Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 00:12
Static task: static1
Behavioral task: behavioral1
Sample: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Resource: win10v2004-20240730-en
Behavioral task: behavioral2
Sample: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Resource: win11-20240730-en
General
Target: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Size: 1.8MB
MD5: b7578c50b713ab0f3de31c715e797f81
SHA1: 80617bae8006230a63894226663dddaa4222d53d
SHA256: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412
SHA512: d747f1f9ce2c47c82032ea16fed4038b015d507cbfc9d5df6569cf254032657f263ab498fbc9b9774339494d486b50fdbfe4c5cfb8b24de432c83bb8a17755f3
SSDEEP: 49152:ONXziFRXN7WWdJNAWuxfXXMaO/AgVTHLECfyFNnl4zpPyfxISC:ONX2b6WDNAWuxf5FgN9enloP/SC
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
Extracted
redline
exodusmarket.io
91.92.240.111:1334
Extracted
quasar
1.4.1
Office04
51.222.21.20:4782
374acc94-a8cd-45c6-bc31-752e0f83541d
encryption_key: 5B2A5F50FABB3F6748116D7077D95758D0DFFC77
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\adada.exe | family_quasar
behavioral1/memory/6524-1910-0x00000000003D0000-0x00000000006F4000-memory.dmp | family_quasar
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5296-565-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
-
SectopRAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5296-565-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
Processes: explorti.exe, 163804cad0.exe, axplong.exe, explorti.exe, axplong.exe, axplong.exe, explorti.exe, 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 163804cad0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: axplong.exe, 163804cad0.exe, explorti.exe, explorti.exe, axplong.exe, axplong.exe, explorti.exe, 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 163804cad0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 163804cad0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe, explorti.exe, 68e6782ad3.exe, 163804cad0.exe, axplong.exe, RegAsm.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | 68e6782ad3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | 163804cad0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | axplong.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | RegAsm.exe
-
Executes dropped EXE 13 IoCs
Processes: explorti.exe, 68e6782ad3.exe, f3c253d2b3.exe, 163804cad0.exe, axplong.exe, deepweb.exe, explorti.exe, axplong.exe, silverrr.exe, pureee.exe, adada.exe, explorti.exe, axplong.exe
pid | process
1524 | explorti.exe
2600 | 68e6782ad3.exe
5884 | f3c253d2b3.exe
4640 | 163804cad0.exe
3240 | axplong.exe
4224 | deepweb.exe
6772 | explorti.exe
6780 | axplong.exe
7016 | silverrr.exe
5132 | pureee.exe
6524 | adada.exe
4456 | explorti.exe
3532 | axplong.exe
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: axplong.exe, explorti.exe, axplong.exe, axplong.exe, explorti.exe, 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe, explorti.exe, 163804cad0.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Wine | 163804cad0.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorti.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68e6782ad3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\68e6782ad3.exe" | explorti.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3c253d2b3.exe = "C:\\Users\\Admin\\1000029002\\f3c253d2b3.exe" | explorti.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
Processes: chrome.exe
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe, explorti.exe, f3c253d2b3.exe, 163804cad0.exe, axplong.exe, axplong.exe, explorti.exe, explorti.exe, axplong.exe
pid | process
4756 | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
1524 | explorti.exe
5884 | f3c253d2b3.exe
4640 | 163804cad0.exe
3240 | axplong.exe
6780 | axplong.exe
6772 | explorti.exe
4456 | explorti.exe
3532 | axplong.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: deepweb.exe
description | pid | process | target process
PID 4224 set thread context of 5296 | 4224 | deepweb.exe | RegAsm.exe
-
Drops file in Windows directory 2 IoCs
Processes: 163804cad0.exe, 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
description | ioc | process
File created | C:\Windows\Tasks\axplong.job | 163804cad0.exe
File created | C:\Windows\Tasks\explorti.job | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
5448 | 5884 | WerFault.exe | f3c253d2b3.exe
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: f3c253d2b3.exe, 163804cad0.exe, axplong.exe, deepweb.exe, RegAsm.exe, 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe, explorti.exe, 68e6782ad3.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f3c253d2b3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 163804cad0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | deepweb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 68e6782ad3.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, firefox.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: msedge.exe, chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
Modifies registry class 1 IoCs
Processes: firefox.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000_Classes\Local Settings | firefox.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe, explorti.exe, msedge.exe, msedge.exe, chrome.exe, 163804cad0.exe, axplong.exe, RegAsm.exe, axplong.exe, explorti.exe, explorti.exe, axplong.exe, chrome.exe, msedge.exe
pid | process
4756 | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
4756 | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
1524 | explorti.exe
1524 | explorti.exe
2792 | msedge.exe
2792 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
4640 | 163804cad0.exe
4640 | 163804cad0.exe
3240 | axplong.exe
3240 | axplong.exe
5296 | RegAsm.exe
5296 | RegAsm.exe
5296 | RegAsm.exe
6780 | axplong.exe
6780 | axplong.exe
6772 | explorti.exe
6772 | explorti.exe
4456 | explorti.exe
4456 | explorti.exe
3532 | axplong.exe
3532 | axplong.exe
2888 | chrome.exe
2888 | chrome.exe
8188 | msedge.exe
8188 | msedge.exe
8188 | msedge.exe
8188 | msedge.exe
2888 | chrome.exe
2888 | chrome.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes: msedge.exe, chrome.exe
pid | process
2852 | msedge.exe
2852 | msedge.exe
3892 | chrome.exe
3892 | chrome.exe
2852 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe, firefox.exe, RegAsm.exe
description | pid | process
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeDebugPrivilege | 2804 | firefox.exe
Token: SeDebugPrivilege | 2804 | firefox.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeDebugPrivilege | 5296 | RegAsm.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
Token: SeCreatePagefilePrivilege | 3892 | chrome.exe
Token: SeShutdownPrivilege | 3892 | chrome.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe, firefox.exe, chrome.exe
pid | process
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: msedge.exe, firefox.exe, chrome.exe
pid | process
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
2804 | firefox.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
3892 | chrome.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: firefox.exe, f3c253d2b3.exe
pid | process
2804 | firefox.exe
5884 | f3c253d2b3.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe, explorti.exe, 68e6782ad3.exe, cmd.exe, chrome.exe, msedge.exe, firefox.exe, firefox.exe
description | pid | process | target process
PID 4756 wrote to memory of 1524 | 4756 | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe | explorti.exe
PID 4756 wrote to memory of 1524 | 4756 | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe | explorti.exe
PID 4756 wrote to memory of 1524 | 4756 | 11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe | explorti.exe
PID 1524 wrote to memory of 2600 | 1524 | explorti.exe | 68e6782ad3.exe
PID 1524 wrote to memory of 2600 | 1524 | explorti.exe | 68e6782ad3.exe
PID 1524 wrote to memory of 2600 | 1524 | explorti.exe | 68e6782ad3.exe
PID 2600 wrote to memory of 60 | 2600 | 68e6782ad3.exe | cmd.exe
PID 2600 wrote to memory of 60 | 2600 | 68e6782ad3.exe | cmd.exe
PID 60 wrote to memory of 3892 | 60 | cmd.exe | chrome.exe
PID 60 wrote to memory of 3892 | 60 | cmd.exe | chrome.exe
PID 60 wrote to memory of 2852 | 60 | cmd.exe | msedge.exe
PID 60 wrote to memory of 2852 | 60 | cmd.exe | msedge.exe
PID 60 wrote to memory of 1456 | 60 | cmd.exe | firefox.exe
PID 60 wrote to memory of 1456 | 60 | cmd.exe | firefox.exe
PID 3892 wrote to memory of 2140 | 3892 | chrome.exe | chrome.exe
PID 3892 wrote to memory of 2140 | 3892 | chrome.exe | chrome.exe
PID 2852 wrote to memory of 1080 | 2852 | msedge.exe | msedge.exe
PID 2852 wrote to memory of 1080 | 2852 | msedge.exe | msedge.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 1456 wrote to memory of 2804 | 1456 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
PID 2804 wrote to memory of 588 | 2804 | firefox.exe | firefox.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\11a012a9ea53a482539cf9a42ca1d67882785692ea96b046e1cb2b3e3f7eb412.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4756
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1524
-
Depth 3: C:\Users\Admin\AppData\Local\Temp\1000020001\68e6782ad3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\68e6782ad3.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2600
-
Depth 4: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B1CB.tmp\B1CC.tmp\B1CD.bat C:\Users\Admin\AppData\Local\Temp\1000020001\68e6782ad3.exe"
- Suspicious use of WriteProcessMemory
PID: 60
-
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3892
-
Depth 6: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc1618cc40,0x7ffc1618cc4c,0x7ffc1618cc58
PID: 2140
-
Depth 6: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,3677833631298529975,11792718041942399033,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1924 /prefetch:2
PID: 1708
-
Depth 6: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,3677833631298529975,11792718041942399033,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2192 /prefetch:3
PID: 2668
-
Depth 6: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,3677833631298529975,11792718041942399033,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2460 /prefetch:8
PID: 4588
-
