Analysis
max time kernel: 149s
max time network: 154s
platform: windows11-21h2_x64
resource: win11-20240708-en
resource tags: arch:x64, arch:x86, image:win11-20240708-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-07-2024 09:07
Static task: static1
Behavioral task: behavioral1
Sample: 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe
Resource: win10v2004-20240704-en
General
Target: 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe
Size: 1.8MB
MD5: 8929afa1a3457a891a9465298af056b7
SHA1: 681f6f803d56189f8d1c432171d5e423955512a7
SHA256: 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a
SHA512: 460f9f93b9ff1b434ad6560cca6d25f7e96a16696313dde1f6a0faeae3e1b6f1771adc994b106c58760dd8ca7325ea22e50e33f76075c3879099a8750799a6dd
SSDEEP: 49152:iXarkhVguZ1MX3ToNyjvdragK/a10cRUk1L:L+VPZs3TogjNag0cL
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
url_path: /920475a59bac849d.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM): 2 TTPs, 6 IoCs
Processes:
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- HCGCAAKJDH.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorti.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Downloads MZ/PE file
Checks BIOS information in registry: 2 TTPs, 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- HCGCAAKJDH.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- HCGCAAKJDH.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorti.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE: 6 IoCs
Processes:
- PID 4672 explorti.exe
- PID 2844 04831a37bf.exe
- PID 5920 explorti.exe
- PID 5356 HCGCAAKJDH.exe
- PID 5876 explorti.exe
- PID 6360 explorti.exe
Identifies Wine through registry keys: 2 TTPs, 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- HCGCAAKJDH.exe: Key opened \REGISTRY\USER\S-1-5-21-1269406178-695547799-712080471-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-1269406178-695547799-712080471-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-1269406178-695547799-712080471-1000\Software\Wine
- 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe: Key opened \REGISTRY\USER\S-1-5-21-1269406178-695547799-712080471-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-1269406178-695547799-712080471-1000\Software\Wine
- explorti.exe: Key opened \REGISTRY\USER\S-1-5-21-1269406178-695547799-712080471-1000\Software\Wine
Loads dropped DLL: 2 IoCs
Processes:
- PID 2844 04831a37bf.exe
- PID 2844 04831a37bf.exe
Reads data files stored by FTP clients: 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers: 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting: 2 TTPs
Checks installed software on the system: 1 TTP
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger: 8 IoCs
Processes:
- PID 2528 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe
- PID 4672 explorti.exe
- PID 2844 04831a37bf.exe
- PID 2844 04831a37bf.exe
- PID 5920 explorti.exe
- PID 5356 HCGCAAKJDH.exe
- PID 5876 explorti.exe
- PID 6360 explorti.exe
Drops file in Windows directory: 1 IoC
Processes:
- 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe: File created C:\Windows\Tasks\explorti.job
Enumerates physical storage devices: 1 TTP
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry: 2 TTPs, 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
- 04831a37bf.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- 04831a37bf.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- firefox.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- firefox.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
Enumerates system info in registry: 2 TTPs, 6 IoCs
Processes:
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies registry class: 1 IoC
Processes:
- firefox.exe: Key created \REGISTRY\USER\S-1-5-21-1269406178-695547799-712080471-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses: 32 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary: 10 IoCs
Processes:
- PID 4896 chrome.exe
- PID 4896 chrome.exe
- PID 2836 msedge.exe
- PID 2836 msedge.exe
- PID 4896 chrome.exe
- PID 2836 msedge.exe
- PID 2836 msedge.exe
- PID 2836 msedge.exe
- PID 2836 msedge.exe
- PID 2836 msedge.exe
Suspicious use of AdjustPrivilegeToken: 64 IoCs
Suspicious use of FindShellTrayWindow: 56 IoCs
Suspicious use of SendNotifyMessage: 27 IoCs
Suspicious use of SetWindowsHookEx: 3 IoCs
Processes:
- PID 2844 04831a37bf.exe
- PID 1200 firefox.exe
- PID 6108 cmd.exe
Suspicious use of WriteProcessMemory: 64 IoCs
Uses Task Scheduler COM API: 1 TTP
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe (depth 1, PID 2528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (depth 2, PID 4672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1000006001\04831a37bf.exe (depth 3, PID 2844)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\04831a37bf.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 5476)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCGCAAKJDH.exe"
        - C:\Users\Admin\AppData\Local\Temp\HCGCAAKJDH.exe (depth 5, PID 5356)
          Command line: "C:\Users\Admin\AppData\Local\Temp\HCGCAAKJDH.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 6108)
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGDGHCBGDH.exe"
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4716)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\48daab9f6a.cmd" "
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 4, PID 4896)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 1040)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9765dab58,0x7ff9765dab68,0x7ff9765dab78
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 2792)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1820,i,9996127189842747136,5038451710593419755,131072 /prefetch:2
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 2824)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1820,i,9996127189842747136,5038451710593419755,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 2476)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1820,i,9996127189842747136,5038451710593419755,131072 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 3940)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1820,i,9996127189842747136,5038451710593419755,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 3236)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1820,i,9996127189842747136,5038451710593419755,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 5228)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1820,i,9996127189842747136,5038451710593419755,131072 /prefetch:1
        - C:\Program Files\Google\Chrome\Application\chrome.exe (depth 5, PID 5348)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1820,i,9996127189842747136,5038451710593419755,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4, PID 2836)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 4932)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff975ed3cb8,0x7ff975ed3cc8,0x7ff975ed3cd8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 2064)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 3428)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 3080)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 2560)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 4836)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 5892)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 6368)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 6376)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 6572)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (depth 5, PID 6784)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 6848)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 6856)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5, PID 2044)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,7983966863581069645,6768850570533737398,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5044 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
- Suspicious use of WriteProcessMemory
PID: 2560

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1200

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1200.0.1199407674\969351373" -parentBuildID 20230214051806 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {097e7715-cd65-4ad0-9856-5af698782770} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" 1784 202c980ce58 gpu
PID: 2104

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1200.1.2092929033\1230440486" -parentBuildID 20230214051806 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd1488a7-111d-49f1-8ff6-ad7e0e05c9ca} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" 2372 202bcb86258 socket
PID: 4036

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1200.2.1801557497\1777026923" -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22867288-14f9-4e7a-b640-e05c34523f24} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" 3300 202c8793c58 tab
PID: 5480

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1200.3.140552901\1802248005" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3728 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4018625c-9d69-4eed-85d5-63156fbdbff5} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" 3016 202cf337458 tab
PID: 5720

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1200.4.1877403024\2054361909" -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 4764 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6ff1b9-411a-4e1f-817f-348d4f222e85} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" 5228 202d1931f58 tab
PID: 832

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1200.5.44109622\1603212003" -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5372 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c992c8-0fb5-4ac5-8a20-e6b4c3fd60f6} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" 5368 202d19b6258 tab
PID: 5916

C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1200.6.1507196096\80454450" -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5644 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 928 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59c3536c-7e0e-44e7-9341-367bad5939ab} 1200 "\\.\pipe\gecko-crash-server-pipe.1200" 5572 202d19b6558 tab
PID: 5912
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (tree depth 1)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 832

C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2352

C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5216

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5920

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 5876

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe (tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6360

These are three separate top-level launches (tree depth 1, not children of the sample process) of the dropped explorti.exe from its install directory, each showing the same VirtualBox, BIOS, Wine and debugger checks.
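The process list above records three behaviours worth alerting on outside a sandbox: a dropped executable running from a short hex-named folder under %LOCALAPPDATA%\Temp, the VirtualBox ACPI table key being opened, and a browser started on an account URL from inside the sample's tree. The following Python is an added example (not Triage's code and not part of this report) of detection logic over Sysmon-style process-creation and registry events. The events are constructed from the entries above; the parent images, the BIOS and Wine key paths, and the 8 to 12 character width of the install folder are assumptions, since the page names the behaviours but not those details.

```python
"""Detection logic for the behaviours this report records for the sample.

Added example for this page; it is not Triage's code and not part of the
report. SAMPLE_EVENTS is constructed in a Sysmon-like shape (process
creation, registry key open) from the process list above. Parent images
are assumptions: the page does not show them.
"""
import re
from typing import Dict, Iterable, List

# Amadey's install_dir on this page is a 10-character lowercase-hex folder
# under %LOCALAPPDATA%\Temp; the 8-12 width range is an assumption so that
# builds with a different folder-name length still match.
DROPPED_TEMP_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{8,12}\\[A-Za-z0-9_]+\.exe$", re.IGNORECASE)

# Registry locations probed for sandbox/VM fingerprinting. The VBOX__ ACPI
# table key is the one this report shows; the BIOS and Wine keys are the
# conventional ones behind the "Checks BIOS information" and "Identifies
# Wine" signatures and are assumptions (the page names the behaviour only).
ANTI_ANALYSIS_KEYS = (
    re.compile(r"^HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", re.IGNORECASE),
    re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS", re.IGNORECASE),
    re.compile(r"\\SOFTWARE\\WINE(\\|$)", re.IGNORECASE),
)

BROWSERS = {"firefox.exe", "msedge.exe", "chrome.exe"}
# Parents from which a browser opening a URL is ordinary desktop behaviour.
BENIGN_BROWSER_PARENTS = BROWSERS | {"explorer.exe", "cmd.exe", "powershell.exe"}
URL_ARG = re.compile(r"https?://\S+", re.IGNORECASE)

# Kernel-native hive prefixes (as Sysmon/ETW report them) mapped to the
# HKLM/HKU form the rules are written in.
_NATIVE_HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize_key(key: str) -> str:
    """Upper-case a registry path and rewrite \\REGISTRY\\MACHINE to HKLM etc."""
    k = key.upper()
    for native, hive in _NATIVE_HIVES:
        if k.startswith(native):
            return hive + k[len(native):]
    return k


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one hit per rule match, naming the rule and the pid involved."""
    hits = []
    for ev in events:
        kind, pid = ev.get("event"), ev.get("pid")
        if kind == "process_create":
            image = ev.get("image", "")
            if DROPPED_TEMP_EXE.search(image):
                hits.append({"rule": "dropped_exe_from_temp", "pid": pid, "image": image})
            parent = _basename(ev.get("parent_image", ""))
            if (_basename(image) in BROWSERS
                    and URL_ARG.search(ev.get("cmdline", ""))
                    and parent not in BENIGN_BROWSER_PARENTS):
                hits.append({"rule": "browser_url_from_unusual_parent", "pid": pid, "parent": parent})
        elif kind == "registry_open":
            key = normalize_key(ev.get("key", ""))
            if any(p.search(key) for p in ANTI_ANALYSIS_KEYS):
                hits.append({"rule": "anti_analysis_registry_probe", "pid": pid, "key": key})
    return hits


# Constructed events modelled on the process list above (not captured logs).
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 5920,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
     "parent_image": ""},                                   # parent not shown on the page
    {"event": "registry_open", "pid": 5920,
     "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"event": "process_create", "pid": 2560,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"},  # assumed
    {"event": "process_create", "pid": 1200,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account',
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},  # browser re-launching itself
    {"event": "process_create", "pid": 2352,
     "image": r"C:\Windows\System32\CompPkgSrv.exe",
     "cmdline": r"C:\Windows\System32\CompPkgSrv.exe -Embedding",
     "parent_image": r"C:\Windows\System32\svchost.exe"},  # assumed
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run against SAMPLE_EVENTS this fires once for each of the three rules; the second firefox.exe (PID 1200, re-launched by the first) is deliberately not flagged, because a browser spawning itself is the normal multi-process start-up seen in the tree above. The key normalisation matters in practice: Sysmon Event ID 12/13 and ETW record the `\REGISTRY\MACHINE\...` form, while most published rules are written with `HKLM`.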
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 36KB
MD5 103d7813f0ccc7445b4b9a4b34fc74bf
SHA1 ed862e8ebd885acde6115c340e59e50e74e3633b
SHA256 0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b
SHA512 0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f
-
Filesize 216B
MD5 49cbf4d92d288f2fb94771774166e25a
SHA1 f026abae9e77ccb7e51e517b3522f7d703a05c77
SHA256 1df20123d5c6026db0d102c551b61691b887beb145fe350d8aac54dd68672dd8
SHA512 9f20129db5f3b23db74f6838dd7f5b21bf54700d3ae59fee984e2514212847c95f375bdcd20b6b6694038b53098d42ea4a801061df15c15b604bd01f819aea30
-
Filesize 2KB
MD5 b8897e3b30388c001d82307571ae8b40
SHA1 4761f2e4a2fc887b8d83a51fa8e6ce4295ca1918
SHA256 ffc47de67ac719b6a988a7d34942321dd3824555ad4e1c276c968cdc2f526571
SHA512 f5b0f49122a63c94914ab7d4b85c4cba10ec805308f9eb5d80db216a50fd8f34e7cfe0909bce270eb83012bf4fb1b3bf232c0ec1b0db12babb92f3ef0111cdc0
-
Filesize 2B (these are the digests of the two-byte string "[]", an empty JSON array)
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 524B
MD5 e91b64092e2936dd520d74c32a04d092
SHA1 e255ba0a93ee2bbdffc6c889fd2c44bbc598a8ff
SHA256 89f731254c7a165b966b0cdea388c64c0778f7ef763b89479579f81d5318f27e
SHA512 ff5b8b9abe078debc76f9a6828eef886375e48edb5f050fec08b60225bffdb2a5f1d90bfe3e5be695f9c55e4770203cd20fedee7b8d5798de75f1688d513401f
-
Filesize 7KB
MD5 10423fc473da8c79e7b8f7a1d1b32d6a
SHA1 5a36e2eb01b47caf0e4f7d045e7b285466fe45d7
SHA256 8cf145bf55ade8f54aab20fa3a68a91c628d8836a95d3e6089908d85e436a699
SHA512 00757e0fff6c7cc7becb6ee1fc1c45a5e7e519219d505581496db21ad3e41b0a3432b5004ddab6cd31b57ed6f06522ebffab7cdbf40469c56b7e88375c717dce
-
Filesize 144KB
MD5 d51f6b4cca2e95ecee8e52217c8a04fb
SHA1 d829de46e23a09c9dced494c9d1d4f84819bf09e
SHA256 48d25d0e450265309eb5b68bed0ada90380da5de8f1b1cb25564301dc571510d
SHA512 d2fbe789cfb9e97c0e005f1d7986770971137f4b2276f13733bbeb655359f216ce22731d8b3f62208b55aa403180d43e52f9a60cf722b2b8ff1b1e91ec71a9bf
-
Filesize 152B
MD5 d0a8f40f33118468a476a3de89083e38
SHA1 aa8dce444361f4af1889d2c628ff16845b429501
SHA256 1bf43edd437565d5914b98fdecc2b5b87f65aa2b272a23be802a1624e46ae0c2
SHA512 3cbf521f39d37eef33eac879ac7022ab366f3ec34c13347b948f079a4710a2032a639a8203b650230b8ee30a42b18613b12f2c20cd882465c8c7d0cb0af0b7ca
-
Filesize 152B
MD5 fc7dd47bb1bf2506cc2f018a6ba14d27
SHA1 cbb6a67d6082103dc39f9209a2076c6a3ee4cc6a
SHA256 60abb485eb3be1c2ac30d945bc7cdf0a2facf37fee8b975494961ee4b5eb8919
SHA512 263e8899b26f06bfbbd18653ef65049458928fb5d44ce943200e2e9e5b370903e3d1d9a493fd52030c48f6a8837985999f4e13fac18dcf5f9f773c1803b2426e
-
Filesize 67KB
MD5 51c3c3d00a4a5a9d730c04c615f2639b
SHA1 3b92cce727fc1fb03e982eb611935218c821948f
SHA256 cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
SHA512 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542
-
Filesize 33KB
MD5 1c0c8433626cac08202f23a1dae54325
SHA1 3a5700eeeacd9f9d6b17c2707f75f29308658cd3
SHA256 7aad4c7a174a145a4f9f11506145b521631ee2cb1ca2f7617b900ba515b31cd3
SHA512 da693d1d63c9971cb80792063f0e8d3335edb67ee1dcde4040d0dc8f44398f99d9f683eaab8cf44ebf5cdb78eae6672d43fd9ed9b45a526a80a311d8c77bcc8c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 216B
MD5 ccd6b13c03e1eacb844e2271ad571dc2
SHA1 e9b2257927852a5fac51ea82631b8b7dd3114ee8
SHA256 657fa8cc67f25423f7c273934be05031182e7552b67c3624b99b2687ade8cf14
SHA512 bfae2d7fe690feb7ce45a22588bcb3e77bf660ad4c6a3b8c3cdfa48f42e99200f166de23e120100571e237d0b973ac6255b1422cdae3ae6dd358526c2971588b
-
Filesize 1KB
MD5 aea2fdcaa38c539f1633f1db567d2af9
SHA1 c7f56975dc129b527d83b7b65edd77085ce91e3c
SHA256 2fa4af52da47726eaf6b1c063df78f35f29bfab92a6973d7d83e09e669e0d21f
SHA512 fe54efe143ca714914d121a84b30a92c50520fa1c6f519235c01f37daab31965282c5c337dd0aa2310115b29bfcf904d49ac1f2c6382195c5546a8fd9e3817ee
-
Filesize 5KB
MD5 6afb8c3e82a6f2bf95b9532f06c33d87
SHA1 fb9b90a2ef44b6e1312b8118a60e43249e56b08a
SHA256 f5752a1232cacd7a3baac0eb0aadfb5a023e3e58c32e78f9a3e3b1de4ffffd56
SHA512 cbf0bc8cda607b1ce6bd4c39ec68b4ecd32018e3b7223c36c1452206b4200df82e5f9062776b8a8fd8d873e9d09acbc9fc01409d5f03dd553dbcd0a4c428da1c
-
Filesize 6KB
MD5 64456b0f65e9aabc1ef7abb11c1d9007
SHA1 77a70a8be93b791e63e4624034337026da60108a
SHA256 5ab1d398bd3fd847ac6ec59176c3273f5140affe06c7c24a4c3ed4112e4f3cb7
SHA512 fa6652293d6ec45c9162c5d0510f681b41f4372810f68ab556a7a6ad35b21dc3eba0af51ec855f278fbaf073e54e3bddde78ca0ef183dee1334c8c5a82ab643a
-
Filesize 6KB
MD5 8e7bec90b0e39d60ef351ef383f35947
SHA1 81d697afaf0ae7ba729b39e841357f55cf7a8527
SHA256 61cb9fca96fd7c08c7b7be790219ecd3e297c831e097b3331db13d905ec580e6
SHA512 f19dafa824c8010217b8dd28d3174826c308f5f7fedbf0b9fdf95fa910fa538170c541810b761f86da1273363a04dd19611de6c4bbb3765c3e84cf8b3fd3cfe6
-
Filesize 372B
MD5 4066b17dcfdd7ee7456bc5dfd8a8601e
SHA1 206cdfc15cb88dce9ee1df9d064320246402d844
SHA256 f77f4a07c684be6ed785a6796b35de71228e7b00f18383a5d59915fd1c465a7b
SHA512 c12ca57d4694555b6df9adb94746cc06d349e664fe3942f0fbc63a555a6339318974e6c83a1c93254bfe04ac210417f7adbac00ca477dc2d8a276524b0adfcce
-
Filesize 204B
MD5 595e4945d26e72d2b59ec2054e06d1c3
SHA1 0cfd7acb0470e4a000608b4e4ee8b6b954a28812
SHA256 fd2721236334e7e7203ca43e9089cf1574df4f2af00116be7a4656b571faba26
SHA512 728f02c1a2744fc3d1cf0cc04da6e75f866c5cea220ab3f41ba035597639469de5b7ee45d195d23ec6f7d3d197852aa99b59f71f4821f2cb630e6744cd10fe3e
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 11KB
MD5 938f1aeed80feb5f371909d0230c1162
SHA1 225dda2c8f41f1e7f0cd5e312c813f93b19d1fbc
SHA256 f49a680ae9ccecd9453eb7fd62303443fe7cd09bdd5b3513896989e40e7569b6
SHA512 bc62b0c4cfca3f56ca615ab0a19e6c01213034c8a0f3b546fee0856b7b02c8a8fb4fcb0418ca94384cdf1008cdf87d72c723652141259903d6b9a732d7dd85f9
-
Filesize 11KB
MD5 63549da1b250248888086a9e4899383b
SHA1 404daaa6a0895aa591d4243857ba629c97362540
SHA256 564c6f1a0405549c60653d36c4517da5d9f2ca2aec54ecc89ac5b59e6ff97fe1
SHA512 daa3f9109ad5224e7aa120e1d2cc6d252bf103915ee58b4ff63c72e398daae6eec451957ec46006e0caddff443aac1236648d13f7d55293f878460872f62fd9b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\347a66gz.default-release\activity-stream.discovery_stream.json.tmp
Filesize 31KB
MD5 cb931677f2c0aa10a75386ac990e8cda
SHA1 73a0cce165a5e24352a4ceda41bf56dc020e721b
SHA256 f07af69399c74e5abf409888a7df892b139a24ed628f01b1f9e03cb7410e9450
SHA512 4191d454ecb2ec91676da25defe04801ad91ce6cbfc2deaa98635a84efcdbd535a7d9bcb94e8ac2ae5f728fe09324bddc19ee68d74bb108e562d90308c81334d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\347a66gz.default-release\activity-stream.discovery_stream.json.tmp
Filesize 31KB
MD5 fbc1c33aa2019740dc5979d91bfb6c8c
SHA1 81b05861c71b205f72f585112cc65f6cf37a54e5
SHA256 377c0f9da63d6e58ab896d895a9c3386127259c12e209846ff0268dbd2c7cca2
SHA512 66ae59bc48512401ee313cde9af9842edd8bc75c617214d6ad9467ea22cd3e0a5074fc83091bc3a16ed52be98349795ab8ed590717d1462918fbc609d77df8a3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\347a66gz.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize 13KB
MD5 01df9236af8d9dad2c4a5c5c5db12d68
SHA1 30984bc05eaf74a2e551df320e9c9851a68553ed
SHA256 6ad05723fd802ec73ef548d86f188b6e8754ab1ece813a1036a1ba6701bef868
SHA512 1ac7906c63601ccc998b1ddf6748c74076be331cea066a6d7df31a1e5e4ed1875180b3bdbbf18b94c7ccca283327aa2db0d363c7097f293a23551097b56170e5
-
Filesize 2.4MB
MD5 510ef6656d676509abf2ff0e28ecda55
SHA1 0f61ea4fff3a4160ee5eadbec3ee35506c98b10f
SHA256 42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215
SHA512 08870978ef501a7dfe0a1f0042a5373ce70f50308f6929d1940434a27fdc61ec230ac0df4d80299ab82ec05ef6263a3bc40ebf82b17d32074f5ca6000764ba0a
-
Filesize 2KB
MD5 c1b73be75c9a5348a3e36e9ec2993f58
SHA1 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
SHA256 a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
SHA512 fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3
-
Filesize 1.8MB
MD5 8929afa1a3457a891a9465298af056b7
SHA1 681f6f803d56189f8d1c432171d5e423955512a7
SHA256 11ea15fadb25b1d7ce680f38c7e0f3e58e4a5e42409ce8b6ea9bcd2c03e08a8a
SHA512 460f9f93b9ff1b434ad6560cca6d25f7e96a16696313dde1f6a0faeae3e1b6f1771adc994b106c58760dd8ca7325ea22e50e33f76075c3879099a8750799a6dd
-
Filesize 442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize 8.0MB
MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize 192KB
MD5 508a7ec63edae3d8214f9039faa0606e
SHA1 2d160885fe0ee30ec74687f208ad744ac8dd9106
SHA256 553a72b7ac8bf82065b087a5e67301d87ac57bca88d3cde091cfcea15184e696
SHA512 51cc8c576cb7755fd9b957c808c36d33dc506d43c845677ca8f2cadeb80ecc6d4c6374b3aba65ac311ede9e5f5e7532552b7e61bc4c8859927e10ae4d8314b64
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize 992KB
MD5 d932afe0e84c913050790be1149858b6
SHA1 8ab44360218666ea086960106a5ed14249a826ef
SHA256 9909485349b84a15dd02f18a3816991c6eff3e7dc51d74650bb2ac7861057f56
SHA512 2dd3dc3145de4bc2f21b4754d0ea0b3ace8807f6a2ba676daa7fb4c7f2b3aae2062a5de6b7be9de62e1ef262e134fe967b7663cc579a3f702ff7ea792e758a0c
-
Filesize 8KB
MD5 6a94648eac4d98fad40bd51e40192ea0
SHA1 678095447b3bd8aa488bc3704d8fe097334e5a1a
SHA256 129b9edcfffda3104b342f9cff20408649fc3b8c24a1828f6ded18d9753dd99b
SHA512 797e1b3f83a74bf4a40b51b33bdd7ca1a4d533431c4b10ce9b887f53eb767d42baed07eb4bbdcda80b84bdcc3843a72c082b59598080161a4ce7d0873937abaf
-
Filesize 6KB
MD5 03fbe5040da75ca90271bab2e0db1886
SHA1 936f03b6fc726f2a959e5803a7a761c148caf6f9
SHA256 40087c6fe9fe56e28fa343588c0fa6cdfddbe97cc4b253cb23d6be8da6aefe44
SHA512 823231d4861d23b8730bae0655c9e12185b7dc49c119c106cfdf372a1a2375caa3db13f228537cb181e2354c9aef0e77f56b847eb0d863a43b1615ab513f0d71
-
Filesize 7KB
MD5 50ef4d4b8a05edb446ea712146962ddc
SHA1 f35c1bced0a864a106e22f3b5cd9ea724f6c5a0d
SHA256 65c7870b23d2a564a5b9378163dbc88a73cae25df5e55cf35a352b441745c91e
SHA512 d6cac3c65d1c1cf5cd6dce56e731ee54c74302c8f9552479a40675b49339c472713c71b7f2a7bf4cd11be464193ba569c99dd1b326de4fbc2553543ed7463c65
-
Filesize 6KB
MD5 e3437b437753d354f2de99594bcde502
SHA1 7c6dee4d7c641c4c142b523bfd58fdce2ad4c31e
SHA256 a51e24d828b9e172db70d289054c1bed1a3df9ab965cc8ddbeb5c6b00730498e
SHA512 6541bf7472eec66e64afc1d5b1bb581f93dec5482adf0ee23f9bb1e706d028a11c102778881517762e90cdb91a9440da26916db8292191c361003b6f11d97cbe
-
Filesize 6KB
MD5 dc5c888a81df7b057214d9d08d4a0c5b
SHA1 58e48160bc76e1a1a38a20bf41c4c72fbe009a96
SHA256 6ef2270ded92215d894c27406bed3b347d5452d3638084023ef587b37e243f4d
SHA512 2e2606eb8c00ab38a220a02b826d16c3ab4c457094fa6d3d8654b44f469ef73486586a55706aea5ee7c19405faeaf86c237f62b898b98baa55f45e3467d83903
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\347a66gz.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 e9f0bd8d7adb52bf6e2f565eaf564a98
SHA1 5e0daaa587646323152e3cd9d70e6b902fd0b004
SHA256 a8e062e769dd56390a49802f57be3fd3495a1a6af7e9f431f98f68b8b0d87bbc
SHA512 2e6f7fc30b85b71d9b2b4b1cf6f1007567a1186759b6acf3c9f42764030763167c51230c54480c4e69e0cdc1b0e92884bdc1c05d4432a522c3d4f4ec148d3efb
-
Filesize not captured (these are the well-known digests of a zero-byte file)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
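The listing above, whether in the fused form the report page emits ("MD5c8fd…", "Filesize216B", a value on the line after its label) or with a space after each label, is awkward to turn into an IOC set by hand. The Python below is an added example (not Triage's code and not part of this report) of a parser for this layout that validates each digest's length, then hashes file contents and matches them against the strongest digest recorded for each entry. SAMPLE_LISTING is a constructed excerpt of three entries copied from this page; the only values not on the page are the empty-byte-string digests, which hashlib recomputes.

```python
"""Parse the per-file hash listing of a Triage-style sandbox report and match
file contents against it.

Added example for this page; not Triage's code. SAMPLE_LISTING is a
constructed excerpt in both layouts seen on the page: label and value fused
("MD5c8fd...", "Filesize216B"), and label, space, value, with the value
sometimes on the following line.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Hex length for each algorithm; a digest of the wrong length is rejected,
# which catches truncated or mis-copied lines.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
_SIZE_RE = re.compile(r"^Filesize\s*(\S.*)?$")
_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Digest of zero-length input: an entry carrying it is an empty file.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


@dataclass
class Entry:
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def is_empty_file(self) -> bool:
        return self.hashes.get("SHA256") == EMPTY_SHA256


def _store(entry: Entry, label: str, value: str, raw: str) -> None:
    if label == "Filesize":
        entry.size = value
        return
    value = value.lower()
    if len(value) != DIGEST_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"{label} digest is malformed on line {raw!r}")
    entry.hashes[label] = value


def parse_listing(text: str) -> List[Entry]:
    """Split the listing at its '-' bullets and collect path, size and digests."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    pending: Optional[str] = None      # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                # bullet: a new entry begins
            cur = Entry()
            entries.append(cur)
            pending = None
            continue
        if cur is None:
            cur = Entry()
            entries.append(cur)
        if pending:
            _store(cur, pending, line, raw)
            pending = None
            continue
        if line in DIGEST_LEN or line == "Filesize":
            pending = line
            continue
        m = _SIZE_RE.match(line)
        if m:
            cur.size = m.group(1).strip()
            continue
        m = _HASH_RE.match(line)
        if m:
            _store(cur, m.group(1), m.group(2), raw)
            continue
        if _PATH_RE.match(line):
            cur.path = line
        # anything else (section headings) is ignored
    return [e for e in entries if e.hashes]


def digests(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in DIGEST_LEN}


def match_bytes(data: bytes, entries: Iterable[Entry]) -> List[Entry]:
    """Entries whose strongest recorded digest equals that of `data`."""
    own = digests(data)
    hits = []
    for e in entries:
        for algo in ("SHA512", "SHA256", "SHA1", "MD5"):
            if algo in e.hashes:
                if e.hashes[algo] == own[algo]:
                    hits.append(e)
                break
    return hits


def match_files(paths: Iterable[str], entries: List[Entry]) -> Dict[str, List[Entry]]:
    found: Dict[str, List[Entry]] = {}
    for p in paths:
        with open(p, "rb") as fh:
            hits = match_bytes(fh.read(), entries)
        if hits:
            found[p] = hits
    return found


# Constructed excerpt: three entries copied from the listing above.
SAMPLE_LISTING = r"""Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD5 ccd6b13c03e1eacb844e2271ad571dc2
SHA1 e9b2257927852a5fac51ea82631b8b7dd3114ee8
SHA256 657fa8cc67f25423f7c273934be05031182e7552b67c3624b99b2687ade8cf14
SHA512 bfae2d7fe690feb7ce45a22588bcb3e77bf660ad4c6a3b8c3cdfa48f42e99200f166de23e120100571e237d0b973ac6255b1422cdae3ae6dd358526c2971588b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        print(entry.size, entry.path, entry.hashes["SHA256"], "EMPTY" if entry.is_empty_file else "")
```

Pass the whole Downloads text to parse_listing and a directory walk to match_files to sweep a host for the dropped files. Matching deliberately uses the strongest digest an entry carries and falls back to MD5 only when nothing stronger was recorded, and flagging the zero-byte entry avoids raising an alert on every empty file on the system.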