1b7f73164f7e463e117406dc978334ea02397fd639140598f60f89c6aaddbe8

Filesize 152B
MD5 97f8be9c465b0ed67c2415868506c354
SHA1 cdb221d6debcf55615d3b5f30796e32065046dd9
SHA256 b606a1ee10b65eb9077e7d2f3b34a0d7a1ed6a4802a169fe55449c975332ee02
SHA512 a0fe0ed30624658127316873137f4fc488a5916005e5e3f1f55b7d6442b54010c08d7037b94d0cf3c3316b1bb4acf91bad9e64ee6d15302e3cdd62bb18730542

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 216B
MD5 c26c4d340466bdc32341c0ad7db273e6
SHA1 22ea8379e99e792a2a584123a1df45a93969e122
SHA256 5f733ae04dc3bebdd23c5bdcff838b965be8c86cf19f588be95405adb58f4dfd
SHA512 67f4861c653b1b104b47d4cae5a9e5f7b8bd524db60ea24735b892ae4c2fe98db91da69c2da4fc96a01683dbd7d1c78a2eee0b45083bc0f1f44a50bb4027b721

Filesize 1KB
MD5 efc07f3cfabd3289f48ceb174b5b7bac
SHA1 31f0ae1ddfe18a0f1d1de57f91f8422d13702891
SHA256 a073cb6a24531459969022e3fae389c02f31a20af921ea6c487a0138b3937a2b
SHA512 9c665b285c04444b5cffd38836f09c1e59c1807604a5fd882f72d1385e49449406f506941beb2ec363b75ac4c30a37c9e76f39985367f162bfac8c2fce35a480

Filesize 6KB
MD5 74dc3562414b9821082b8d0bed9b78de
SHA1 14694bbe4ecd9650b10b2e16575cbe8463791d1f
SHA256 7b1c5e2ed503e84ef032cdb8c6992798343a317ac4edc3c3902aba0fa45b9cfd
SHA512 f4eae5bafe3af367632be3a03c996ee1dbb166ff0a7dd014a68ab390b4cdfeeb2a72eed1767be3112dbbf9a7beb141d6d4b91cb5518672fe653e3dde86b93f01

Filesize 6KB
MD5 3f92b8a4aaaa0ae6a2ebb220860171d4
SHA1 87731637e8fe12aa6fef3bb7178d66eccd5a69db
SHA256 63654100f017b1b5b83590c906da26ba7db72d33e91ff78098ea995d22014138
SHA512 639f8de79cc474d53512be968487014e0ae343ee83b9bb9222c0d9d977dd13132c4f85c6ae3b108327a58d989be870ebcfe52ae575f111ffc05aeea0a510baa3

Filesize 11KB
MD5 493dd3dc1ba5a9d0a68cb1cce18cafb7
SHA1 9b102905970f2007552cfcc2666cedcfceb79ac1
SHA256 c4702776dd16dba7eb969b6fa2ab02a2ff5ecb4c6f8293bd2bc0e601e17b7cd2
SHA512 14ab5f421dbe41988ba0610a78a50977cbf1567b4ea83e56581e9cb3fbf26f834bd15756d06109917a7e5efcff87adbf9e4f593a092661e5c258df258f55a39e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\activity-stream.discovery_stream.json.tmp
Filesize 26KB
MD5 e91537d6edcf45d8a6adfd856840a99b
SHA1 9bd5dc659b7ed418105b33387f25be39241556d4
SHA256 5ad9e79e7af905c54ad98fb84e58aaec5001a4ba5d4fefac17a3f57b163ba029
SHA512 72a323c8756ed97d9d68208e5cfc23895df3fe0dc44894da1fba0ac5980cfb3ca3127dac4574199852b9f53af07f54d5a2e782ecf56d3d503e265292ef34fba1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lfb0fknb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 cc528ebb62584395e167948736457921
SHA1 fe7e93ca18b0634ea49c32dce5096de30062de89
SHA256 b3a4a388052d63134111e6eb55d901423c03e876cf4a0f7a637e82d48bc591f1
SHA512 351f37b602767903624a2bc2e1dbf64e3df5277604a367f81995f6b6f442b0a02d1eabd634d14686fb92a5e6eccdfde93f5dab7ad4ca36d10b3627f6d19f6563

Filesize 2.4MB
MD5 510ef6656d676509abf2ff0e28ecda55
SHA1 0f61ea4fff3a4160ee5eadbec3ee35506c98b10f
SHA256 42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215
SHA512 08870978ef501a7dfe0a1f0042a5373ce70f50308f6929d1940434a27fdc61ec230ac0df4d80299ab82ec05ef6263a3bc40ebf82b17d32074f5ca6000764ba0a

Filesize 2KB
MD5 c1b73be75c9a5348a3e36e9ec2993f58
SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

Filesize 1.8MB
MD5 845e518c85f1b978cd46242946ba6d4d
SHA1 2c9134231db03c35b788ac7b454b4cdf5698db22
SHA256 8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578
SHA512 b5c2a52db82c0467eff9f58406a62926b8a91a332853fb7774054eabba3e02adcc18dbdd2151cb6bdaba160cd74a9adea82b0add80da0dd164324b3d552bdaa0

Filesize 442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Filesize 8.0MB
MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Filesize 6KB
MD5 8565c63f0ecf958f4a8f4729d480c5f4
SHA1 a23e8a59fa8d4df5e1c1a3f373469ca47b58c7a5
SHA256 c5a10295a02255d3eca1966f6905c8eb1b59cf90e7ed54dba26fd9a147137349
SHA512 d9c0111654e000f71875d0dd45210632040ce2fad8f1900901cfcf88ae777ef3b355a491ea68f76bb535118f304009a16b7fdffc30d2e9d8f60c5785fe5e5ab7

Filesize 8KB
MD5 dfa03105aa1b0e81892e88a7322d8f84
SHA1 a84e542c9178dac8d7c0d9bdbe87c4f9102a744e
SHA256 c93b725f9ea9924aac88abd05f8a6878931c7ff8b627a67fa774b2abda455a1c
SHA512 87b92d8001f5e6f2b0ab922605734837a84e1b9667bedf4c654282b37976144833383a0b14d5ddfeec25421aaedc2b510a8ea35b178967fcafb0a4bf0079d2a3

Filesize 10KB
MD5 3dceff0621cf5facd76cf0968e610a6a
SHA1 3fc1643bfddbccda5805ffd94c397c841377e75c
SHA256 13e72925497b0e075f46ca4b1930de5e55179ce930545ab0a3a45abd1fa9b373
SHA512 bb40a646da0d67909e03117b761764dfcf49bfd6ea0d10914ff50b060b36fef97419c413cc02b350084383c0709b535f35fc49a3da91774aef91dc457e39203b

Filesize 6KB
MD5 052756ee94342a111f333de9bed70476
SHA1 b861a263a0eef64d99dbf34916dcb1070b85e092
SHA256 0d882365102335adda40fe0f7c037224a959baae55194ae9a8432c3f7f35bbdc
SHA512 5e25cc0aeef778178c1c09ea1be4b4472e5e9f2935466140503a83e0a3a3698163fa0681099021958e8e30698c015b063af4c851adbb5d053af31b7cb43de04e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lfb0fknb.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 86a705f5eea6a3520c49ae9868484a4c
SHA1 ca572cd26bf3924f5446f2ba3c33f83ddc5b9e67
SHA256 a1f5d1bf4af5e0563b1ef369d86c731561b4e3ff32780e77c6b94fced2ce8967
SHA512 066101efe8b6df90d918c4f1bd9266e9e4e457c1a2a53e0f36f35362b2e27514c1a93d225be75cf757601970ecefa95a0fc016a82eadce54281fbd30f29d6fc8

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e