Depth 6: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,3677833631298529975,11792718041942399033,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3136 /prefetch:1
PID: 1828
-
Depth 6: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,3677833631298529975,11792718041942399033,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3184 /prefetch:1
PID: 5876
-
Depth 6: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4632,i,3677833631298529975,11792718041942399033,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4372 /prefetch:8
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2888
-
Depth 5: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2852
-
Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc160446f8,0x7ffc16044708,0x7ffc16044718
PID: 1080
-
Depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2288,2996978076331287385,7558648772184205723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 /prefetch:2
PID: 4368
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2288,2996978076331287385,7558648772184205723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2288,2996978076331287385,7558648772184205723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:86⤵PID:116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,2996978076331287385,7558648772184205723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:16⤵PID:3860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,2996978076331287385,7558648772184205723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:16⤵PID:1600
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,2996978076331287385,7558648772184205723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:16⤵PID:5252
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2288,2996978076331287385,7558648772184205723,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4636 /prefetch:26⤵
- Suspicious behavior: EnumeratesProcesses
PID:8188 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5⤵
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9543a6b0-e767-416f-ad86-8265f765a65c} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" gpu7⤵PID:588
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b45c428-b4a8-4895-8f77-4fee214afb80} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" socket7⤵PID:4556
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3076 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b71ed17-c52a-4d96-99e8-3f044895aba4} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab7⤵PID:4832
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 3116 -prefMapHandle 3228 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca928c96-1ee7-4137-a0f5-4bcda15eb83c} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab7⤵PID:4536
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4284 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4228 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a522ec77-0573-46cf-a21d-0362540bf5e6} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" utility7⤵
- Checks processor information in registry
PID:5840 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5460 -prefMapHandle 5468 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9680b762-a070-4604-9f0d-c6bd49c1235d} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab7⤵PID:5632
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 4288 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c401b7a5-4467-448e-95ac-8fb95dd90322} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab7⤵PID:5624
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5876 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea0f9d86-4291-44ff-b673-626d06f920fe} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab7⤵PID:5424
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"3⤵PID:5800
-
C:\Users\Admin\1000029002\f3c253d2b3.exe"C:\Users\Admin\1000029002\f3c253d2b3.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5884 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 13724⤵
- Program crash
PID:5448 -
C:\Users\Admin\AppData\Local\Temp\1000030001\163804cad0.exe"C:\Users\Admin\AppData\Local\Temp\1000030001\163804cad0.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4640
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5296 -
C:\Users\Admin\AppData\Local\Temp\silverrr.exe"C:\Users\Admin\AppData\Local\Temp\silverrr.exe"7⤵
- Executes dropped EXE
PID:7016 -
C:\Users\Admin\AppData\Local\Temp\pureee.exe"C:\Users\Admin\AppData\Local\Temp\pureee.exe"7⤵
- Executes dropped EXE
PID:5132 -
C:\Users\Admin\AppData\Local\Temp\adada.exe"C:\Users\Admin\AppData\Local\Temp\adada.exe"7⤵
- Executes dropped EXE
PID:6524 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
PID:8236
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1896
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5980
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:6048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5884 -ip 58841⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6772
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6780
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4456
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3532
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads