Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-07-2024 15:30

General

  • Target

    file.exe

  • Size

    2.4MB

  • MD5

    4090bcb4c36bf660e37c44041456c55d

  • SHA1

    b2c2363a5b69c1393b62b03bac15e9fc4557c715

  • SHA256

    3729d0a825685cb3f1d22da6a41ad8f23ea9a44539f9e9f6d2bb9fcef1723013

  • SHA512

    0ce916ff673c9dedbfcdf3a5b29a8c0e46bfb87995c3fd0280a6660cbdcedc997ea974d5684c79edb726a5aca6e2631d63041d3d392d8f861d9a9a5b4e522182

  • SSDEEP

    49152:izS5HsWr2p7f3lDOErXH+W4BdeA2uViz9RRCyE9uDzW0C83M:izCtrwlDg3BJMGJ9u0aM

Malware Config

Extracted

Family

stealc

Botnet

Nice

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 3 IoCs]
  • Downloads MZ/PE file
  • Checks BIOS information in registry [2 TTPs, 6 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings [2 TTPs, 5 IoCs]

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE [4 IoCs]
  • Identifies Wine through registry keys [2 TTPs, 3 IoCs]

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL [4 IoCs]
  • Reads data files stored by FTP clients [2 TTPs]

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers [2 TTPs]

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
  • Checks installed software on the system [1 TTP]

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger [16 IoCs]
  • Drops file in Windows directory [1 IoC]
  • Enumerates physical storage devices [1 TTP]

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry [2 TTPs, 10 IoCs]

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe [1 IoC]
  • Enumerates system info in registry [2 TTPs, 6 IoCs]
  • Modifies registry class [1 IoC]
  • Suspicious behavior: EnumeratesProcesses [18 IoCs]
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [6 IoCs]
  • Suspicious use of AdjustPrivilegeToken [64 IoCs]
  • Suspicious use of FindShellTrayWindow [56 IoCs]
  • Suspicious use of SendNotifyMessage [51 IoCs]
  • Suspicious use of SetWindowsHookEx [4 IoCs]
  • Suspicious use of WriteProcessMemory [64 IoCs]
  • Uses Task Scheduler COM API [1 TTP]

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe
        "C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4832
          • C:\Users\Admin\AppData\Local\Temp\1000006001\5c3dec559b.exe
            "C:\Users\Admin\AppData\Local\Temp\1000006001\5c3dec559b.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:4492
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000006001\5c3dec559b.exe" & del "C:\ProgramData\*.dll"" & exit
              6⤵
              PID:6896
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 5
                7⤵
                • Delays execution with timeout.exe
                PID:3964
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\fa9d6f4811.cmd" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1348
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd4ddeab58,0x7ffd4ddeab68,0x7ffd4ddeab78
                7⤵
                PID:1216
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:2
                7⤵
                PID:2996
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:8
                7⤵
                PID:3520
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:8
                7⤵
                PID:1908
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:1
                7⤵
                PID:2588
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:1
                7⤵
                PID:4116
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3980 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:1
                7⤵
                PID:5428
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:8
                7⤵
                PID:5580
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 --field-trial-handle=2072,i,12372136462127226621,8107319916379651319,131072 /prefetch:8
                7⤵
                PID:5632
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3796
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd4dab46f8,0x7ffd4dab4708,0x7ffd4dab4718
                7⤵
                PID:4948
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8821386420066789592,9108066363433165910,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
                7⤵
                PID:1876
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8821386420066789592,9108066363433165910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4216
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8821386420066789592,9108066363433165910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
                7⤵
                PID:2540
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8821386420066789592,9108066363433165910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                7⤵
                PID:3584
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8821386420066789592,9108066363433165910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                7⤵
                PID:4300
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8821386420066789592,9108066363433165910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
                7⤵
                PID:5568
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3496
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                7⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1936
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.0.1809208504\1717901888" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8be33ea-5bbe-4395-b235-3a87f92aa7d1} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 1860 15934c23a58 gpu
                  8⤵
                  PID:2328
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.1.1556124468\22621479" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a1344fe-2c6f-48f4-b207-751fcc94ba12} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 2476 15927f8a258 socket
                  8⤵
                  PID:1468
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.2.1880944840\1175843049" -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 3184 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dac0b889-0686-4655-9bff-cd0111f5dcbf} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 3200 15933b92a58 tab
                  8⤵
                  PID:820
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.3.1169555674\880720065" -childID 2 -isForBrowser -prefsHandle 3348 -prefMapHandle 3340 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e068e33f-6bb0-4a43-ba6d-3ac1220ee018} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 3328 15927f7ab58 tab
                  8⤵
                  PID:5220
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.4.115402853\38300515" -childID 3 -isForBrowser -prefsHandle 5116 -prefMapHandle 5048 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d218482a-178b-4236-aa25-113e98305dc4} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 5136 1593b611758 tab
                  8⤵
                  PID:924
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.5.1885822354\691051906" -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25e38c68-8231-401a-83ab-816028fae089} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 5280 1593b612c58 tab
                  8⤵
                  PID:5444
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1936.6.1333099403\68180701" -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1304 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f2ab694-61f7-4a93-8a41-4e14f0b37152} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" 5484 1593b613e58 tab
                  8⤵
                  PID:5452
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBGHIIJDGH.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      PID:1632
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4240
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5580
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5628
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5240

Network

MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\ProgramData\BAAFBFBA

                                                        Filesize

                                                        100KB

                                                        MD5

                                                        8f8e71af2308c3f9bd9530010ae4c5ea

                                                        SHA1

                                                        7c25d610021bcfc978374b81e1e271eed12a6100

                                                        SHA256

                                                        64b34a4877400fa2c75b317a66732836d048798410b43890ab6db20036692a04

                                                        SHA512

                                                        d1394c033e6f4ebdebcc5b5256781cd22952ad346a314efd77e4bf3a2242dbfe98dc44af68b0e17d489e5873415c4bc8104451e18930680476a755e376a4f4ba

                                                      • C:\ProgramData\GIEGHJEG

                                                        Filesize

                                                        116KB

                                                        MD5

                                                        f70aa3fa04f0536280f872ad17973c3d

                                                        SHA1

                                                        50a7b889329a92de1b272d0ecf5fce87395d3123

                                                        SHA256

                                                        8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                        SHA512

                                                        30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                      • C:\ProgramData\freebl3.dll

                                                        Filesize

                                                        144KB

                                                        MD5

                                                        b19a288520c439d8090b7469d7ebbd7e

                                                        SHA1

                                                        f37b9d42c3e7540405e3e2410708c65b909b7637

                                                        SHA256

                                                        8a25a619a2962aa18a12936190f4c8ad5faae33ff23d461fa920257f6c1ee615

                                                        SHA512

                                                        bfa3fa2a01282eb20361a0ef2a778445583e9c876e9cc09e6a447fdb5da9db31b296d5172f68f9b1d03625477e18d322dd7102949f389e335a204eb75e29236d

                                                      • C:\ProgramData\mozglue.dll

                                                        Filesize

                                                        122KB

                                                        MD5

                                                        adc45775bd4d298fe76d4fedb40728f3

                                                        SHA1

                                                        88f9d2ecbf898029c013a3163efdd4471767d414

                                                        SHA256

                                                        52bb118f25cfd1586ef3a1dd87613f627af3fcb0799f51257dae81b292642c83

                                                        SHA512

                                                        e438ec62faa5e64e0d368244edf1208bfadd2bc9f200c47c290bddd03bcc30b7223c659c1bb1403e086bb587618fdd588193458c9a29534e9f74f93558de73cf

                                                      • C:\ProgramData\mozglue.dll

                                                        Filesize

                                                        593KB

                                                        MD5

                                                        c8fd9be83bc728cc04beffafc2907fe9

                                                        SHA1

                                                        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                        SHA256

                                                        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                        SHA512

                                                        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                      • C:\ProgramData\msvcp140.dll

                                                        Filesize

                                                        141KB

                                                      • C:\ProgramData\nss3.dll

                                                        Filesize

                                                        160KB

                                                      • C:\ProgramData\nss3.dll

                                                        Filesize

                                                        2.0MB

                                                      • C:\ProgramData\softokn3.dll

                                                        Filesize

                                                        251KB

                                                      • C:\ProgramData\vcruntime140.dll

                                                        Filesize

                                                        78KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

                                                        Filesize

                                                        67KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

                                                        Filesize

                                                        36KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                        Filesize

                                                        240B

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

                                                        Filesize

                                                        152KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

                                                        Filesize

                                                        20KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                        Filesize

                                                        2KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                        Filesize

                                                        2B

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                        Filesize

                                                        524B

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                        Filesize

                                                        7KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                        Filesize

                                                        146KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                        Filesize

                                                        146KB

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                        Filesize

                                                        145KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                        Filesize

                                                        216B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

                                                        Filesize

                                                        20KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

                                                        Filesize

                                                        124KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                        Filesize

                                                        1KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        11KB

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        11KB

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp

                                                        Filesize

                                                        26KB

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                        Filesize

                                                        13KB

                                                      • C:\Users\Admin\AppData\Local\Temp\1000006001\5c3dec559b.exe

                                                        Filesize

                                                        2.4MB

                                                      • C:\Users\Admin\AppData\Local\Temp\1000008021\fa9d6f4811.cmd

                                                        Filesize

                                                        2KB

                                                      • C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe

                                                        Filesize

                                                        1.8MB

                                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                        Filesize

                                                        442KB

                                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                        Filesize

                                                        8.0MB

                                                        MD5

                                                        a01c5ecd6108350ae23d2cddf0e77c17

                                                        SHA1

                                                        c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                        SHA256

                                                        345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                        SHA512

                                                        b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\cookies.sqlite-wal

                                                        Filesize

                                                        256KB

                                                        MD5

                                                        5fb6b3f3031f6f1fccca943727a4c4a5

                                                        SHA1

                                                        e29c7af33eb2f282dbbdb7184abaef0a4e38e2a6

                                                        SHA256

                                                        4a79ff8274af89296b04b9621f4bad6683b5424ae673b8215f60df87471dc73c

                                                        SHA512

                                                        80004be91ad395f5c477c870e24d7cbac280cfaa8980f325c72b7e7111d67c86cc6e36abef954aef7f8f10d15d4554dfedb88a6434fd3f764fbb95df791aff12

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                        Filesize

                                                        997KB

                                                        MD5

                                                        fe3355639648c417e8307c6d051e3e37

                                                        SHA1

                                                        f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                        SHA256

                                                        1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                        SHA512

                                                        8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                        Filesize

                                                        116B

                                                        MD5

                                                        3d33cdc0b3d281e67dd52e14435dd04f

                                                        SHA1

                                                        4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                        SHA256

                                                        f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                        SHA512

                                                        a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                        Filesize

                                                        479B

                                                        MD5

                                                        49ddb419d96dceb9069018535fb2e2fc

                                                        SHA1

                                                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                        SHA256

                                                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                        SHA512

                                                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                        Filesize

                                                        372B

                                                        MD5

                                                        8be33af717bb1b67fbd61c3f4b807e9e

                                                        SHA1

                                                        7cf17656d174d951957ff36810e874a134dd49e0

                                                        SHA256

                                                        e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                        SHA512

                                                        6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                        Filesize

                                                        11.8MB

                                                        MD5

                                                        33bf7b0439480effb9fb212efce87b13

                                                        SHA1

                                                        cee50f2745edc6dc291887b6075ca64d716f495a

                                                        SHA256

                                                        8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                        SHA512

                                                        d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        688bed3676d2104e7f17ae1cd2c59404

                                                        SHA1

                                                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                        SHA256

                                                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                        SHA512

                                                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        937326fead5fd401f6cca9118bd9ade9

                                                        SHA1

                                                        4526a57d4ae14ed29b37632c72aef3c408189d91

                                                        SHA256

                                                        68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                        SHA512

                                                        b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\places.sqlite-wal

                                                        Filesize

                                                        992KB

                                                        MD5

                                                        30151322216d82410615e6a8cc3cf5d6

                                                        SHA1

                                                        17f6ea4945e373cce2e29621845ba25bdf35d662

                                                        SHA256

                                                        b6ae79af84961b7183501d619e08426556dfabe04462d1303d5faf7d3464b42e

                                                        SHA512

                                                        41f49758fcff8cbc654eb151ae77695dc2bfc68532b11d39b952633ad7beccb3c3247f467a19eb580a580182595538e4b6fc520ea61f89cc0ec377bae7f257db

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs-1.js

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        1437202ec9acaedf0a008755e8d64af1

                                                        SHA1

                                                        aa4d2c5324981aa886af7e7b869f98b30fff61e1

                                                        SHA256

                                                        6f70afc941325b08828135ad124dee3954b106333c629a49a0b2db8613ef90dc

                                                        SHA512

                                                        d8d77afb1a9a16874474c90ef7f7e0c21460bf6040e157326c1263e4630a928afdbeca4b1b4efc2dc2a8a51816c203e349d2624f49f61ce40c92abee0f550da1

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs-1.js

                                                        Filesize

                                                        8KB

                                                        MD5

                                                        f690e923c1a73a5fce5838a1e5b6c714

                                                        SHA1

                                                        18a8181788f3055fcf7960bae1e68b1abf38cfc4

                                                        SHA256

                                                        a4ecf4ea330a60a3f89d42f62066962b5f5b4014f7bd39fcf5653f6e66defdc0

                                                        SHA512

                                                        4e87171b4112ddf2c17462b4d51c39a4db5d5608831102462722a0497d7df737a212c597f475d42334e1ade1716d984b830c468d2db622f27af2a048a076b233

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs.js

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        d2d2dee86acf7b86cfce6e1c937e2f79

                                                        SHA1

                                                        b0479d48c79bc98c6e96c94967395c705f684ac0

                                                        SHA256

                                                        4c84caeb48ecb1e430a9a2453e13ce619dd765a39271c95af7e35982eaf98385

                                                        SHA512

                                                        a047b6edddd9945f75e305454cfeaeb6b9e3209a0ce8c22c4a9f3c83768194a10e6d6998915c8a2356520124201e3057d2a94c2257d2fb536e2ee9b9c25d280b

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs.js

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        8109d4311a94b3b53e459abf30f4a9a3

                                                        SHA1

                                                        c947f01b54ea86a2310f0ff5db1716f23e29258e

                                                        SHA256

                                                        59ecedc74007a24aa7a841f2621b1aae2946be5492021172ab7a7de89691f7ef

                                                        SHA512

                                                        988e38ea0773059dc098bbe09540ecab2267c582fbc47606d1a69f1255bd2fcf4bcf87f327687e72eb6c9001ec561b594d6ea9712abdb6b20d6d556688d51583

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs.js

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        e054eecd3f9d479fcd215851b5f14935

                                                        SHA1

                                                        a880285b4d72693b4de4dc46cd5249a7e00cb013

                                                        SHA256

                                                        3a08e91586c5d2f68bfcc0f865de63094cd895700cb766674c85719dfce0b4bb

                                                        SHA512

                                                        abb91afe7264edbb110f24e7073500596be6058f60d904b556a351c65773f16794e7ced5123da98c239f04ac574a3fced354deb5517b841fe6558bf895e0a1e0

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4

                                                        Filesize

                                                        4KB

                                                        MD5

                                                        28cbcc778a1328efc26e5d90583bf63b

                                                        SHA1

                                                        614392129e905a2556fe9745ba19b129bea7c92f

                                                        SHA256

                                                        91c91107e7f8494efdebf8d616ded916bbfd46e99a9f15fcd9f910090fba9bb6

                                                        SHA512

                                                        0e38fbd73aabdfe6676b7bbd1da313e074b1f58984095e6d20ddf7e6f68cd011d42877c030306cc59ae9013456b87a05789bfff76ceca633dcf695fb5c9c81be

                                                      • \??\pipe\LOCAL\crashpad_3796_BATKOSRDTURLBIFI

                                                        MD5

                                                        d41d8cd98f00b204e9800998ecf8427e

                                                        SHA1

                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                        SHA256

                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                        SHA512

                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                      • memory/412-78-0x0000000000CF0000-0x00000000018D9000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/412-1-0x000000007F480000-0x000000007F851000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                      • memory/412-5-0x0000000000CF0000-0x00000000018D9000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/412-2-0x0000000000CF0000-0x00000000018D9000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/412-6-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                        Filesize

                                                        972KB

                                                      • memory/412-0-0x0000000000CF0000-0x00000000018D9000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/412-4-0x000000007F480000-0x000000007F851000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                      • memory/412-82-0x0000000000CF0000-0x00000000018D9000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/412-3-0x0000000000CF0000-0x00000000018D9000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4460-86-0x0000000000880000-0x0000000000D36000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4460-99-0x0000000000880000-0x0000000000D36000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4492-425-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-400-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-116-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-392-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-1807-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-345-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-1069-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-1939-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4492-711-0x0000000000060000-0x0000000000C49000-memory.dmp

                                                        Filesize

                                                        11.9MB

                                                      • memory/4832-100-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-2436-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-393-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-399-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-1377-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-2553-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-2552-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-387-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-966-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-2538-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-605-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/4832-311-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/5240-1053-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB

                                                      • memory/5240-1068-0x0000000000DB0000-0x0000000001266000-memory.dmp

                                                        Filesize

                                                        4.7MB
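The dropped-file and memory-region entries above are flat label/value pairs, which is tedious and error-prone to turn into a hash list by hand. The Python below is an added example, not part of the Triage report or its tooling. It parses that layout, flags entries whose hashes are the hashes of zero bytes (the crashpad named pipe above carries MD5 d41d8cd98f00b204e9800998ecf8427e and SHA256 e3b0c442..., the empty-input digests, so it is not a usable indicator), and checks each memory/<pid>-<n>-<start>-<end>-memory.dmp name against the Filesize the report states for that region. Two assumptions that the page does not state: the report's sizes are 1024-based and rounded to one decimal, and the Firefox profile files under \Mozilla\Firefox\Profiles\ are the sandbox user's own browser data rather than payloads, so they are skipped by default when building the indicator list. The SAMPLE excerpt is copied from four of the entries above.

```python
"""Parse the flattened 'dropped files / memory regions' listing of a sandbox report.

Added example (not the report's own code). Layout handled: a path line starting
with a bullet, then label lines (Filesize, MD5, SHA1, SHA256, SHA512), each
followed by its value on the next non-empty line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# SHA256 of zero bytes; an entry carrying it has no content worth matching on.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
# Assumption: the report prints 1024-based sizes rounded to one decimal.
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed excerpt of the listing above (same layout, trimmed to four entries).
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe
Filesize
1.8MB
MD5
bcde09af967815e43273739df8377583
SHA256
3f03c856798b5f3dc6b9234586980889e29913b1946932d2411cedc3c42f371f
• \??\pipe\LOCAL\crashpad_3796_BATKOSRDTURLBIFI
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• memory/412-78-0x0000000000CF0000-0x00000000018D9000-memory.dmp
Filesize
11.9MB
• memory/4460-86-0x0000000000880000-0x0000000000D36000-memory.dmp
Filesize
4.7MB
"""


@dataclass
class Artifact:
    path: str
    filesize: Optional[str] = None          # as printed, e.g. "1.8MB"
    hashes: dict = field(default_factory=dict)

    @property
    def is_empty(self) -> bool:
        return self.hashes.get("SHA256") == EMPTY_SHA256

    @property
    def is_browser_profile(self) -> bool:
        # Assumption: profile files are the victim's data, not malware payloads.
        return "\\Mozilla\\Firefox\\Profiles\\" in self.path

    def memory_region(self) -> Optional[Tuple[int, int, int]]:
        """(pid, start, end) for memory dump entries, else None."""
        m = MEM_RE.match(self.path)
        if not m:
            return None
        pid, _seq, start, end = m.groups()
        return int(pid), int(start, 16), int(end, 16)


def parse_report(text: str) -> List[Artifact]:
    artifacts: List[Artifact] = []
    pending: Optional[str] = None           # label waiting for its value line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            artifacts.append(Artifact(path=line[1:].strip()))
            pending = None
        elif line in LABELS:
            pending = line
        elif pending is not None and artifacts:
            cur = artifacts[-1]
            if pending == "Filesize":
                cur.filesize = line
            else:
                cur.hashes[pending] = line.lower()
            pending = None
    return artifacts


def memory_size_matches(a: Artifact) -> Optional[bool]:
    """Does end-start from the dump name agree with the stated Filesize?
    None when the entry is not a memory region or has no Filesize."""
    region = a.memory_region()
    if region is None or a.filesize is None:
        return None
    m = SIZE_RE.match(a.filesize)
    if m is None:
        return False
    stated, unit = float(m.group(1)), m.group(2)
    _, start, end = region
    return round((end - start) / UNITS[unit], 1) == stated


def indicator_hashes(artifacts: List[Artifact], skip_profiles: bool = True) -> List[str]:
    """SHA256 values worth shipping: hashed, non-empty, and (by default) not profile data."""
    out = set()
    for a in artifacts:
        sha = a.hashes.get("SHA256")
        if sha is None or a.is_empty or (skip_profiles and a.is_browser_profile):
            continue
        out.add(sha)
    return sorted(out)


if __name__ == "__main__":
    for art in parse_report(SAMPLE):
        print(art.path, art.filesize, "empty" if art.is_empty else "", memory_size_matches(art))
    print(indicator_hashes(parse_report(SAMPLE)))
```

Run against the full listing, the size check passes for every memory/… entry above (for instance 0x18D9000 - 0xCF0000 = 12,488,704 bytes, which rounds to the stated 11.9MB), which is a cheap way to catch a mangled address or a copy error before the dump offsets are used to carve a region. Memory dumps carry no hashes in the report, so they never enter the indicator list; the only hash the excerpt yields is that of GHJKEHJEGC.exe.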