Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 06:27
Static task: static1
Behavioral task: behavioral1
Sample: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe
Resource: win10v2004-20240730-en
Behavioral task: behavioral2
Sample: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe
Resource: win11-20240730-en
General
Target: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe
Size: 1.8MB
MD5: 315c411d1c4b516df9aead3d0880d016
SHA1: 01f5dfd8e6b9a28528e4b0106cf9898c4794bac4
SHA256: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28
SHA512: 7d1b4bbba8fe34a879f99ef4749b29a4717d5af89110783771029c2f05961ed50f81f95df04b83618f9848f2f8e094a829f7e3759d963652177ba2b322263d56
SSDEEP: 49152:SpZzsin7qH9R7BKbhY73LHdvFCoJdu2K:SpZoiu9R7BKb4XOR
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet ID: 0657d1
C2: http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
Family: amadey
Version: 4.41
Botnet ID: fed3aa
C2: http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
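The two extracted configs are enough to pivot from this sandbox run to detection: each one fixes a C2 host, a beacon path, an install directory and an install file name. The following Python is an added example, not part of the sandbox report and not the malware's own code. It derives the check-in URL, the on-disk copy and the Tasks .job file that each config predicts (the path shapes follow what this report recorded for the sample: Temp\<install_dir>\<install_file> and C:\Windows\Tasks\<stem>.job) and matches them against a constructed proxy log and against file paths. The log format, the client IPs and the wildcarded user name are assumptions for illustration.

```python
"""Turn the two Amadey configs extracted above into concrete host and network
IoCs and match them against telemetry. Added example, not part of the sandbox
report; the proxy-log format, the client IPs and the wildcarded user name are
constructed/assumed for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlparse


@dataclass(frozen=True)
class AmadeyConfig:
    version: str
    botnet: str
    c2: str
    install_dir: str
    install_file: str
    url_path: str


# Values copied from the "Malware Config" section of the report.
CONFIGS = (
    AmadeyConfig("4.41", "0657d1", "http://185.215.113.19",
                 "0d8f5eb8a7", "explorti.exe", "/Vi9leo/index.php"),
    AmadeyConfig("4.41", "fed3aa", "http://185.215.113.16",
                 "44111dbc49", "axplong.exe", "/Jo89Ku7d/index.php"),
)


def derive_iocs(cfg: AmadeyConfig) -> dict:
    """Predict the artefacts one config produces on disk and on the wire.

    Path shapes follow what the report recorded for this sample:
    %LOCALAPPDATA%\\Temp\\<install_dir>\\<install_file> for the copy and
    C:\\Windows\\Tasks\\<stem>.job for the scheduled-task file. The user name
    is wildcarded (assumption: it differs per host).
    """
    stem = cfg.install_file.rsplit(".", 1)[0]
    return {
        "botnet": cfg.botnet,
        "c2_host": urlparse(cfg.c2).hostname,
        "c2_url": cfg.c2.rstrip("/") + cfg.url_path,
        "install_path": rf"C:\Users\*\AppData\Local\Temp\{cfg.install_dir}\{cfg.install_file}",
        "job_file": rf"C:\Windows\Tasks\{stem}.job",
    }


IOCS = [derive_iocs(c) for c in CONFIGS]


def match_url(url: str):
    """(botnet, is_checkin) if the URL targets a known C2 host, else None.

    is_checkin is True only for the exact index.php beacon path; any other
    request to the C2 host is still a hit, just a less specific one.
    """
    host = urlparse(url).hostname
    for ioc in IOCS:
        if host == ioc["c2_host"]:
            return ioc["botnet"], url.split("?", 1)[0] == ioc["c2_url"]
    return None


def match_path(path: str):
    """(botnet, kind) if the path matches a predicted install or .job file, else None."""
    lowered = path.lower()  # NTFS is case-insensitive; compare lower-cased on any OS
    for ioc in IOCS:
        for kind in ("install_path", "job_file"):
            if fnmatch(lowered, ioc[kind].lower()):
                return ioc["botnet"], kind
    return None


# Constructed proxy log (not from the report): timestamp client method url status.
# The last line is a made-up non-beacon request to the C2 host.
SAMPLE_PROXY_LOG = """\
2024-07-31T06:28:01Z 10.0.0.5 POST http://185.215.113.19/Vi9leo/index.php 200
2024-07-31T06:28:02Z 10.0.0.5 GET https://www.youtube.com/account 200
2024-07-31T06:28:09Z 10.0.0.7 POST http://185.215.113.16/Jo89Ku7d/index.php 200
2024-07-31T06:28:15Z 10.0.0.5 GET http://185.215.113.19/Vi9leo/other.bin 404
"""


def scan_proxy_log(log: str) -> list:
    """Return (client, botnet, is_checkin) for every line that reaches a C2 host."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the scan
        hit = match_url(fields[3])
        if hit:
            hits.append((fields[1], hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for ioc in IOCS:
        print(ioc)
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(match_path(r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"))
```

Host-level matching is deliberately case-insensitive and wildcards the profile name, because the install directory name is fixed by the config while the user name is not; URL matching distinguishes the exact beacon from other traffic to the same host so an analyst can tell a check-in from a follow-on download.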
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe, 79621f3790.exe, axplong.exe ×4, explorti.exe ×4
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe, 79621f3790.exe, axplong.exe ×4, explorti.exe ×4
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe, 79621f3790.exe, axplong.exe ×4, explorti.exe ×4
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Control Panel\International\Geo\Nation: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe, explorti.exe, 000e8df3a7.exe, 79621f3790.exe
Executes dropped EXE 11 IoCs
Processes:
PID 1580 explorti.exe
PID 4044 000e8df3a7.exe
PID 5288 e1bdee8355.exe
PID 5776 79621f3790.exe
PID 6192 axplong.exe
PID 6772 axplong.exe
PID 6788 explorti.exe
PID 6824 axplong.exe
PID 2608 explorti.exe
PID 7068 explorti.exe
PID 4940 axplong.exe
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
Key opened \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Wine: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe, 79621f3790.exe, axplong.exe ×4, explorti.exe ×4
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000e8df3a7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\000e8df3a7.exe" (explorti.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1bdee8355.exe = "C:\\Users\\Admin\\1000029002\\e1bdee8355.exe" (explorti.exe)
Drops file in System32 directory 2 IoCs
Processes:
File created \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF (chrome.exe)
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF (chrome.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
Processes:
PID 3176 c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe
PID 1580 explorti.exe
PID 5288 e1bdee8355.exe
PID 5776 79621f3790.exe
PID 6192 axplong.exe
PID 6772 axplong.exe
PID 6788 explorti.exe
PID 6824 axplong.exe
PID 2608 explorti.exe
PID 4940 axplong.exe
PID 7068 explorti.exe
Drops file in Windows directory 2 IoCs
Processes:
File created C:\Windows\Tasks\explorti.job (c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe)
File created C:\Windows\Tasks\axplong.job (79621f3790.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe (PID 5520) handled the crash of e1bdee8355.exe (PID 5288)
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe, explorti.exe, 000e8df3a7.exe, e1bdee8355.exe, 79621f3790.exe, axplong.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe) ×2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe) ×2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS: msedge.exe, chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer: msedge.exe, chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName: msedge.exe, chrome.exe
Modifies registry class 1 IoCs
Processes:
Key created \REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
PID 3176 c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe ×2
PID 1580 explorti.exe ×2
PID 2216 msedge.exe ×2
PID 2752 msedge.exe ×2
PID 2832 chrome.exe ×2
PID 5776 79621f3790.exe ×2
PID 6192 axplong.exe ×2
PID 6772 axplong.exe ×2
PID 6788 explorti.exe ×2
PID 6824 axplong.exe ×2
PID 2608 explorti.exe ×2
PID 7144 chrome.exe ×4
PID 4804 msedge.exe ×4
PID 4940 axplong.exe ×2
PID 7068 explorti.exe ×2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
PID 2752 msedge.exe ×3
PID 2832 chrome.exe ×2
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Token: SeDebugPrivilege, PID 4300 firefox.exe ×2
Token: SeShutdownPrivilege, PID 2832 chrome.exe, alternating with Token: SeCreatePagefilePrivilege, PID 2832 chrome.exe, for the remainder of the 64 listed entries
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
PID 3176 c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe, followed by interleaved runs of PID 2752 msedge.exe, PID 4300 firefox.exe and PID 2832 chrome.exe (64 entries listed)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Interleaved runs of PID 2752 msedge.exe, PID 4300 firefox.exe and PID 2832 chrome.exe (64 entries listed)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
PID 4300 firefox.exe
PID 5288 e1bdee8355.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
PID 3176 c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe wrote to memory of PID 1580 explorti.exe ×3
PID 1580 explorti.exe wrote to memory of PID 4044 000e8df3a7.exe ×3
PID 4044 000e8df3a7.exe wrote to memory of PID 2844 cmd.exe ×2
PID 2844 cmd.exe wrote to memory of PID 2832 chrome.exe ×2
PID 2844 cmd.exe wrote to memory of PID 2752 msedge.exe ×2
PID 2844 cmd.exe wrote to memory of PID 2296 firefox.exe ×2
PID 2832 chrome.exe wrote to memory of PID 3096 chrome.exe ×2
PID 2752 msedge.exe wrote to memory of PID 4232 msedge.exe ×2
PID 2296 firefox.exe wrote to memory of PID 4300 firefox.exe ×11
PID 4300 firefox.exe wrote to memory of PID 3392 firefox.exe ×35
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
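Taken one at a time, the registry signatures above are noisy: the report itself shows firefox.exe and chrome.exe reading CPU and BIOS keys for legitimate reasons. What separates the sample and its dropped copies is the combination per process (VirtualBox ACPI key plus BIOS version strings plus Software\Wine, the Geo\Nation plus NLS\Language pair), together with the persistence it writes (Run values pointing into the user profile, .job files in C:\Windows\Tasks). The following Python is an added example, not the sandbox vendor's rule logic and not part of the report: it replays a constructed, Sysmon-style event list (the observations the report lists for PIDs 3176 and 1580, plus benign browser queries) and emits one finding per pattern. The event schema (pid, image, action, target, data) and the helper names are assumptions.

```python
"""Behavioural detection over registry and file telemetry for the evasion and
persistence patterns listed under "Signatures" above. Added example, not part
of the report or the sandbox vendor's rules. The event schema (pid, image,
action, target, data) is an assumed flattening of Sysmon-style registry/file
events; SAMPLE_EVENTS reproduces observations from the report plus constructed
benign noise."""
import re
from collections import defaultdict

# Registry paths the report's anti-analysis and geofence signatures key on.
EVASION_KEYS = [
    ("virtualbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
    ("bios_version", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine", re.compile(r"\\Software\\Wine$", re.I)),
    ("geo_nation", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("nls_language", re.compile(r"\\Control\\NLS\\Language$", re.I)),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_PROFILE = re.compile(r"^C:\\Users\\[^\\]+\\", re.I)        # anything under a user profile
TASKS_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)


def analyse(events):
    """Return {pid: {"image": ..., "findings": [...]}} for PIDs with at least one finding."""
    touched = defaultdict(set)      # pid -> evasion labels seen
    images = {}
    findings = defaultdict(list)
    for event in events:
        pid, target = event["pid"], event["target"]
        images[pid] = event["image"]
        if event["action"] in ("reg_open", "reg_query"):
            for label, rx in EVASION_KEYS:
                if rx.search(target):
                    touched[pid].add(label)
        elif event["action"] == "reg_set" and RUN_KEY.search(target):
            data = event.get("data", "").strip('"')
            name = target.rsplit("\\", 1)[-1]
            # Run values pointing into a user-writable profile dir are the pattern in the report
            if USER_PROFILE.match(data):
                findings[pid].append(f"run_key_persistence:{name}->{data}")
        elif event["action"] == "file_create" and TASKS_JOB.match(target):
            findings[pid].append(f"tasks_job_dropped:{target}")
    for pid, labels in touched.items():
        evasion = labels & {"virtualbox_acpi", "bios_version", "wine"}
        if len(evasion) >= 2:       # one key alone is noisy; the cluster is the signal
            findings[pid].append("sandbox_evasion_cluster:" + ",".join(sorted(evasion)))
        if {"geo_nation", "nls_language"} <= labels:
            findings[pid].append("geofence_checks")
    return {pid: {"image": images[pid], "findings": sorted(f)} for pid, f in findings.items()}


SAMPLE_IMAGE = "c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000"


def make_event(pid, image, action, target, data=None):
    """Build one assumed-schema event dict (constructed helper, not a Sysmon API)."""
    event = {"pid": pid, "image": image, "action": action, "target": target}
    if data is not None:
        event["data"] = data
    return event


SAMPLE_EVENTS = [
    # PID 3176, the submitted sample: registry touches and the .job drop the report lists
    make_event(3176, SAMPLE_IMAGE, "reg_open", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    make_event(3176, SAMPLE_IMAGE, "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    make_event(3176, SAMPLE_IMAGE, "reg_open", USER_HIVE + r"\Software\Wine"),
    make_event(3176, SAMPLE_IMAGE, "reg_query", USER_HIVE + r"\Control Panel\International\Geo\Nation"),
    make_event(3176, SAMPLE_IMAGE, "reg_open", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    make_event(3176, SAMPLE_IMAGE, "file_create", r"C:\Windows\Tasks\explorti.job"),
    # PID 1580 explorti.exe: evasion checks plus the two Run-key entries
    make_event(1580, "explorti.exe", "reg_open", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    make_event(1580, "explorti.exe", "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    make_event(1580, "explorti.exe", "reg_set",
               USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\000e8df3a7.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\1000020001\000e8df3a7.exe"'),
    make_event(1580, "explorti.exe", "reg_set",
               USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1bdee8355.exe",
               r'"C:\Users\Admin\1000029002\e1bdee8355.exe"'),
    # Benign noise: the browsers' hardware queries from the report must not fire
    make_event(2832, "chrome.exe", "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    make_event(4300, "firefox.exe", "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"),
]


if __name__ == "__main__":
    for pid, info in analyse(SAMPLE_EVENTS).items():
        print(pid, info["image"], *info["findings"], sep="\n  ")
```

The cluster threshold (two of the three anti-VM keys) is what keeps chrome.exe and firefox.exe quiet: they read BIOS manufacturer and CPU keys, which are different paths, and never touch the VirtualBox ACPI table or Software\Wine. Thresholds and the user-profile rule are tuning points, not fixed facts from the report.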
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3176
[depth 2] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1580
[depth 3] C:\Users\Admin\AppData\Local\Temp\1000020001\000e8df3a7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\000e8df3a7.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4044
[depth 4] C:\Windows\system32\cmd.exe
Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.tmp\94B0.bat C:\Users\Admin\AppData\Local\Temp\1000020001\000e8df3a7.exe"
- Suspicious use of WriteProcessMemory
PID: 2844
[depth 5] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2832
[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe4,0x110,0x7ff9de4acc40,0x7ff9de4acc4c,0x7ff9de4acc58
PID: 3096
[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,5111545092435053062,17168723246816221982,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1912 /prefetch:2
PID: 3296
[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,5111545092435053062,17168723246816221982,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2404 /prefetch:3
PID: 3908
[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,5111545092435053062,17168723246816221982,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2416 /prefetch:8
PID: 1584
[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,5111545092435053062,17168723246816221982,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3196 /prefetch:1
PID: 5160
[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,5111545092435053062,17168723246816221982,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3220 /prefetch:1
PID: 5172
[depth 6] C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=844,i,5111545092435053062,17168723246816221982,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4628 /prefetch:8
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 7144
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2752
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9de3646f8,0x7ff9de364708,0x7ff9de364718
PID: 4232
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10922246636206174699,10285874768940626983,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
PID: 2992
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10922246636206174699,10285874768940626983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 2216
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10922246636206174699,10285874768940626983,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
PID: 976
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10922246636206174699,10285874768940626983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
PID: 3236
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10922246636206174699,10285874768940626983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
PID: 1412
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10922246636206174699,10285874768940626983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
PID: 5888
[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10922246636206174699,10285874768940626983,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1460 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 4804
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {098328b6-9098-473f-905d-33e59787acf6} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" gpu7⤵PID:3392
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b777feba-8eac-4130-ac50-bcf14a441a18} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" socket7⤵PID:4188
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3056 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a24bec2-39cc-4e64-ab97-f6828de6174c} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" tab7⤵PID:4248
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3256 -prefMapHandle 2932 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad393689-5512-4cc5-8850-53f29d380d92} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" tab7⤵PID:4724
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4264 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4252 -prefMapHandle 4152 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbac08f9-a6a9-4ba1-86f0-9347ed58a207} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" utility7⤵
- Checks processor information in registry
PID:5760 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5312 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9292ae15-9379-4c96-8efc-321e7b0e49a9} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" tab7⤵PID:4520
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ab6f04d-b3cc-4d71-a539-d8c3fb0bec13} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" tab7⤵PID:4980
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dc6cd7-6846-41a6-9cd9-c87568c7ba81} 4300 "\\.\pipe\gecko-crash-server-pipe.4300" tab7⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"3⤵PID:5700
-
C:\Users\Admin\1000029002\e1bdee8355.exe"C:\Users\Admin\1000029002\e1bdee8355.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 12844⤵
- Program crash
PID:5520 -
C:\Users\Admin\AppData\Local\Temp\1000030001\79621f3790.exe"C:\Users\Admin\AppData\Local\Temp\1000030001\79621f3790.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5776 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6192
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2912
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6140
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:5636
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5288 -ip 52881⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6772
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6788
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2608
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6824
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exeC:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7068
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4940
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 2.5MB
MD5: 82a67973712487c52e18c518c276725f
SHA1: 50912df955d605d4627ebf7b0a646d43bc0392e3
SHA256: 448b790b8681758f804617a226a995ebd9377d16b1d82d90b210bb82ef93ff7a
SHA512: e00c403c49c116f93d20c10d53e4ccfaac3f3966280da32f6f997de4c87cf6952afbd8d162aed34ecf180db481a2cd2958690a8c0eb4644dcf12dd196f354754
-
Filesize: 264B
MD5: 56154792de9366652091c67a642d997b
SHA1: 2c7191e4d11ea78b078e358a237defea7e2d3719
SHA256: af1c76b3c0e251753a392de31eeed34ba940fa5eb710e0cde23449d2f59beb10
SHA512: 79ad3511586c3a247b32c49d6825e3d17f4cc55d22efa5e7adcd3af533b4bba4e0503f45a90c81f04f6254df3550950a2ad99ca53ce6035e44f8b9810abe81f4
-
Filesize: 3KB
MD5: 1647f214f72fabc9261f132cf6c97b1b
SHA1: d657b3d02999dc9653106ec5a619187013a5ef5f
SHA256: 6b703bfdf521c495d3a1fc3239c73b75a6594aa2b794739c0d63ecef60ba01f1
SHA512: 590659a309df6c2e625aed8f7ce181dbb9cbb239f01c00dd0c994ec86698d0c09bba196923baf5e13c00a0a6b5258120be7277ab35209c045cef45008a884979
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 356B
MD5: aa2e94308f2fecb40ed91f3961c37d3f
SHA1: c03173610f7b4f45fe105add046e6226bc971a24
SHA256: 75f1203f323021666007bfbee78106be04a8006e0ecabba96892e1c80ee8b764
SHA512: 803dce3aaf4e3a6eb12f6281fe1651ff775e4498cf28763ea0c541d3c3ae796bc31387fb084aab1a344fddc01de0e8a4f153d5cfaa35940b3e17653d23c10117
-
Filesize: 8KB
MD5: 3b4daef951e7be81ed039aa58bade81b
SHA1: 0d2bf12786a6ea9dcc476eb1d746e3a3bbcb5668
SHA256: b7e7240da52ed6a5a28230bee4e52308b42000ecfe80cdc6c5b7f3b8183452a2
SHA512: 8abbf48e428332363cc9681d8af42915606f0815d88d57aa75c9b32e98a1451e58a9cdca2a73c0aa2d565fda435da1078b4225cc11267ad9fc57ff36eea04e93
-
Filesize: 8KB
MD5: f0e7e16ba1ccaa8431a91e1df55a922a
SHA1: 6a10e581abb7c3fc68b8fed7f3bff9e5bc077390
SHA256: 91480d65fe0e4cbf6fd6c53fb0306014bf796942219f34b41974bf71a6a81ea8
SHA512: dacc3c11dbd052f06c58d70c38880888cdc44ddfe46028033744ac36153e3ba8915ea6d85218403311b116d443c9fc4e0ae37874ebfacea8962f3db85592a588
-
Filesize: 8KB
MD5: 996a923c74dd96e6c44375ecf2575f22
SHA1: f7e3afd7a38d9e8adf1cc8f52068d894b1c7f630
SHA256: 8917594fdaba9f1f978084c1d36fc6c7c1c5ee365feafcec86f68f1b7e27e9f6
SHA512: 4978f67da16fc2fbea8e987f055d250a79da54075bee625349b0a9ccb90f5528bd53355bb5c5d61335ae8fd2f2b06fc70cbeaf2020ed02e78eac08eac50460e8
-
Filesize: 8KB
MD5: ed6484d88d80b0ea86a7b83aa2250c2c
SHA1: 6efae3bf6b4fef22795e0e908cc1c8f70e35de19
SHA256: 90a2126f3f6c95b6b23a6b422dfb3b98ff408b250669fbada89052e4f1c3eabb
SHA512: 4c3cedd59ccd937a43ba754dfa276c0b23f2f5024eb316f1a23033f168b3ae15c4d76f068a2af87c7b49bd8f1e280b1537b65c9d04afaf8b4e4024eb2196a64c
-
Filesize: 8KB
MD5: 125dcdd36a7928f8380a598e7cbda1cc
SHA1: e3bf6e39f91b2dbec80453aa7c160b5e268f7d10
SHA256: 8cb45e4b432dd04d14fe3fe00b8e5962c13652e743731a8d06575bd9fb723f3b
SHA512: 14212e20801e207a7a18e10f0c008b2f6f9e7a409feee655de30c25c5687ee8b418978d3669d057875b87253c8b430aae891d93b5b8e88260f87e90be4d8c02a
-
Filesize: 8KB
MD5: 91430222f685c802cd5d7c0ff2dd9789
SHA1: 4c5de648c99209035a9a785a3ff368603ef18c55
SHA256: 65b535a5e69829a1b3c4c5576c763a62053351bcd205e246d77ffdb10deada3d
SHA512: 430c96d7ad4325d07254b661a584747f2e188be3b96949b9b760cc1a72cd04bbb9c49ee872d5aca7d5f2d7347f95a5456c387528b07e97db0b25efa57dfe6720
-
Filesize: 8KB
MD5: dca02b95974a0eea409b3c357b023e72
SHA1: c0717cd37a197bcc4df35d9c1c04d03ddabcd8df
SHA256: 9adafdbc5bc9ace33bd5cc0a6d87ebc1f59c68943c7642d22172e322fb469f56
SHA512: 61157978b0d42d009db645d103312b6c71b2c838a77ec826979436021fffaff06222b42bf5e193caca97ab979be46a28564ebf4f6a072ea96b7288405e5d7678
-
Filesize: 8KB
MD5: bc224cdfe9ca1b23697a4f9cf203c10d
SHA1: 21aa04859ad117738c5a55ae33b8e33e09747017
SHA256: f30e90b68a89369a6443d5af4151db3f58afb5e0a03bbf2868d059ce53e22b06
SHA512: 6c830ea436cf351b5f9aa04bed38531de33ada866facefca4cb40224c1bbe17b2b519e0ca8b13d9800140daec601f5b240ccec5c95ff720c76d4af0d6982f3f5
-
Filesize: 8KB
MD5: c1cc7dd6b8c9d5b37115d235b1565f42
SHA1: c1dd5f8ced21b0c48401367b71bfee49145d1223
SHA256: 4447c2b7728bd2a6bbab6c417d706ef97d82ff0840ee7e2f69bd87489a11cb95
SHA512: dc53ce0a7846a004b387abf192ee397ab9de976cd55e961c8356941b4be84fc119cff08d3b689759dedb4078a129e33c0ec3ded323da192b6757b77279b05b2b
-
Filesize: 197KB
MD5: 223af6cb4c98f7d175a86d4df3fc5cac
SHA1: 8eeb603c52557d48f0ecf689ea40f1c0fecf2d5f
SHA256: c10e826487ed323fb82b502f9128146a2c043cfdf205b49082df964d232051b7
SHA512: 2eb45849d41bfee7e3368b38c8c3f01ad130a784eb73c14036b46849865bc4764ea1b803e0baad1ef67abf12f1790a6fbc54925b17a206deb7b74569cfd4cb5b
-
Filesize: 197KB
MD5: c5f1922b02e73c873e61f4659edffff9
SHA1: 24b5867afeb1eed461c4f81a872dda0516993b85
SHA256: 4e03bfb48abbcca58ddc9f577e331f158375cd54860a3405ee188c625738c813
SHA512: 6fa9b13dc4a67c314af8a36b29cc84f0238715d15307117daba59955f37dbaa9200816fb05458920ae88440ff96f3066a5fedefca73a8bdd8eb274463e8d937a
-
Filesize: 152B
MD5: 94c981336abc388ca817dab46e7fc547
SHA1: 2d0f8d89a31adb0aad5c599a195ff40ecf4b161f
SHA256: 4d44efbb5447fedc3cb21311290fe6a9d0e5a0e682387a1a341bd214df820ef2
SHA512: f1c9c98f6642ea3b90c8667a4871d5a3b8c05eb0c50d5dc31e32704e0eeca1d33add414df485aced130523d6be824c48e37d0022b4d58db60006efe3e337fdbc
-
Filesize: 152B
MD5: b55d2d2ff2a4d5d7eeaff5ebb96f3b4a
SHA1: 12d94b9e84142b10d6347a2ff3b634a20f692c7a
SHA256: 3d249eae36cfc3837b043e4b8df670724fee5657b302c77d488f1da3d835f776
SHA512: 4dc2fe1eeaca5f9c91d548c70a44ffd12b806a385e22a3c5f724b6f749a15c9ccb3ac1a752c63225bd4d1d90f2b25d8004a15d3912ca6a3cb92fcba91248626f
-
Filesize: 38KB
MD5: 8ad98b9733d7cb5dba046cb0622b8623
SHA1: ac19b48fcd3bd8d632b9c8b654fe6349d2eba513
SHA256: d1a0b50df2150a0ac812bbdbb3a61f4f85dc9c226ec918464bf6d51e4a6ccc2d
SHA512: 65f7befc24a499d72b07ceef592e49ba3c7b8a55a5c4b651e7fdaad61418bd8167b1950faef7c275bea997dde94b25461f1fd5000985d7a19f38cc75907a37e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 240B
MD5: a7efaba56f942c4088b89708fd7b7aba
SHA1: 2c79a1b9396e792eabd320631754b76593bacee2
SHA256: ab05593282ab87d7a9d36e40d4a4e0129bdfbdef4401a968a694916767c79a4a
SHA512: bbe0dce37036743487fa8fde4fa77c0050da838bff457bf40eec8698de2757a0f980ef11d50a33e91dc01b69c3743b5050c24e6caf33c8bf8256d71da824fc4f
-
Filesize: 1KB
MD5: e74242504bcb3721aa02ee8c90ceaa72
SHA1: d6bf616e1de15cce1d979125971e7b6e1fd957b3
SHA256: 915feed4e4015fb64f3a7ac089a2a704af5c671b12ba0687e78d0c44179f571e
SHA512: 4ac3ea8a13e90e7f5d16eb641ee243abfc62b34d123c3df1af316618194ef96c7346922338e057837b213cb8ce84a7ceffc599f529b5f1f07965f58c0caf8c54
-
Filesize: 6KB
MD5: ffa313511c38e091365876c146618cf7
SHA1: 7e04b1f8c69b5680be2261737ae42bf959816aa8
SHA256: df3beacd02f1944c6fd1b48661586bd9ae13ff7926e4fb5b8fad9075da5a0fa4
SHA512: 1f0ac42f98dec1a02c8a43743c21e36539f7e9c5faa9e6ad12545c1e000e3a8c0764f2678d5aab3ba74231c02a909976de793de948d5ea92bca53a8086091a9f
-
Filesize: 6KB
MD5: 4e89790f67658fe2a32df3da54cd0cdb
SHA1: 92725cd784d50329eb086c3f2fabe44bc20ab006
SHA256: 7e18ee18e73f99ee297e6f06b27bac741bebb2a44d9772a8662865cea32c2506
SHA512: 328c7324fdbbf934c4fff047cf0581fd5d24d923ac56b881f48e5ff92ea03b49360c2eea2310b66411c54120e9d7674078b310f96738799aeefe91a65ab16d1e
-
Filesize: 10KB
MD5: c8b5f3e29dc9179ef9e016c584ff62cb
SHA1: b7eedf0452aafdbadddc401f6445215e2f6cc009
SHA256: 61fe85f65749b5f1cbb98c95a3ce658470f2752afceda7b27b7eefaaa313cc69
SHA512: 12bc375164b6a42602a1fe1876e88abc90d83a4eea4c3553e89fdf5a36d8be68fcc382aaa1cfb3ab0e0a5a3487c2a1dd1928cfdc4eb4c7976b4c248fa9930ae6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\23yzs2h6.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 22KB
MD5: 091bee77dd4dd902ba9d82700f057471
SHA1: 49e4f52adeee2738d3c56b2f7818d84600e78e7b
SHA256: 4a40fdc99266eedc4bede2c27301c88244a975184dc69faf9c45ceb651175c1f
SHA512: 1fc87114de8a709c5f8c19beeee409474a006df3f9da14c9b0cce1d65da404d1cbf1bc2d2a0d00ec71fc23f6f5735a6951ac33d4e17b2089e176d68f7dde7f90
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\23yzs2h6.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D
Filesize: 13KB
MD5: f7f90c737963b82f4ee72075952fe90f
SHA1: 5cbcdf73e7c9e03e3bb796d5e1c3ae432e8cf0a2
SHA256: 8c19fdfae3f2dc2688cce7d904fcccdf06eabf9c61e3caf977a2803f49db603b
SHA512: 63273dab0e54d5beab7ce1decbd240f7f18315234e173a7152e9cd3a0f15d1062ede01049e6bdd56ce9d4bf0423aa19c33bb2237e630232912fa266b9f767772
-
Filesize: 1.8MB
MD5: 315c411d1c4b516df9aead3d0880d016
SHA1: 01f5dfd8e6b9a28528e4b0106cf9898c4794bac4
SHA256: c6d326bbc90f6093783753cd0b1253599da2e685e39ece331b04fd73450eea28
SHA512: 7d1b4bbba8fe34a879f99ef4749b29a4717d5af89110783771029c2f05961ed50f81f95df04b83618f9848f2f8e094a829f7e3759d963652177ba2b322263d56
-
Filesize: 89KB
MD5: 162df2ad410933832d7016d5e213edc8
SHA1: 6bd5e2db70dac611d87ecac403c72ca66800890a
SHA256: 6926099d47358b3729226b09fe1ad79e1c41588804e2642b286ad5393e02e1cd
SHA512: 77583ccea4de3d306c4e8ebaec67ae2569aae0da63d87e692d2d1f3f326dfa8b6f49297bf97d62bb09ba8bdeebe3835adbb26765e580b9a83d11ec68a0270cbe
-
Filesize: 1.8MB
MD5: 6d9d932ae6f9643f08fd2461247684dc
SHA1: b5a6bf4e80e97109f62ea6b7358c29e0f405dffb
SHA256: 3535c4993590cafe9b57f30b6c61f9320aff5025321e645eda50226b60e75a32
SHA512: e8be9a4be0f14eaaf95102f7b815b1ca2066e0a0b119055d9035f3b9641f233490f808e5804422d7d12695e8653ba6e366470988e2dbf576ee4d1bd0ecde4709
-
Filesize: 2KB
MD5: de9423d9c334ba3dba7dc874aa7dbc28
SHA1: bf38b137b8d780b3d6d62aee03c9d3f73770d638
SHA256: a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
SHA512: 63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401
-
Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\AlternateServices.bin
Filesize: 8KB
MD5: f93c5dc0b7c9704ae3021d4f3a2ea760
SHA1: f95e7ba9f767391c13af37faaab155733bbdf12a
SHA256: fcb5b494956d6053792283dc026511240c5bdfe76e3b82e37729605bcddf535b
SHA512: 37ea959e48c79f3b5d4bcdee2cee48fc75550859e579d945ed0f73cdd9a17aeaf75e1737d4505aaed87d3e1c1aadfd4beb92c99fc17b13aaabcab78735bb3fc8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\AlternateServices.bin
Filesize: 11KB
MD5: b0249afb4081dd6410fdd7fef4477cf9
SHA1: 23e9239e0ad5b0df5f53d98a3bea2d1b58574b28
SHA256: 59764f9370af5821dacfea9b749de3c370802738dedeac27491a63fafd3db9d0
SHA512: b0bac9a54ee34d7c1322bb3a2467f6b9f3187b57f4052a7031faecad30a557f0ecf6d79120b9c3f0a678c54301763cf2ae4c5c333ebf8a8691f413460af10aae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 15KB
MD5: 31696b8558106590cccb0ec55a37445a
SHA1: 0e0854479ec57a09cafa6d215ec19a43fa5208d2
SHA256: 9470e6c8de73d57d1dd8c9d3fa194f95fef042d89531178a3a9a0be8ec5d7268
SHA512: ae2c89d4e47c8c09fb2ada210759df2ab76702dc3e0d3d9bf05207660dd678e5813b6d09b3723513a45bafa5944a24b86c2b46a67daf7d6ce37ab098af3c512a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: 6366b9cff3219e4e3283768c36caa738
SHA1: 5100f5d913db589bde8d69d642d4e557d4b954e6
SHA256: 6102e97214da31625b2811becbe3768641fe50116c27c95f02c2638236d85f99
SHA512: 26b5b7f9d2c14dd6e333bb0c076aa03d05226497a59b1f74ed80134f4e7e018a6978acf40267516a5c9e5b63af28a3393455c45dbea09fc61aa966cad5a13209
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\pending_pings\06a07fa5-4f4b-446e-866c-7a10102e9b14
Filesize: 29KB
MD5: 3a81b47519d0d49918e10754be72faa3
SHA1: ce950463644b2548bf408e068a72c1a415111177
SHA256: 097b4b61a296fbde6abd4c5f20941ef5874191809cb75f4e2cacab4e69e4fe16
SHA512: 301a6b5f9ae79d0ebb85fe2c5f0cc8c5473f0d896362f1c32b6307c17908ae66e04cf62ab64b4234e3ed53585235a8ef7839384ea2ee54191b1533fb8e1cd4cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\pending_pings\0fd3eea4-2dcb-47a8-a296-71585b1be0ec
Filesize: 982B
MD5: 3069ccfe1f7bef46678fcadf8a4311dd
SHA1: a39761d7077e920568908663fd12f6a5a00d19cb
SHA256: fad29a841bbc09053ae44b0c651923b70c758e42344db3391e764852586396b0
SHA512: d40ae5a94213e8d59fcad56a3caa013a4888b075d5f322b7ddbde18847057dc36e0d1f05f5a81ceb032b73b950c19975500275e81ab3a284686fac2cda2274ea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\datareporting\glean\pending_pings\f0ea17f4-0933-407a-b762-250b6ca52749
Filesize: 671B
MD5: ebf2a37475d00cea50e5e1bb548be455
SHA1: 1529a98c79cf189f6273d3cf2a9f8f3e3eb7d58f
SHA256: 8c33abf1ff4c7b16517ea7ff53c4347acb2eb3ccfd54f47155247fd8fb7d070f
SHA512: bb71642d624080aa49f0e8abb809a3d6a42a8579fbaab4b04e1ca97abb545bd3f1ac05fe52aa9633d8caadee4cfce9d5b8217f1fc0cd203888a93c4bb65076ff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\23yzs2h6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize: 12KB
MD5: 809dd0d599a7a3ab850847f3cefe5e26
SHA1: de41e4e8382cdf11e7d0a7c0bc38297e4a27310d
SHA256: 5912d2454354f6de7a36f79108bcb0822fd8f9804856a1963aefc0bf1812f717
SHA512: a73b0221ee4e44fffd8c4a3a5fa6e05ec8b655e5f000524b954d6e443e943a9c82aabfa50aaeb1a06605ee7dc7736fb9b2d7a87013e73c089f995286b1e1b7b7
-
Filesize: 15KB
MD5: fee0e12bd012b82f0caf779663e27c42
SHA1: 4173e3d2accc4e0dc5c0020fc1461511e88ce914
SHA256: d5e027dc3fbbf972b0082bcbca428382ca9d0eda3dd5acc046614b98210f196c
SHA512: 576d974c2eb434003fbd070b9b675444ed6a83437f6511418fe7e35d37b00f20a65ef4e6c145a8357611c996c56122c5b741584e7d78a97363c3f853552c3efb
-
Filesize: 10KB
MD5: 6ffb10e824cef2a9e7083554f53f70e2
SHA1: a494ae9b68c8a93ceafe8e16c64902ecf80f2c7e
SHA256: 79c2df5485f9386472fa6885f01577ce43531367cbad2c271ebc7a827f51411c
SHA512: 9b63767ecc9bd52429e560d52c810a6a78ea4c2f57ae6551476888cbafea5f279f2b2e9ed5443a30ba0acb22b9dd62b82e265b02b155ba0b4429d7cfac639d92
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e