Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 01:48
Static task: static1
Behavioral task: behavioral1
Sample: 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Resource: win10v2004-20240730-en
General
Target: 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Size: 1.8MB
MD5: 5cc3a863d3a74972f71a6763c5eb3d71
SHA1: a0cf4d2ebc2435c9cf25916a0b6fa46588d321e8
SHA256: 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da
SHA512: f8773ce6145ec7732aca641da19c0a215db033f24f35d266ce4abae561657028fd80fd48923baac4237842b96c93bc2fec370843258aa60fd4a58117cc6d8ef7
SSDEEP: 49152:cHdxg8zFspdvwbY+XZ4t1dd021ePoAukIqdnItjb:cHdipdK4t136o4nIt
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: 0657d1
C2: http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted
Family: stealc
Botnet: default
C2: http://185.215.113.24
url_path: /e2b1563c6670f193.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | explorti.exe
Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | 8b99c69fe6.exe
Executes dropped EXE 5 IoCs
pid | Process
3092 | explorti.exe
4972 | 8b99c69fe6.exe
5552 | 7f8ac5f812.exe
6528 | explorti.exe
6568 | explorti.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Software\Wine | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Key opened | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Software\Wine | explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Software\Wine | explorti.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b99c69fe6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\8b99c69fe6.exe" | explorti.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7f8ac5f812.exe = "C:\\Users\\Admin\\1000029002\\7f8ac5f812.exe" | explorti.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
2076 | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
3092 | explorti.exe
6528 | explorti.exe
6568 | explorti.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
6792 | 5552 | WerFault.exe | 114
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7f8ac5f812.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorti.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8b99c69fe6.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process | rows
2076 | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe | 2
3092 | explorti.exe | 2
1092 | msedge.exe | 2
5100 | msedge.exe | 2
3268 | chrome.exe | 2
6528 | explorti.exe | 2
6568 | explorti.exe | 2
6256 | chrome.exe | 2
6848 | msedge.exe | 4
6256 | chrome.exe | 2
(identical consecutive rows collapsed; 22 rows in total)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process
5100 | msedge.exe
5100 | msedge.exe
5100 | msedge.exe
3268 | chrome.exe
3268 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | rows
Token: SeDebugPrivilege | 432 | firefox.exe | 2
Token: SeShutdownPrivilege | 3268 | chrome.exe | 31
Token: SeCreatePagefilePrivilege | 3268 | chrome.exe | 31
(identical rows collapsed; the two chrome.exe rows alternate in the original sequence; 64 rows in total)
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | rows
432 | firefox.exe | 4
5100 | msedge.exe | 17
432 | firefox.exe | 17
5100 | msedge.exe | 8
3268 | chrome.exe | 18
(identical consecutive rows collapsed; 64 rows in total)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process | rows
432 | firefox.exe | 4
5100 | msedge.exe | 16
432 | firefox.exe | 16
5100 | msedge.exe | 8
3268 | chrome.exe | 20
(identical consecutive rows collapsed; 64 rows in total)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
432 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
PID 2076 wrote to memory of 3092 | 2076 | 8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe | 86 | 3
PID 3092 wrote to memory of 4972 | 3092 | explorti.exe | 87 | 3
PID 4972 wrote to memory of 1512 | 4972 | 8b99c69fe6.exe | 88 | 2
PID 1512 wrote to memory of 3268 | 1512 | cmd.exe | 91 | 2
PID 1512 wrote to memory of 5100 | 1512 | cmd.exe | 92 | 2
PID 1512 wrote to memory of 1528 | 1512 | cmd.exe | 93 | 2
PID 3268 wrote to memory of 3720 | 3268 | chrome.exe | 94 | 2
PID 5100 wrote to memory of 5064 | 5100 | msedge.exe | 95 | 2
PID 1528 wrote to memory of 432 | 1528 | firefox.exe | 96 | 11
PID 432 wrote to memory of 1704 | 432 | firefox.exe | 97 | 35
(identical consecutive rows collapsed; 64 rows in total)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe"C:\Users\Admin\AppData\Local\Temp\8298e07859dd754ed841bf9ccf089d615c99781fddfe276384be906f2d12f8da.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\1000020001\8b99c69fe6.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\8b99c69fe6.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\856C.tmp\856D.tmp\856E.bat C:\Users\Admin\AppData\Local\Temp\1000020001\8b99c69fe6.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa6aaecc40,0x7ffa6aaecc4c,0x7ffa6aaecc586⤵PID:3720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,9150273258369317345,10086090819078213010,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2012 /prefetch:26⤵PID:5104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,9150273258369317345,10086090819078213010,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2104 /prefetch:36⤵PID:4164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,9150273258369317345,10086090819078213010,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2272 /prefetch:86⤵PID:3560
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,9150273258369317345,10086090819078213010,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3176 /prefetch:16⤵PID:5240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,9150273258369317345,10086090819078213010,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3196 /prefetch:16⤵PID:4520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4148,i,9150273258369317345,10086090819078213010,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=220 /prefetch:86⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:6256
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xa8,0x114,0x7ffa6a9a46f8,0x7ffa6a9a4708,0x7ffa6a9a47186⤵PID:5064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,78892141819639993,17704655137484058664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:26⤵PID:3564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,78892141819639993,17704655137484058664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,78892141819639993,17704655137484058664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:86⤵PID:1136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,78892141819639993,17704655137484058664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:16⤵PID:3848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,78892141819639993,17704655137484058664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:16⤵PID:4484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,78892141819639993,17704655137484058664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:16⤵PID:5828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,78892141819639993,17704655137484058664,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:26⤵
- Suspicious behavior: EnumeratesProcesses
PID:6848
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"5⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d15a6ac2-a7af-4b84-a09d-abd2552af85e} 432 "\\.\pipe\gecko-crash-server-pipe.432" gpu7⤵PID:1704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1ba0f14-e00d-437d-a704-5203bfbbe88a} 432 "\\.\pipe\gecko-crash-server-pipe.432" socket7⤵PID:2000
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 2896 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a61019-e920-454f-aa4c-bb9ad32acb7f} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab7⤵PID:4464
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3636 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77152ca2-9581-47c6-be98-4e3a7a3140d1} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab7⤵PID:5176
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be0bfff-acd3-44a8-9c6c-6a5261c665dd} 432 "\\.\pipe\gecko-crash-server-pipe.432" utility7⤵
- Checks processor information in registry
PID:5912
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5232 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {063f9550-4985-46ef-ac32-ae07f9d9289f} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab7⤵PID:5700
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5536 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc118c7d-3a9f-4de8-8bad-34011a4bfe74} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab7⤵PID:5660
-
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree level 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d38d94f-6db8-4878-9e89-a941905556d6} 432 "\\.\pipe\gecko-crash-server-pipe.432" tab
PID: 5688

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PID: 3036

C:\Users\Admin\1000029002\7f8ac5f812.exe (tree level 3)
Command line: "C:\Users\Admin\1000029002\7f8ac5f812.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 5552

C:\Windows\SysWOW64\WerFault.exe (tree level 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 1036
- Program crash
PID: 6792

C:\Windows\System32\CompPkgSrv.exe (tree level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2996

C:\Windows\System32\CompPkgSrv.exe (tree level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5356

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe (tree level 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
PID: 5484

C:\Windows\SysWOW64\WerFault.exe (tree level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5552 -ip 5552
PID: 6768

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6528

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (tree level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 6568
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads