Analysis

  • max time kernel
    51s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 18:14

General

  • Target

    10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe

  • Size

    1.8MB

  • MD5

    d5d3a63a0c127480a4f3c3acde73a130

  • SHA1

    6386347bb05c432a70895ba02cfbaec68a9067f0

  • SHA256

    10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7

  • SHA512

    c7bd14f45005b1ff14a5cdf6b80777f97ee901445607e09da25c1bd4123c662f72ecd122578eccaca846b455fc04510cddc9f25fed6405d915cb04ea9a239180

  • SSDEEP

    49152:lggNvcrdnJUUUFTIb8TDHbhqDxX+aPGILatdM:qgFcrdnJUUUFTq8nHbhoOaPGILatm

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 7 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe
    "C:\Users\Admin\AppData\Local\Temp\10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Local\Temp\1000006001\17ffeecb0a.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\17ffeecb0a.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1556
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"
          4⤵
          • Loads dropped DLL
          PID:3452
          • C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe
            "C:\Users\Admin\AppData\Local\Temp\GIJDGCAEBF.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1928
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BKFBAKFCBF.exe"
          4⤵
          • Loads dropped DLL
          PID:3988
          • C:\Users\Admin\AppData\Local\Temp\BKFBAKFCBF.exe
            "C:\Users\Admin\AppData\Local\Temp\BKFBAKFCBF.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\9445e00051.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1684
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68d9758,0x7fef68d9768,0x7fef68d9778
            5⤵
              PID:1184
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1292,i,14598095974659882509,9944368324458793878,131072 /prefetch:2
              5⤵
                PID:2484
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1292,i,14598095974659882509,9944368324458793878,131072 /prefetch:8
                5⤵
                  PID:1656
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 --field-trial-handle=1292,i,14598095974659882509,9944368324458793878,131072 /prefetch:8
                  5⤵
                    PID:1676
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2008 --field-trial-handle=1292,i,14598095974659882509,9944368324458793878,131072 /prefetch:1
                    5⤵
                      PID:1612
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2136 --field-trial-handle=1292,i,14598095974659882509,9944368324458793878,131072 /prefetch:1
                      5⤵
                        PID:2568
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1292,i,14598095974659882509,9944368324458793878,131072 /prefetch:2
                        5⤵
                          PID:3252
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1776 --field-trial-handle=1292,i,14598095974659882509,9944368324458793878,131072 /prefetch:1
                          5⤵
                            PID:3524
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                          4⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2936
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                            5⤵
                            • Checks processor information in registry
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of WriteProcessMemory
                            PID:1616
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.0.1395587404\1875009969" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d91698d-7c34-4602-affb-8ef208cee2da} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 1296 178c7858 gpu
                              6⤵
                                PID:2040
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.1.1755785814\995929720" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4503d08-2094-4a28-be29-88e011fdf472} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 1508 166eb258 socket
                                6⤵
                                  PID:1212
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.2.1590127442\2123955675" -childID 1 -isForBrowser -prefsHandle 1644 -prefMapHandle 1088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e19a0a4-b9b5-4a48-98f3-3c7ed10af73c} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 2228 21cd6f58 tab
                                  6⤵
                                    PID:2012
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.3.190362892\354031151" -childID 2 -isForBrowser -prefsHandle 2792 -prefMapHandle 2788 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13e2a214-79db-456e-afeb-cc96c4cd99c3} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 2804 e62b58 tab
                                    6⤵
                                      PID:2104
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.4.1119320964\1684760170" -childID 3 -isForBrowser -prefsHandle 1132 -prefMapHandle 2712 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a47f60aa-fdf3-4bb3-949d-b5d7ad57c13c} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 1136 2641b358 tab
                                      6⤵
                                        PID:3464
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.5.783779344\973339891" -childID 4 -isForBrowser -prefsHandle 3332 -prefMapHandle 3084 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79789a84-179a-451e-be6f-2f0302bf26b0} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3744 20304758 tab
                                        6⤵
                                          PID:3512
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1616.6.1668344554\791802027" -childID 5 -isForBrowser -prefsHandle 3892 -prefMapHandle 3896 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 584 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44054fa3-3d7c-4889-8db8-e6e22f5c513d} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 3880 26eeec58 tab
                                          6⤵
                                            PID:3532
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:1392

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

                                    Filesize

                                    264KB

                                    MD5

                                    f50f89a0a91564d0b8a211f8921aa7de

                                    SHA1

                                    112403a17dd69d5b9018b8cede023cb3b54eab7d

                                    SHA256

                                    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                    SHA512

                                    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                    Filesize

                                    2KB

                                    MD5

                                    ce40fe4ba03b4b899ba8a9b11dd551e9

                                    SHA1

                                    7e83ce5dedf601c96d28a4703db65974e23bce6d

                                    SHA256

                                    77bf1999d87b9cda0831f05eafde95ee01ceae305c085cbb8d2352da7c5fccee

                                    SHA512

                                    4aae2b18f0308a76ceed17baba501e0bc30a6701d9413ab4d1ee581999c1b130f14a020bcb2d0356595df5365d44911173faf32e2d244c45cb1e4f98e7c1b68a

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    66220d15753f9e86c388f7b9ad627d39

                                    SHA1

                                    bb9f02fcece0bb259fce1dc7393a557cf83804ec

                                    SHA256

                                    ab6a1b45ccd43ddc67d88d6c82b2600f4df82e9b49ba896dac3bbd3033d87f15

                                    SHA512

                                    18dfd9d364de8cefff40da942b84edc63ed7ad89bfbd10d502481d47e0269f5bc0626c0ba42fae807e3083310d58f6250f38a7b7fd2143054ab83923c629301c

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    17bdf7a9baad903611f75818b9fe6669

                                    SHA1

                                    154c48eebf04ec5a0cbf0aa322a699c99467c331

                                    SHA256

                                    d77aa2bc7ccb13f1eb3b3644aa885cbbd897bc9bd80c52305178fba104bf4d6a

                                    SHA512

                                    e4b5028134ab6f679106454b090eb33b9f7a784216114d0bb1535f5bce1b16f7a97217e471e0fcd3e2117a5c4ce018dc6f3346feaad0a80cf951d22f1bb8ad90

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    18e723571b00fb1694a3bad6c78e4054

                                    SHA1

                                    afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                    SHA256

                                    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                    SHA512

                                    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

                                    Filesize

                                    27KB

                                    MD5

                                    4ef976698907b1251cde76c3c32b3d35

                                    SHA1

                                    115c294bbca76cc510323a597cb5aed650e50f81

                                    SHA256

                                    e854acfaae269d3954d261a2555d6bfee9eadaec865dbec2f23824dadb44b1a7

                                    SHA512

                                    999d70d2012df81685d12abdc58b6e6fb71fb09a3ddbd8ca6a9d3c8439999154c10a1671f55a37e76a5ab43c5cc014b2211cd9be9f14f63a36ff9eac0e4e59ac

                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

                                    Filesize

                                    26KB

                                    MD5

                                    ba6782858ddf7061cdf5cc89058508bf

                                    SHA1

                                    a8dffcad0b829eaffdfc35a3f1f5b7704564c117

                                    SHA256

                                    3d4428b3d9694b58f356592d9285e7cd5b554ef693676cfd2febbd645800a53e

                                    SHA512

                                    9137ed9549c7a16bc361d6b1587dfff0ba8cfbd1d34393dbb5212161a93b9c104d98791edaaa6a0f57bf7d5832ba1bccd5ef48ee8d84ef7ac5795bf3091a8fb6

                                  • C:\Users\Admin\AppData\Local\Temp\1000006001\17ffeecb0a.exe

                                    Filesize

                                    2.4MB

                                    MD5

                                    1353eeb92749ad19736c9e3d97959c2a

                                    SHA1

                                    0bfd65e336cb0a12b150e7212877cf9b5c466500

                                    SHA256

                                    7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803

                                    SHA512

                                    fb1a3757833a746e811d8ac5a7b3cd486596ba8e1a6ef47efa54f8fd0be71c2719a8d136750a8a551125504072be25ee5b798fa4f1317b5dc53864ba918e8ab7

                                  • C:\Users\Admin\AppData\Local\Temp\1000008021\9445e00051.cmd

                                    Filesize

                                    2KB

                                    MD5

                                    c1b73be75c9a5348a3e36e9ec2993f58

                                    SHA1

                                    84b8badeca9fa527ae6b79f3e5920e9fd0fbd906

                                    SHA256

                                    a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0

                                    SHA512

                                    fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

                                  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                    Filesize

                                    1.8MB

                                    MD5

                                    d5d3a63a0c127480a4f3c3acde73a130

                                    SHA1

                                    6386347bb05c432a70895ba02cfbaec68a9067f0

                                    SHA256

                                    10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7

                                    SHA512

                                    c7bd14f45005b1ff14a5cdf6b80777f97ee901445607e09da25c1bd4123c662f72ecd122578eccaca846b455fc04510cddc9f25fed6405d915cb04ea9a239180

                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                    Filesize

                                    442KB

                                    MD5

                                    85430baed3398695717b0263807cf97c

                                    SHA1

                                    fffbee923cea216f50fce5d54219a188a5100f41

                                    SHA256

                                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                    SHA512

                                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                    Filesize

                                    8.0MB

                                    MD5

                                    a01c5ecd6108350ae23d2cddf0e77c17

                                    SHA1

                                    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                    SHA256

                                    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                    SHA512

                                    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\cookies.sqlite-wal

                                    Filesize

                                    256KB

                                    MD5

                                    50a4028c54315b2576867f6110e66467

                                    SHA1

                                    2177c4cc849306350d412f4a91be3d3e0a3f3656

                                    SHA256

                                    b9141cb51f494263ad480553978f99a444d0a332ece081b9fdff072362664b5e

                                    SHA512

                                    bb645ad0f0d59fead87e4411d6323253fd45359a89545be0b4a545df368f7b250143260b824cf0ebaf2b5f79120a9f6dd56951ce1b8306f861bc44803bfcfb54

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\db\data.safe.bin

                                    Filesize

                                    2KB

                                    MD5

                                    1ffeeedf819e19d7efdf2268f2ecf36b

                                    SHA1

                                    bd0981be141a97871263433523f62893f6824bdb

                                    SHA256

                                    45068fee4f134957a5d636a6ae6807fe46d227294aefdadaa1fb3c03b04d4b6e

                                    SHA512

                                    5a6cbb44245053b26170f235b6e8f69f18decf4922cda3bbd80c9e3c639d22b916cda8f3eaea4b6a47bd2351a8e8d5373986e46aafeda88591c7f378fa385da5

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\375ab1f1-5c98-4adc-9b97-c711e2fa2d72

                                    Filesize

                                    12KB

                                    MD5

                                    f249e016b3b05b4c1f839dd42724a02b

                                    SHA1

                                    3d3da24af96d2d5ff4932856916d7789f9337bf4

                                    SHA256

                                    0ab6cf348277ebe5488c863268de8fc8951872d5cf9db8a10b227bad580874cc

                                    SHA512

                                    eec515893408c073a1bd537695bf558702cafe85d7fd19524ae125b785aa7215f1b57a0ce5fa2cf11d8b9dc51b9179886dae5376a9a93ed089dda7ad6671f677

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\aa2c869a-7ed4-4061-975e-a2d494a09dcc

                                    Filesize

                                    745B

                                    MD5

                                    3e9fa7cd2b72bddabc2e96ed1fbd9569

                                    SHA1

                                    495e8385d556306455e082ba653a03dc5f5c4551

                                    SHA256

                                    97d6f92b3467365149e8c4a48f06898e9432b5cddc9a8205f05e1c66deb13370

                                    SHA512

                                    e5f69d922da6e40a48ef9b12119d09e63587c0b9478956ab8e7918833b17187a64f663fa37a5626e05a08500957896c4befc7d307455846eac11b2cf04a243e4

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (997KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (116B)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt (479B)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json (372B)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll (11.8MB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib (1KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig (1KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\places.sqlite-wal (992KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js (7KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js (7KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js (6KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs.js (6KB)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4 (4KB)
• \??\pipe\crashpad_1684_ERRTPPISDEHVKIDC (no filesize recorded; empty-file hashes)
• \ProgramData\mozglue.dll (593KB)
• \ProgramData\nss3.dll (2.0MB)

• memory/1556-87-0x0000000061E00000-0x0000000061EF3000-memory.dmp (972KB)
• memory/1556-39-0x0000000001190000-0x0000000001D80000-memory.dmp (11.9MB)
• memory/1556-351-0x0000000001190000-0x0000000001D80000-memory.dmp (11.9MB)
• memory/1928-357-0x0000000000D20000-0x00000000011D8000-memory.dmp (4.7MB)
• memory/1928-362-0x0000000000D20000-0x00000000011D8000-memory.dmp (4.7MB)
• memory/1988-365-0x00000000012D0000-0x0000000001788000-memory.dmp (4.7MB)
• memory/1988-360-0x00000000012D0000-0x0000000001788000-memory.dmp (4.7MB)
• memory/2352-2-0x00000000010D1000-0x00000000010FF000-memory.dmp (184KB)
• memory/2352-5-0x00000000010D0000-0x0000000001588000-memory.dmp (4.7MB)
• memory/2352-15-0x00000000010D0000-0x0000000001588000-memory.dmp (4.7MB)
• memory/2352-3-0x00000000010D0000-0x0000000001588000-memory.dmp (4.7MB)
• memory/2352-0-0x00000000010D0000-0x0000000001588000-memory.dmp (4.7MB)
• memory/2352-1-0x00000000772E0000-0x00000000772E2000-memory.dmp (8KB)
• memory/3008-37-0x0000000006BB0000-0x00000000077A0000-memory.dmp (11.9MB)
• memory/3008-359-0x0000000006BB0000-0x00000000077A0000-memory.dmp (11.9MB)
• memory/3008-38-0x0000000006BB0000-0x00000000077A0000-memory.dmp (11.9MB)
• memory/3008-138-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-20-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-18-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-17-0x0000000000BC1000-0x0000000000BEF000-memory.dmp (184KB)
• memory/3008-16-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-384-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-363-0x0000000006BB0000-0x00000000077A0000-memory.dmp (11.9MB)
• memory/3008-482-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-394-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-491-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-492-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-502-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-346-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-517-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-518-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-519-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-520-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-521-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-527-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-528-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)
• memory/3008-343-0x0000000000BC0000-0x0000000001078000-memory.dmp (4.7MB)