Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08-07-2024 14:18

General

  • Target

    3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013.exe

  • Size

    2.4MB

  • MD5

    4090bcb4c36bf660e37c44041456c55d

  • SHA1

    b2c2363a5b69c1393b62b03bac15e9fc4557c715

  • SHA256

    3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013

  • SHA512

    0ce916ff673c9dedbfcdf3a5b29a8c0e46bfb87995c3fd0280a6660cbdcedc997ea974d5684c79edb726a5aca6e2631d63041d3d392d8f861d9a9a5b4e522182

  • SSDEEP

    49152:izS5HsWr2p7f3lDOErXH+W4BdeA2uViz9RRCyE9uDzW0C83M:izCtrwlDg3BJMGJ9u0aM

Malware Config

Extracted

Family

stealc

Botnet

Nice

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain
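The strings_key and rc4.plain fields above mean the config extractor recovered an RC4 key for the Amadey sample's encrypted string table. The following is an added example, not the extractor's or the malware's code: a plain RC4 routine keyed with the recovered value, used to decrypt a blob of strings. It assumes the 32-character key is applied as its literal ASCII bytes (an assumption; the report does not say whether the key is hex-decoded first), and the ciphertext is constructed here by encrypting the report's own C2 path and install names with the same routine, because the page does not include the sample's string table.

```python
"""RC4 string decryption with the key from this report's Amadey config.

Added example. Assumes the strings_key is used as raw ASCII bytes; the
ciphertext below is constructed (encrypted with this same routine).
"""

STRINGS_KEY = "a434973ad22def7137dbb5e059b7081e"  # strings_key from the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_strings(hex_blobs, key: str = STRINGS_KEY):
    """Decrypt hex-encoded RC4 blobs and return the recovered strings.

    A blob that does not decode to printable ASCII is returned as None, so a
    wrong key (or a non-string blob) is visible instead of silently yielding garbage.
    """
    key_bytes = key.encode("ascii")            # assumption: key used as literal ASCII
    results = []
    for hx in hex_blobs:
        plain = rc4(key_bytes, bytes.fromhex(hx))
        if plain and all(0x20 <= b < 0x7F for b in plain):
            results.append(plain.decode("ascii"))
        else:
            results.append(None)
    return results


def encrypt_strings(plaintexts, key: str = STRINGS_KEY):
    """Inverse of decrypt_strings; used only to build the constructed sample."""
    return [rc4(key.encode("ascii"), p.encode("ascii")).hex() for p in plaintexts]


# Constructed sample: the report's own indicators, RC4-encrypted with the
# recovered key so the round trip can be checked offline.
SAMPLE_BLOBS = encrypt_strings(["/Hun4Ko/index.php", "explorti.exe", "ad40971b6b"])

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, decrypt_strings(SAMPLE_BLOBS)):
        print(f"{blob}  ->  {text!r}")
```

When applying this to a real sample, the printable-ASCII guard is the check that tells you the key interpretation is wrong: if every blob comes back as None, try hex-decoding the key before use.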

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
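Several of the signatures above (VirtualBox ACPI tables, BIOS strings, Wine keys, processor name) are the sample reading registry artefacts that give a virtual machine or sandbox away. The following is an added example written from the defender's side, not code from the sample or from the sandbox: it re-implements those checks over a registry snapshot so a sandbox operator can see what this sample would have found. The registry paths and marker strings are assumptions drawn from the checks anti-VM code commonly performs; the report names only the categories, not the exact values it saw.

```python
"""Registry artefact check mirroring the anti-VM signatures in this report.

Added example. The key paths and marker strings are assumed (commonly probed
values), not taken from the sample. Snapshots for the demo are constructed.
"""
import sys
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Dict[str, str]]   # key path -> {value name: data}; {} = key exists

VM_MARKERS = ["vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs",
              "xen", "kvm", "hyper-v", "parallels"]

# (key, value name or None for "key exists", markers matched case-insensitively)
CHECKS: List[Tuple[str, Optional[str], List[str]]] = [
    (r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", None, []),                 # VirtualBox ACPI tables
    (r"HKLM\HARDWARE\ACPI\FADT\VBOX__", None, []),
    (r"HKLM\HARDWARE\ACPI\RSDT\VBOX__", None, []),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer", VM_MARKERS),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName", VM_MARKERS),
    (r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor", VM_MARKERS),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion", VM_MARKERS),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion", VM_MARKERS),
    (r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString",
     ["virtual", "qemu"]),
    (r"HKCU\Software\Wine", None, []),                            # Wine compatibility layer
    (r"HKLM\Software\Wine", None, []),
]


def assess(snapshot: Snapshot) -> List[str]:
    """Return one finding per check that a sample like this one would trip."""
    findings: List[str] = []
    for key, value, markers in CHECKS:
        values = snapshot.get(key)
        if values is None:
            continue                                   # key absent: nothing to see
        if value is None:
            findings.append(f"key exists: {key}")
            continue
        data = values.get(value)
        if data is None:
            continue
        hit = next((m for m in markers if m in data.lower()), None)
        if hit:
            findings.append(f"{key}\\{value} = {data!r} (matches {hit!r})")
    return findings


def looks_like_sandbox(snapshot: Snapshot) -> bool:
    return bool(assess(snapshot))


def live_snapshot() -> Snapshot:
    """Read only the keys in CHECKS from the running Windows host (empty elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for key, value, _ in CHECKS:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                entry = snap.setdefault(key, {})       # key exists even if value is missing
                if value is not None:
                    data, _type = winreg.QueryValueEx(h, value)
                    entry[value] = str(data)           # REG_MULTI_SZ comes back as a list
        except OSError:
            pass
    return snap


# Constructed snapshots: an unhardened VirtualBox guest and a physical laptop.
VIRTUALBOX_GUEST: Snapshot = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox",
        "BIOSVendor": "innotek GmbH"},
    r"HKLM\HARDWARE\DESCRIPTION\System": {"VideoBiosVersion": "Oracle VM VirtualBox Version 7.0.0"},
}
BARE_METAL: Snapshot = {
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "LENOVO", "SystemProductName": "20T1"},
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0": {"ProcessorNameString": "Intel(R) Core(TM) i7-10510U"},
}

if __name__ == "__main__":
    for name, snap in (("virtualbox", VIRTUALBOX_GUEST), ("bare metal", BARE_METAL), ("this host", live_snapshot())):
        print(name, "->", assess(snap) or "no artefacts")
```

Run it on the analysis VM itself: every finding it prints is a value the sample can read before it decides whether to unpack the next stage, which is why the dropped EXE in this report checks all of them before writing explorti.exe.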

Processes

  • C:\Users\Admin\AppData\Local\Temp\3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013.exe
    "C:\Users\Admin\AppData\Local\Temp\3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe
        "C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:5012
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Users\Admin\AppData\Local\Temp\1000006001\c5a68fa3db.exe
            "C:\Users\Admin\AppData\Local\Temp\1000006001\c5a68fa3db.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:1520
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\5141bb13fc.cmd" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4960
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2328
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffdb21bab58,0x7ffdb21bab68,0x7ffdb21bab78
                7⤵
                PID:1036
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=2332,i,13784495592477093680,8191285772852746292,131072 /prefetch:2
                7⤵
                PID:648
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2332,i,13784495592477093680,8191285772852746292,131072 /prefetch:8
                7⤵
                PID:2280
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1904 --field-trial-handle=2332,i,13784495592477093680,8191285772852746292,131072 /prefetch:8
                7⤵
                PID:912
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=2332,i,13784495592477093680,8191285772852746292,131072 /prefetch:1
                7⤵
                PID:4812
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=2332,i,13784495592477093680,8191285772852746292,131072 /prefetch:1
                7⤵
                PID:1484
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3780 --field-trial-handle=2332,i,13784495592477093680,8191285772852746292,131072 /prefetch:1
                7⤵
                PID:5968
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 --field-trial-handle=2332,i,13784495592477093680,8191285772852746292,131072 /prefetch:2
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:6968
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3104
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0x80,0x118,0x7ffdb2063cb8,0x7ffdb2063cc8,0x7ffdb2063cd8
                7⤵
                PID:128
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2072 /prefetch:2
                7⤵
                PID:2800
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2520
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
                7⤵
                PID:1452
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
                7⤵
                PID:72
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
                7⤵
                PID:1636
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
                7⤵
                PID:1300
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
                7⤵
                PID:4108
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
                7⤵
                PID:2920
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
                7⤵
                PID:5600
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                7⤵
                PID:5116
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:6252
              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:6456
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8760525853614580427,7513527971007586795,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4620 /prefetch:2
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:6152
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2004
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                7⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1536
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1536.0.761312358\285505782" -parentBuildID 20230214051806 -prefsHandle 1648 -prefMapHandle 1640 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {189e4754-1216-474f-9b8f-da8e99d0c3ae} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" 1780 1e149a0b558 gpu
                  8⤵
                  PID:1100
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1536.1.863573405\1361848405" -parentBuildID 20230214051806 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bf3d1de-ac75-4803-acfa-f12b79f4c634} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" 2352 1e13cb86258 socket
                  8⤵
                  PID:2504
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1536.2.36605174\572466621" -childID 1 -isForBrowser -prefsHandle 3452 -prefMapHandle 3448 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbbe698d-95bd-438a-b783-fd5a20fff9bb} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" 3464 1e14c06d258 tab
                  8⤵
                  PID:2200
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1536.3.6206911\755016147" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3248 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f90d5e0a-558f-4943-9fdb-a4e769bca0d2} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" 3096 1e14f6f0a58 tab
                  8⤵
                  PID:2172
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1536.4.1562441266\2076937548" -childID 3 -isForBrowser -prefsHandle 5052 -prefMapHandle 5048 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {444a1a04-5e29-47bb-8b2f-0fd1cda641f8} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" 5064 1e1511f5f58 tab
                  8⤵
                  PID:5416
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1536.5.804066796\1907459623" -childID 4 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eae88639-ffc9-4d23-8d1f-a99129b167d6} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" 5196 1e150a49a58 tab
                  8⤵
                  PID:5592
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1536.6.8853062\961009525" -childID 5 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6677c354-86c8-4bb3-9e18-d07399de1bfa} 1536 "\\.\pipe\gecko-crash-server-pipe.1536" 5492 1e1511f4a58 tab
                  8⤵
                  PID:5604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2180
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4808
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:2676
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5492
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6972
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1384
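The process tree above, together with the Malware Config section, gives a detection engineer concrete material: the Amadey install directory and file name, the 1000xxxxxx payload folders it executes from, cmd.exe launching droppers with ten-letter upper-case names, the batch file that opens Chrome, Edge and Firefox on https://www.youtube.com/account, and the two C2 URLs. The following is an added example that turns those observations into rules and runs them over constructed events; it is not the sandbox's own signature logic. The exact indicators are taken from this report; the regular expressions that generalise them (hex-named install folder, 1000xxxxxx task folders, upper-case dropper names, 16-hex-character gate path) are assumptions extending the single instance shown here. Event fields follow the Sysmon event 1 shape (Image, CommandLine, ParentImage).

```python
"""Detection rules derived from this report, run over constructed events.

Added example, not the sandbox's rules. Exact IOCs are from the report;
the generalising regexes are assumptions.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Exact indicators from the Malware Config and Downloads sections.
C2 = {
    ("85.28.47.30", "/920475a59bac849d.php"): "Stealc C2 (botnet 'Nice')",
    ("77.91.77.82", "/Hun4Ko/index.php"): "Amadey 4.30 C2 (botnet 4dd39d)",
}
DROPPED_SHA256 = {
    "ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a": r"C:\ProgramData\mozglue.dll",
    "ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5": r"C:\ProgramData\nss3.dll",
}
# Generalised patterns (assumed from the one instance in the report).
AMADEY_INSTALL = re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[a-z]{5,12}\.exe$")
AMADEY_TASKDIR = re.compile(r"\\AppData\\Local\\Temp\\1000\d{6}\\[0-9a-f]{10}\.(?:exe|cmd)$")
DROPPER_START = re.compile(r'cmd\.exe"? /c start "" ".*\\Temp\\[A-Z]{10}\.exe"')
STEALC_GATE = re.compile(r"^/[0-9a-f]{16}\.php$")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
ACCOUNT_URL = "https://www.youtube.com/account"


def check_process(ev: Event) -> List[str]:
    image, cmdline, parent = ev.get("image", ""), ev.get("cmdline", ""), ev.get("parent", "")
    hits = []
    if AMADEY_INSTALL.search(image):
        hits.append("Amadey install path (%TEMP%\\<10 hex>\\<name>.exe)")
    if AMADEY_TASKDIR.search(image):
        hits.append("payload executed from Amadey task directory")
    if DROPPER_START.search(cmdline):
        hits.append("cmd.exe /c start of upper-case-named dropper in %TEMP%")
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in BROWSERS and parent.lower().endswith("cmd.exe") and ACCOUNT_URL in cmdline:
        hits.append("browser opened on account page by cmd.exe (5141bb13fc.cmd behaviour)")
    return hits


def check_http(ev: Event) -> List[str]:
    host, path = ev.get("host", ""), ev.get("path", "")
    if (host, path) in C2:
        return [C2[(host, path)]]
    if STEALC_GATE.match(path):                      # generalised: unknown host, same gate shape
        return ["Stealc-style gate path (16 hex chars + .php) on unknown host"]
    return []


def check_file(ev: Event) -> List[str]:
    name = DROPPED_SHA256.get(ev.get("sha256", "").lower())
    return [f"known dropped file hash ({name})"] if name else []


RULES = {"process": check_process, "http": check_http, "file": check_file}


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that trips a rule."""
    out = []
    for i, ev in enumerate(events):
        for reason in RULES.get(ev.get("type", ""), lambda _e: [])(ev):
            out.append((i, reason))
    return out


# Constructed events modelled on the report's process tree and network config.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013.exe"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"',
     "parent": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\1000006001\c5a68fa3db.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1000006001\c5a68fa3db.exe"',
     "parent": r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"},
    {"type": "http", "host": "85.28.47.30", "path": "/920475a59bac849d.php"},
    {"type": "http", "host": "77.91.77.82", "path": "/Hun4Ko/index.php"},
    {"type": "http", "host": "203.0.113.7", "path": "/0f1e2d3c4b5a6978.php"},   # generalised gate hit
    {"type": "file", "path": r"C:\ProgramData\nss3.dll",
     "sha256": "ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5"},
    # Benign: the same URL opened by the user from Explorer, and an ordinary PHP page.
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"',
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "http", "host": "www.example.com", "path": "/index.php"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The browser rule keys on the parent being cmd.exe rather than on the URL alone, because the URL is one any user may open; the two trailing benign events show that neither it nor the generic "/index.php" path fires. The hash rule is the least durable of the set, since mozglue.dll and nss3.dll are legitimate Mozilla libraries and only their appearance under C:\ProgramData next to the stealer is unusual.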

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

    Filesize

    36KB

    MD5

    103d7813f0ccc7445b4b9a4b34fc74bf

    SHA1

    ed862e8ebd885acde6115c340e59e50e74e3633b

    SHA256

    0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b

                                                          SHA512

                                                          0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                          Filesize

                                                          240B

                                                          MD5

                                                          03c653f0099f8af9e42512ebfd342d64

                                                          SHA1

                                                          48faa93957085aa6911bf655449cd7b53139a3ff

                                                          SHA256

                                                          07a0ceb69c0964b7f6ce5b771d1ab7abd4c3cdce7623bdb6417fe5d370b7f4ec

                                                          SHA512

                                                          94a4062abb4f8165c1e373e96a2d4dbf759a7eb2c6ed256941534624fb209c0fafeba17390ae4ff7964b2d9fa60115f61fb224d1927973eb3445267cfc805853

                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                          Filesize

                                                          1KB

                                                          MD5

                                                          98aa7c4e9f66f4735d2624368b260003

                                                          SHA1

                                                          5d0f206cad58e653358d71c09c590029fab958b8

                                                          SHA256

                                                          7892a59b167c94c2b067c0f21013a0362784f05263245cf1ba1ed687baadc646

                                                          SHA512

                                                          fca1f1459566ec3ab8a0654a4d17f2204af99ee9c78c0de9d625f9f2d9e23ce9946895d11f2d654def06736bcd140e6d80fc6fb6a62bcd8428fa587971a4d870

                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                          Filesize

                                                          2KB

                                                          MD5

                                                          2440dfc8d1a1f51d8c5d603c03e348af

                                                          SHA1

                                                          2d05d452c7fc8492d91dcac33d0e1f84c60bd113

                                                          SHA256

                                                          11f664fdb6e4064aa7f09b7047a7a99aa241e8175eba0ec60f7b103f61505240

                                                          SHA512

                                                          66272280d8f1fbd2c999f47b5aa606f301eba99a4e845adfd6ac736bf6edbbd8a2384e28032765b548c02b09f275cfac36e75021b2c1ad8ee716079f8fdc5ad2

                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                          Filesize

                                                          2B

                                                          MD5

                                                          d751713988987e9331980363e24189ce

                                                          SHA1

                                                          97d170e1550eee4afc0af065b78cda302a97674c

                                                          SHA256

                                                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                          SHA512

                                                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                          Filesize

                                                          524B

                                                          MD5

                                                          6e49cf10766ef05fcd5b75919c578033

                                                          SHA1

                                                          27d64ecbbb36585458808ce31461957ef4686c51

                                                          SHA256

                                                          860f0571e01dd2c4873906bea47fbb05df8387aa35c8f50ea3093217d810793a

                                                          SHA512

                                                          f65ce674d95d803a63f537d8f8c5f1b011ac439b5ce48daa535a90438cb666cb9ba5c32fbb41fe433e9a3c3277b545b4183af8de3695eadb81c8c97d2d02dd4b

                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                          Filesize

                                                          7KB

                                                          MD5

                                                          b6fdb69168237df751b3be81ce406f5e

                                                          SHA1

                                                          35cb46efd4ec06895e35d2df6e184497570945a0

                                                          SHA256

                                                          88dd34855e92b897615a7572e8f4c47890cb40dbf340cf0c8a02e77d01467f6e

                                                          SHA512

                                                          b5a5994630e90fb8c49ed5df9daa7d6ccde4ffd3c9f22798c5f06691aad260e59df3bf8259094205c6eeb6445331b0777aabe2d60b5a92ad287faaade2bfb106

                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                          Filesize

                                                          144KB

                                                          MD5

                                                          eada8bb514b5491a11d2abf6411f2a33

                                                          SHA1

                                                          726d99d41bfd16c3c4a012b714a4dab957155f49

                                                          SHA256

                                                          dc2450e52c2da58665b14ed39b29687c1b0dbc5a741e26cdbca83cb848646400

                                                          SHA512

                                                          71802e10b52f8030ecf7e6c127ceeba6c418031707a36db35c82a126bffefe0440799400093b8d4eefb5075677e796d8d4d357803494b0bf26c6118e82d2b2cb

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                          Filesize

                                                          152B

                                                          MD5

                                                          640b9bae54d22b45b4d52a96e2f81f13

                                                          SHA1

                                                          b1c7304e9abbe1759f8df7f88ca2c6354b42fdf3

                                                          SHA256

                                                          834c17e205445d197a64177b76ae0bb718bfe2eb8ffe492f008946603edf80d4

                                                          SHA512

                                                          8baaa3339cddca01a018e9a0900426a7590f7107c55372d65fe932dd570bb4289238977396037c9bf73157d6bfd7f1f5795842df39c354200c2af1a84014e6a6

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                          Filesize

                                                          152B

                                                          MD5

                                                          b45c28d31ee31580e85d12f5ce5b6a46

                                                          SHA1

                                                          8bd9a23f3141aa877711fc7835446b8783b51974

                                                          SHA256

                                                          d944d6021a2fdf016911aa4d9e8b437431fa4f92b0229b9e3322b4354a4b19c7

                                                          SHA512

                                                          3628da551c52367a4b54ca0cb7c401f7d3a8dd37375b3b57d82adb06c96657ac55d593ffa7a9f000f74ecd7e6d35562a96013d0c70b04123f055a4d2af72aa3d

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                          Filesize

                                                          240B

                                                          MD5

                                                          a0c81875837cb6a01888f09aaf961e08

                                                          SHA1

                                                          4be4202077461a52d4a02b8b337cfbc25d9fe564

                                                          SHA256

                                                          b932dc562b144224d6597ea5b13666a158a5f8110e8b72612b86542e57c93b56

                                                          SHA512

                                                          873eff5967eef02111df08eefefaffa3f430dae196f1c79daf11eda73d1152ff86f60483391c169d77d75719bdee07e0244206f5506253c9039b16e80544c141

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                          Filesize

                                                          1KB

                                                          MD5

                                                          cf8c00bd5f882500e2d1a8786fdb60df

                                                          SHA1

                                                          bae375ad6c6b4827d40b62b5db7dd2ab58d07c38

                                                          SHA256

                                                          54973792bb7fc6365fd841eaf39de32881ff3e0d7efc103757cd87c2e3ae9284

                                                          SHA512

                                                          3a49339d3d97de481daa5c788d1dad1965c85ff0c0c16b1d9d099aa870bec05b5b6ecdd989d3363f48b9b638515c41e76285fdcf9b30ca395230c92d9ea1202e

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                          Filesize

                                                          5KB

                                                          MD5

                                                          21b0500cd541bcc6c21f0a4b7860b920

                                                          SHA1

                                                          396739eaa61a99eb017422cbadcf7df70fcf82ee

                                                          SHA256

                                                          8b7615a89453a2056044548f9e61e64fe4b9e47919269bc3bb199aeb18b225e3

                                                          SHA512

                                                          50304af90ce89623aefceecb6ae4d0999768b5bd05d1012510fb5bb8c8b89a9c0225867439bd7e39781793ff4b26d453b2bd682c85173283aeadb6f7365eab9a

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                          Filesize

                                                          6KB

                                                          MD5

                                                          35647ef48165b8bbc9359684e9e0647c

                                                          SHA1

                                                          517d3dd9b0fe6b53ad31100f268fe81cd1f8690f

                                                          SHA256

                                                          bf4cc2993cb67d781021192f6caec12565b6c76004482bff73b396ad68a05c39

                                                          SHA512

                                                          acbfca2ee9190227cb39cd2d8d25d399d4cbfa4c2311714c868e598b0f6b196904a5c2bac3595eedb0235c9d0a3549f2202112da181ddabeb09e9f9a14b7486d

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                          Filesize

                                                          16B

                                                          MD5

                                                          206702161f94c5cd39fadd03f4014d98

                                                          SHA1

                                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                          SHA256

                                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                          SHA512

                                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                          Filesize

                                                          16B

                                                          MD5

                                                          46295cac801e5d4857d09837238a6394

                                                          SHA1

                                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                          SHA256

                                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                          SHA512

                                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                          Filesize

                                                          11KB

                                                          MD5

                                                          1d215a6d6422ab455e77b5b901400c0e

                                                          SHA1

                                                          40cba8ca286440af699f27522c1e86d0a8890187

                                                          SHA256

                                                          1f2df92e5eacf00d85bbf6db96746ce5c7171254fd823a06d17370306d39b0fe

                                                          SHA512

                                                          8c4dde198672c8c768b6cbfcd2e610c2513994d02f35a37d6f0068016c9e503b35dceeb1195cd374682af5c98833987718fe97a0799f5283063c52fdda80a1b3

                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                          Filesize

                                                          11KB

                                                          MD5

                                                          c923e66390821399acec49111cdb0a2a

                                                          SHA1

                                                          1fefc7bccb1ce0c23fec03c11573528c5762a6e6

                                                          SHA256

                                                          59a850f0407b67ff6f2f7bc4d394b92938f73c9b2e514ee000227c3a7521dd78

                                                          SHA512

                                                          cfd75def487f70e0d373694ff806bdbf930ca7498c2150bf6801f0a5d1f74889b8e56795befbfc4e6b309107e9fd578be15e8339af223aa37a22a738479a9f1f

                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\activity-stream.discovery_stream.json.tmp

                                                          Filesize

                                                          22KB

                                                          MD5

                                                          54c997ec5e30079f63c8b6930ae6a28e

                                                          SHA1

                                                          be0d98e61e7c9f90b701ae29d5662f713fa762b3

                                                          SHA256

                                                          d8bb64d5b3c1e45cf2dc1d8e7f9dde378b935967f16f1842f9f704fcff533594

                                                          SHA512

                                                          468db39cb0666c4ae9fac5eba7958f771fd10f194cb64cb6c14df6308950cdeb25aa6b7b671a1c5c841f45600f252efd3f1aa6fa885df4d7184218dc187c43b2

                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\activity-stream.discovery_stream.json.tmp

                                                          Filesize

                                                          23KB

                                                          MD5

                                                          9c4479b2c916451b6dd63db279189522

                                                          SHA1

                                                          a438516709eed6d89c81e505bf2e5d4ef86aa69e

                                                          SHA256

                                                          31addb8d8235c5b2fa0d5aaa0a862ec10c321de67f2350373c9bf41082b47dac

                                                          SHA512

                                                          0a0fa1c9ca06ef0ecea2243fa64e3461cee0b28a00fa25cfbff461ad63323f63896319b8ae48f151638395c7d5e741099fbc74028b87c5efbc35991f0c66a976

                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                          Filesize

                                                          13KB

                                                          MD5

                                                          ed65a8a4ebe4a8c61f044806ab171197

                                                          SHA1

                                                          6cbfeda006571e438d5319368271e2bbce8f6222

                                                          SHA256

                                                          a00f696838b3187e415e0e843e8e0715f3530f53a6c72006e0f0cfc9088e8032

                                                          SHA512

                                                          fa6348cc9957ee4422492aa9b961c234990af1de9eab354a2e995835fc52ce2579d2cf2b1a4cefbc838685e8d3178ec326db38b28d6f62a924c695fa29c85a82

                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\cache2\entries\CB4F0A898744713F17C3A2E0C804B48F9D0DD468

                                                          Filesize

                                                          76KB

                                                          MD5

                                                          6bc92aab4e9f934605417da0d1661633

                                                          SHA1

                                                          fd854bdebaae8254c2e75cd1a44d6b576f9414ba

                                                          SHA256

                                                          8ce8b90547fac02919687e8142103c3ba63f47d866f9ecc99d5ff182d989ba9f

                                                          SHA512

                                                          17e24d3239d7594670938af481b82ed195f3746df1c6b57630d10e615f9d63b8fa18024e5da0ddd4965e8842ea57c4d8432f1f74d408273f1c05fd7397c55102

                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

                                                          Filesize

                                                          9KB

                                                          MD5

                                                          8a4ea7e46dcb51cf22d53f46ccde7f66

                                                          SHA1

                                                          3d2da5d8445946f82b4f73e8d641066d1b18d18c

                                                          SHA256

                                                          d2f96075afb4408fe328253fce2cbf04275f40f48c6cb34d46bdc2d9d150deec

                                                          SHA512

                                                          5df6d316213d87ff15ac8b92c5babd4ae91e1203aa1c5a8488156efdb9a3a2d757cc8676270e56b1d0d63458f14c3402a72b69f732f4f8420cc7f83ba2e108d0

                                                        • C:\Users\Admin\AppData\Local\Temp\1000006001\c5a68fa3db.exe

                                                          Filesize

                                                          2.4MB

                                                          MD5

                                                          4090bcb4c36bf660e37c44041456c55d

                                                          SHA1

                                                          b2c2363a5b69c1393b62b03bac15e9fc4557c715

                                                          SHA256

                                                          3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013

                                                          SHA512

                                                          0ce916ff673c9dedbfcdf3a5b29a8c0e46bfb87995c3fd0280a6660cbdcedc997ea974d5684c79edb726a5aca6e2631d63041d3d392d8f861d9a9a5b4e522182

                                                        • C:\Users\Admin\AppData\Local\Temp\1000008021\5141bb13fc.cmd

                                                          Filesize

                                                          2KB

                                                          MD5

                                                          c1b73be75c9a5348a3e36e9ec2993f58

                                                          SHA1

                                                          84b8badeca9fa527ae6b79f3e5920e9fd0fbd906

                                                          SHA256

                                                          a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0

                                                          SHA512

                                                          fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

                                                        • C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe

                                                          Filesize

                                                          1.8MB

                                                          MD5

                                                          9a078876b23608ca0de594f4feb973fd

                                                          SHA1

                                                          63355749469f7fabfe986fb3ae33bdc83834c061

                                                          SHA256

                                                          149f34cc064bd94f468d0e3c2fcc176dcf3592b099b4cef85fb4d672cb0a5d6d

                                                          SHA512

                                                          45ecc1a2bb87619656cb9204aa9eb2955e4d502adb84d528f004afe038e256a68de46224602ccf7cc81cdb3e62e6cbf5111ab2e33e72b3d8c10f6f81ac5615d6

                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                          Filesize

                                                          442KB

                                                          MD5

                                                          85430baed3398695717b0263807cf97c

                                                          SHA1

                                                          fffbee923cea216f50fce5d54219a188a5100f41

                                                          SHA256

                                                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                          SHA512

                                                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                          Filesize

                                                          8.0MB

                                                          MD5

                                                          a01c5ecd6108350ae23d2cddf0e77c17

                                                          SHA1

                                                          c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                          SHA256
