Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-07-2024 00:26

General

  • Target

    9f501968d716e102a805e3a1a5f8ff158a4d2d2a10425e9d0be05addc3551ae4.exe

  • Size

    1.8MB

  • MD5

    b3e0273a69e380d4fa414d74a4a180d1

  • SHA1

    f1c9249dc9a83e63d85a8373ddbf3e0a0d0063b1

  • SHA256

    9f501968d716e102a805e3a1a5f8ff158a4d2d2a10425e9d0be05addc3551ae4

  • SHA512

    fb8c1311ad4ba3ea8fec6028c3b9046bffc50f0257fc4ffacf9c1f7ea3f4ae98db98718fe1eebd40292385b36634c921cfa8f54d5e724aa5425f72b0f44e2ecb

  • SSDEEP

    49152:9UltKu0OGGK3oq+g8he3lGHge3a9a/9Onay:9UYaU9x82GD/Ua

Malware Config

Extracted

  • Family

    amadey

  • Version

    4.30

  • Botnet

    4dd39d

  • C2

    http://77.91.77.82

  • Attributes

    • install_dir

      ad40971b6b

    • install_file

      explorti.exe

    • strings_key

      a434973ad22def7137dbb5e059b7081e

    • url_paths

      /Hun4Ko/index.php

    • rc4.plain

Extracted

  • Family

    stealc

  • Botnet

    hate

  • C2

    http://85.28.47.30

  • Attributes

    • url_path

      /920475a59bac849d.php
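
The extracted configuration is only useful once it is turned into something that can be matched. The following is an added example written for this report, not part of the sandbox output: it copies the C2, url_path and install values from the Malware Config section above, builds the full beacon URLs and the expected on-disk path of the Amadey copy, emits a Suricata rule per family, and runs the indicators over proxy log lines. The log lines are constructed for the demonstration, and the rule text (POST to host plus path) is an assumption about how to encode the indicator that should be checked against the real pcap before deployment.

```python
"""Indicators from the extracted Amadey / Stealc configs, applied to proxy logs.

Added example for this report; it is not part of the sandbox output. Config
values are copied from the "Malware Config" section, the proxy log lines are
constructed, and the Suricata rule text is an assumption to be tuned.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class ExtractedConfig:
    family: str
    c2: str                      # "scheme://host" exactly as reported
    url_paths: Tuple[str, ...]   # panel paths appended to the C2 origin
    install_dir: Optional[str] = None
    install_file: Optional[str] = None


# Values copied from the report's Malware Config section.
AMADEY = ExtractedConfig("amadey", "http://77.91.77.82", ("/Hun4Ko/index.php",),
                         install_dir="ad40971b6b", install_file="explorti.exe")
STEALC = ExtractedConfig("stealc", "http://85.28.47.30", ("/920475a59bac849d.php",))


def c2_urls(cfg: ExtractedConfig) -> List[str]:
    """Full beacon URLs: C2 origin joined with each configured path."""
    return [cfg.c2.rstrip("/") + p for p in cfg.url_paths]


def install_path(cfg: ExtractedConfig,
                 local_appdata: str = r"C:\Users\Admin\AppData\Local") -> Optional[str]:
    # The bot copies itself to %LOCALAPPDATA%\Temp\<install_dir>\<install_file>;
    # the process tree in this report shows exactly that path for explorti.exe.
    if not (cfg.install_dir and cfg.install_file):
        return None
    return local_appdata + "\\Temp\\" + cfg.install_dir + "\\" + cfg.install_file


def suricata_rule(cfg: ExtractedConfig, sid: int) -> str:
    """One rule per family: POST from inside to the C2 host with the panel path.
    Assumption: both families POST to their panel script (verify in the pcap)."""
    host = urlparse(cfg.c2).hostname
    return (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{cfg.family} C2 beacon"; '
            f'flow:established,to_server; http.method; content:"POST"; '
            f'http.host; content:"{host}"; http.uri; content:"{cfg.url_paths[0]}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


# Constructed Squid-style lines ("ts client method url status"); not from the report.
SAMPLE_PROXY_LOG = """\
1720484800.101 10.0.0.15 POST http://77.91.77.82/Hun4Ko/index.php 200
1720484801.502 10.0.0.15 GET http://77.91.77.82/Hun4Ko/payload.bin 200
1720484803.009 10.0.0.15 POST http://85.28.47.30/920475a59bac849d.php 200
1720484805.770 10.0.0.22 GET https://www.youtube.com/account 200
"""


def scan_proxy_log(log_text: str, configs: List[ExtractedConfig]) -> List[Tuple[int, str, str]]:
    """(line_no, family, kind): 'url' for an exact beacon URL, 'host' for any
    other request to a C2 host (e.g. a follow-on download, cf. "Downloads MZ/PE file")."""
    url_map = {u: c.family for c in configs for u in c2_urls(c)}
    host_map = {urlparse(c.c2).hostname: c.family for c in configs}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        host = urlparse(url).hostname
        if url in url_map:
            hits.append((n, url_map[url], "url"))
        elif host in host_map:
            hits.append((n, host_map[host], "host"))
    return hits


if __name__ == "__main__":
    for cfg, sid in ((AMADEY, 9000001), (STEALC, 9000002)):
        print(c2_urls(cfg), install_path(cfg))
        print(suricata_rule(cfg, sid))
    print(scan_proxy_log(SAMPLE_PROXY_LOG, [AMADEY, STEALC]))
```

The host-level match is deliberately kept separate from the exact-URL match: the second constructed line is a plain GET to the Amadey host, which is what a payload fetch (the "Downloads MZ/PE file" signature) would look like, and it should alert even though the path is not the configured panel script.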

Signatures

  • Amadey

    Amadey is a simple trojan bot primarily used for collecting reconnaissance information and loading additional payloads.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
  • Downloads MZ/PE file
  • Checks BIOS information in registry [2 TTPs, 12 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE [6 IoCs]
  • Identifies Wine through registry keys [2 TTPs, 6 IoCs]

    Wine is a compatibility layer capable of running Windows applications, and is sometimes used as a sandboxing environment.

  • Loads dropped DLL [2 IoCs]
  • Reads data files stored by FTP clients [2 TTPs]

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers [2 TTPs]

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
  • Checks installed software on the system [1 TTP]

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger [8 IoCs]
  • Drops file in Windows directory [1 IoC]
  • Enumerates physical storage devices [1 TTP]

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry [2 TTPs, 8 IoCs]

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry [2 TTPs, 6 IoCs]
  • Modifies registry class [1 IoC]
  • Suspicious behavior: EnumeratesProcesses [32 IoCs]
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [10 IoCs]
  • Suspicious use of AdjustPrivilegeToken [64 IoCs]
  • Suspicious use of FindShellTrayWindow [56 IoCs]
  • Suspicious use of SendNotifyMessage [27 IoCs]
  • Suspicious use of SetWindowsHookEx [3 IoCs]
  • Suspicious use of WriteProcessMemory [64 IoCs]
  • Uses Task Scheduler COM API [1 TTP]

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f501968d716e102a805e3a1a5f8ff158a4d2d2a10425e9d0be05addc3551ae4.exe
    "C:\Users\Admin\AppData\Local\Temp\9f501968d716e102a805e3a1a5f8ff158a4d2d2a10425e9d0be05addc3551ae4.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Users\Admin\AppData\Local\Temp\1000006001\74297e5a50.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\74297e5a50.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1804
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"
          4⤵
          PID:6696
          • C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe
            "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:6796
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBFIIEHJDB.exe"
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:6716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\37c38691ae.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3604
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0x80,0x118,0x7ffee4abab58,0x7ffee4abab68,0x7ffee4abab78
            5⤵
            PID:2192
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=2152,i,869740268043839450,13275832324904138625,131072 /prefetch:2
            5⤵
            PID:2320
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=2152,i,869740268043839450,13275832324904138625,131072 /prefetch:8
            5⤵
            PID:4252
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1900 --field-trial-handle=2152,i,869740268043839450,13275832324904138625,131072 /prefetch:8
            5⤵
            PID:3236
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=2152,i,869740268043839450,13275832324904138625,131072 /prefetch:1
            5⤵
            PID:460
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=2152,i,869740268043839450,13275832324904138625,131072 /prefetch:1
            5⤵
            PID:1672
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3840 --field-trial-handle=2152,i,869740268043839450,13275832324904138625,131072 /prefetch:1
            5⤵
            PID:6140
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=2152,i,869740268043839450,13275832324904138625,131072 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:6680
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:480
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffee4963cb8,0x7ffee4963cc8,0x7ffee4963cd8
            5⤵
            PID:2608
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
            5⤵
            PID:1668
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:984
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
            5⤵
            PID:1860
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
            5⤵
            PID:2456
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
            5⤵
            PID:2616
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
            5⤵
            PID:5712
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:6540
          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:6228
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
            5⤵
            PID:972
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
            5⤵
            PID:1452
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
            5⤵
            PID:6200
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
            5⤵
            PID:6208
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1734273612823079662,3459051241887458074,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3416 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:6504
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1088
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3860
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.0.1593018254\1259882721" -parentBuildID 20230214051806 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd7b2473-7381-4017-9718-d67923d1d8c0} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1840 2005230ce58 gpu
              6⤵
              PID:1884
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.1.2093856268\1556141479" -parentBuildID 20230214051806 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96c0d881-4f07-4b1a-9953-532b2147c86f} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2392 20045486058 socket
              6⤵
              PID:712
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.2.468732666\1252775574" -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 2836 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67b5d2cc-3f5e-4977-a9b2-2837379ba8f3} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2980 2005523c958 tab
              6⤵
              PID:3556
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.3.1145099946\385980162" -childID 2 -isForBrowser -prefsHandle 3452 -prefMapHandle 3448 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de833c5-214b-41d1-9721-ea74df6c8e95} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 3440 20045477858 tab
              6⤵
              PID:3464
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.4.2863083\1259667624" -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5220 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fb35a18-7c52-4790-86b3-d1894eb4f23b} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5232 20059eaea58 tab
              6⤵
              PID:5680
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.5.653034099\339859146" -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5252 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a40d80e2-a4ca-47ee-bdb3-cbfb758ec1e7} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5384 20059eaf358 tab
              6⤵
              PID:5696
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.6.2113700178\2010938057" -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d3b06b8-12df-431b-9d07-288d842810ea} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 5348 20059eaf958 tab
              6⤵
              PID:5704
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:728
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5288
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5604
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4272
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5832
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6880
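
The process tree above is the part of the report an analyst most often has to re-read: the sample drops explorti.exe, which runs a downloaded payload, which in turn launches further executables through cmd.exe /c start and opens three browsers on youtube.com/account from a batch file, while explorti.exe is re-launched at top level with no parent (consistent with the "Uses Task Scheduler COM API" signature). The following added example, written for this report and not part of the sandbox output, parses that text into a tree and answers those questions programmatically. It keys on the `N⤵` level markers instead of indentation, because the indentation in extracted reports drifts. The embedded excerpt is copied from the Processes section with most signature lines omitted.

```python
"""Parse a sandbox process tree (image, command line, level marker, signatures,
PID) into linked nodes and query it. Added example; not part of the report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt copied from the report's Processes section; most signature lines omitted.
EXCERPT = r"""
  • C:\Users\Admin\AppData\Local\Temp\9f501968d716e102a805e3a1a5f8ff158a4d2d2a10425e9d0be05addc3551ae4.exe
    "C:\Users\Admin\AppData\Local\Temp\9f501968d716e102a805e3a1a5f8ff158a4d2d2a10425e9d0be05addc3551ae4.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Executes dropped EXE
      PID:740
      • C:\Users\Admin\AppData\Local\Temp\1000006001\74297e5a50.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\74297e5a50.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1804
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"
          4⤵
          PID:6696
          • C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe
            "C:\Users\Admin\AppData\Local\Temp\AKFIDHDGIE.exe"
            5⤵
            • Executes dropped EXE
            PID:6796
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\37c38691ae.cmd" "
        3⤵
        PID:3788
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
          4⤵
          PID:3604
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Executes dropped EXE
    PID:4272
"""

PROC_RE = re.compile(r"^• ([A-Za-z]:\\.+)$")   # bullet followed by an image path
LEVEL_RE = re.compile(r"^(\d+)⤵$")             # nesting depth marker
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str
    cmdline: Optional[str] = None
    level: int = 0
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_tree(text: str) -> List[Proc]:
    """Each process is: image line, command line, N⤵, zero or more signature
    bullets, PID:n. Parents are resolved from a stack keyed on the level number."""
    procs: List[Proc] = []
    stack: List[Proc] = []
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROC_RE.match(line):
            cur = Proc(image=m.group(1))
            procs.append(cur)
        elif cur is None:
            continue
        elif m := LEVEL_RE.match(line):
            cur.level = int(m.group(1))
            while stack and stack[-1].level >= cur.level:
                stack.pop()
            cur.parent = stack[-1] if stack else None
            stack.append(cur)
        elif m := PID_RE.match(line):
            cur.pid = int(m.group(1))
        elif line.startswith("• "):
            cur.signatures.append(line[2:])
        elif cur.cmdline is None:
            cur.cmdline = line
    return procs


def lineage(p: Proc) -> List[str]:
    """Image basenames from the root of the tree down to p."""
    chain = []
    while p is not None:
        chain.append(p.name)
        p = p.parent
    return chain[::-1]


def dropped_exe_launches(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    """(parent pid, child pid, child name) where cmd.exe "/c start" ran an .exe
    out of a Temp directory: the launcher pattern seen in this report."""
    return [(p.parent.pid, p.pid, p.name) for p in procs
            if p.parent is not None and p.parent.name.lower() == "cmd.exe"
            and "/c start" in (p.parent.cmdline or "").lower()
            and "\\temp\\" in p.image.lower() and p.image.lower().endswith(".exe")]


def batch_launched_browsers(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    """Browsers whose parent is cmd.exe running a .cmd script (here 37c38691ae.cmd)."""
    browsers = {"chrome.exe", "msedge.exe", "firefox.exe"}
    return [(p.parent.pid, p.pid, p.name) for p in procs
            if p.parent is not None and p.parent.name.lower() == "cmd.exe"
            and ".cmd" in (p.parent.cmdline or "").lower() and p.name.lower() in browsers]


if __name__ == "__main__":
    tree = parse_tree(EXCERPT)
    for p in tree:
        print(p.pid, " > ".join(lineage(p)))
    print(dropped_exe_launches(tree), batch_launched_browsers(tree))
```

Run against the full Processes section rather than the excerpt, the same two queries return the second launcher (cmd.exe PID 6716 for CBFIIEHJDB.exe, which shows no child in the report) and all three browser launches under cmd.exe PID 3788; the three parentless explorti.exe entries (PIDs 4272, 5832, 6880) come out with `parent is None` and level 1, which is how a scheduled-task relaunch looks in this tree.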

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            240B

                                                            MD5

                                                            2055334bc4b26e8783c10c8b454ed671

                                                            SHA1

                                                            c58e030de138b4a8fc6874f5e703b03f81ecf7cb

                                                            SHA256

                                                            ebab9ad18770f1f1824989dff8952ed5ae91c0020812af840dd947418bcc580e

                                                            SHA512

                                                            29a6ff625eadb0ca5bc0f0ad519a9848e2f5db9722a7439b558d4a4257fe1378dd05d7edaac87d6d0befee5dbcbdd960e3b5de1bb57430963003a98804c3fac8

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            887640fe1044ec20918eac7ecac099f1

                                                            SHA1

                                                            a3c2f035fda6bf417b84e9fb37dca5923ebfe21a

                                                            SHA256

                                                            108fc83871359021de897fcbdbb7c3aee6d141511c39393c0a551f2eb151d1e6

                                                            SHA512

                                                            e4666d2d9b49d0cc1fde4f47cebfcc117b6b10086cf86bc5bf33ccf5def86c7f843b3965ce1b57ca8b5240a9fb5298c1cb31efe5a0dfc4a8f338bfa06cdced62

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                            Filesize

                                                            2B

                                                            MD5

                                                            d751713988987e9331980363e24189ce

                                                            SHA1

                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                            SHA256

                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                            SHA512

                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                            Filesize

                                                            524B

                                                            MD5

                                                            3c6d6f3c611bb6d360010f93d6d4bd66

                                                            SHA1

                                                            1aed76cabdd0df35b7158373d1bf8c82e454a964

                                                            SHA256

                                                            c10d707641390fbecf2f3f124d99eadc6ac1916c7ed7ce611bcf554fd3dbd88d

                                                            SHA512

                                                            cb780f0107bdab93688bb86b364dfe23e7794b05ae6f80f3e78150d18d89c99ef4de0053ec2429e5a61aa998f3f40b4915c25441095400edaef72473c058944f

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                            Filesize

                                                            7KB

                                                            MD5

                                                            0d70d729c7790cad38a04947fc75fba1

                                                            SHA1

                                                            611614c0639db24e1285a7080b2889a8be2a5f2a

                                                            SHA256

                                                            8eac6038bbc8d66b2eee2cadcad9936255a4a2edd76a16296005e13acf8588ae

                                                            SHA512

                                                            3ec0cf2a578e04f3ab4adf0b7ba0a806f3c46a2e262cbc9900c5211a5f2807c6a0a42be133a0f98d637cb325bc51fa8e2e378130db03bce676b9af4a18e8d187

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                            Filesize

                                                            144KB

                                                            MD5

                                                            07d21f6c4b4f0b007d3ef31df453e2c8

                                                            SHA1

                                                            0b92edff397a4e846f8f83720431bf48aa43b06f

                                                            SHA256

                                                            da596251d2a9381b3332d981c18c6c1974012389b4fe4050d592c5f7a5becd9e

                                                            SHA512

                                                            0251981d3daca48da11ead122171d18187b4e87b0c3d628e807b9ab6731e9881d16902df5600a56643636892675377cac6d7368c16f826de3a237d57475edb4b

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            6c1de55e8af0859bea07b6af77782896

                                                            SHA1

                                                            d5efde7bcf31d692d697ebbc54ccd13fb3624856

                                                            SHA256

                                                            130afd8eb97d11640a28231e9314983eee9eff75964c93abd71e84e6412f710f

                                                            SHA512

                                                            9664d41b0b1767ddc4012318fca427edf9606c525f868a5ba98e5987bf5e71e4710dd19a0ed7223c706588b5803f3b118ee949c51d6fd99696049befff5fd510

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            0176e968a02096540e4a096219a8fe34

                                                            SHA1

                                                            cd301ea619d7c92daf64446caea1f1293da48373

                                                            SHA256

                                                            f9319c68cc75bc8e334037d946cc89ad65605606c1bfd12a2fe2ebd711b14067

                                                            SHA512

                                                            b6aba8640823d43f8968ff31a2e5a48b6f6def43ea6f83cef801294ea1ca9eb1fa16cec516893485b650d7b4407e34536b380712fb72bc9da581cc2e1e0ae2d8

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

                                                            Filesize

                                                            67KB

                                                            MD5

                                                            51c3c3d00a4a5a9d730c04c615f2639b

                                                            SHA1

                                                            3b92cce727fc1fb03e982eb611935218c821948f

                                                            SHA256

                                                            cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f

                                                            SHA512

                                                            7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

                                                            Filesize

                                                            36KB

                                                            MD5

                                                            103d7813f0ccc7445b4b9a4b34fc74bf

                                                            SHA1

                                                            ed862e8ebd885acde6115c340e59e50e74e3633b

                                                            SHA256

                                                            0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b

                                                            SHA512

                                                            0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            240B

                                                            MD5

                                                            3ea0d5ba771d5dd0d6e8ac96637f8b95

                                                            SHA1

                                                            cafa36322e45ec4a2b44a39f21fcca717434025e

                                                            SHA256

                                                            8e285c8e0f068b521f253fe5e1e22faa6ac0308ae00d3ad02bb670e3123bd190

                                                            SHA512

                                                            1e5c8f3de459f5852d9718b430df7b456f35a8c917f76cd319941fd9ea049cf66664fa9951faff629b5bb91a9480b62f807b169888dd81e1d3e1f7f0d616198b

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            5d04300f959d05c9afcfd1cee646ad6a

                                                            SHA1

                                                            1b99ddaef66a005033d476dbd8a7a7bb28d48b41

                                                            SHA256

                                                            b8badd2e642eefa3f23ab41503548b68a9b5ef7cb2e0d679ad499555ff391e89

                                                            SHA512

                                                            c1c93ab0812c024ddd0e6d47e93dd0883cf7487037d85cf1022ba06cb14b580bd5bddb84d84db3ddd4688108f0ba3d8fa4f4d22cf8b4cfe48d0b131047459c50

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                            MD5

                                                            f91b83fc0803427a040d39c831194779

                                                            SHA1

                                                            9ca1c3a4c8493107a1ceb9bfec6edd9d0d87746d

                                                            SHA256

                                                            8aad3b6b77da7bb6436cbada44d51a5334b95437ce5c717e903c3ca1dc16e604

                                                            SHA512

                                                            79bef34b0f14dc7a35829f84ac389027233e6844ed941e74fb45c530bb30dc550bd1dce6ea248568ff5dc8243ce10ab2d86fc45e011fc1cabcf47eb618c4ec7f

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            b24c67706ec320609fe48d8c5647e797

                                                            SHA1

                                                            2d295277d02ef108ce9ff7a90610f8d78a214b9c

                                                            SHA256

                                                            2b70699e1518ae366c79c7ac44a1129abb53290294e05eacad5192dd824db271

                                                            SHA512

                                                            6188fab66d1419d311a7c1e1a9e2263c8234978cccc589599efd4482750a91be55d0e9a768f7c16c2a551544c69303f6815a07aae0f1529145474726467d0a38

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                            MD5

                                                            46295cac801e5d4857d09837238a6394

                                                            SHA1

                                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                            SHA256

                                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                            SHA512

                                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                            MD5

                                                            206702161f94c5cd39fadd03f4014d98

                                                            SHA1

                                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                            SHA256

                                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                            SHA512

                                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            11KB

                                                            MD5

                                                            de038cddce94b2acd5c7568710cb412d

                                                            SHA1

                                                            4472696e1efa40fd5decb55bd68ec2a8e2414040

                                                            SHA256

                                                            57459e4c64cfabd97038af256befc318dd149e1bbb03837b3291b9c27aee6858

                                                            SHA512

                                                            eb9f141e45a86ac6fc8050776121db1bc5e8cea355bcc5143678195a8ad9eebb52d0c3d40b5b80088a32f8c59da68dcac8b114e3c9f678873f44feb34c1bc513

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            11KB

                                                            MD5

                                                            74ce1f5a86ba48697c8ca481fc852c2e

                                                            SHA1

                                                            74766af1e375526d9b4bf17913a217ef79384222

                                                            SHA256

                                                            eb46aaaeae38a5a889377e070580fa3fdfc7d53339bdd7476851cec5694f6349

                                                            SHA512

                                                            d619e1b0dbd300089b35ffe75ea5ca502295ae834c97e50348de9c39f6892ef4ac85e55b356844bd2921405b5457437a6900137cd7166ea0f67062e9c5e03972

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\activity-stream.discovery_stream.json.tmp

                                                            Filesize

                                                            22KB

                                                            MD5

                                                            bc9ac2d748a983b0149ef2833f3bbef9

                                                            SHA1

                                                            185f638880e3947629f568891499cfb385835185

                                                            SHA256

                                                            29262465b8506610ae46cb6d2f0116fa40102748c48a0641ba79da4360109608

                                                            SHA512

                                                            2e81facda798c6d11536b283168304e8b0e63d9065616bfa34a73e7210fb775a2799dc7c2b6a85413ff22d65f22461ea33c6972955c720dc121bb5da7f0cf3d4

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                            Filesize

                                                            13KB

                                                            MD5

                                                            7f9f2171b1534ec5e414668bb42d5183

                                                            SHA1

                                                            23bab44b7aaf876343fcdc18f89e7ebee1dd5842

                                                            SHA256

                                                            ca02fd26e4cc06ee20ffa142f369c6784d2583e1dfbc0d56d543352855cc52e5

                                                            SHA512

                                                            46fdb5e168e22c60b862adea3330b96746e20f35a6f1bef94e5dfedcc1c5ebbba50fc98b20c69d3013f2a3f3e97356fdc392f5f16a68ab0bd4396cc1fb5cee8f

                                                          • C:\Users\Admin\AppData\Local\Temp\1000006001\74297e5a50.exe

                                                            Filesize

                                                            2.4MB

                                                            MD5

                                                            e6a54ac6b35b2def5a7d9b9699388f26

                                                            SHA1

                                                            5f8a57b2e8902523bbafc50434f3692fe1d92b74

                                                            SHA256

                                                            25d515f52e58c10727895f1ee1a269998e37d3b4308e6ac6f1419186c30290a9

                                                            SHA512

                                                            8cdfb2da836614148507585645613432f7dd802ac8c80b89a4b302c9dfbbc9a96decd4a2df6468843ccfebd479968058d7f184e67026cf6b1d8dd474634c87c4

                                                          • C:\Users\Admin\AppData\Local\Temp\1000008021\37c38691ae.cmd

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            c1b73be75c9a5348a3e36e9ec2993f58

                                                            SHA1

                                                            84b8badeca9fa527ae6b79f3e5920e9fd0fbd906

                                                            SHA256

                                                            a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0

                                                            SHA512

                                                            fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            b3e0273a69e380d4fa414d74a4a180d1

                                                            SHA1

                                                            f1c9249dc9a83e63d85a8373ddbf3e0a0d0063b1

                                                            SHA256

                                                            9f501968d716e102a805e3a1a5f8ff158a4d2d2a10425e9d0be05addc3551ae4

                                                            SHA512

                                                            fb8c1311ad4ba3ea8fec6028c3b9046bffc50f0257fc4ffacf9c1f7ea3f4ae98db98718fe1eebd40292385b36634c921cfa8f54d5e724aa5425f72b0f44e2ecb

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                            Filesize

                                                            442KB

                                                            MD5

                                                            85430baed3398695717b0263807cf97c

                                                            SHA1

                                                            fffbee923cea216f50fce5d54219a188a5100f41

                                                            SHA256

                                                            a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                            SHA512

                                                            06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                            Filesize

                                                            8.0MB

                                                            MD5

                                                            a01c5ecd6108350ae23d2cddf0e77c17

                                                            SHA1

                                                            c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                            SHA256

                                                            345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                            SHA512

                                                            b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\cookies.sqlite-wal

                                                            Filesize

                                                            256KB

                                                            MD5

                                                            af0b0013045bf8c3be586c48c6633448

                                                            SHA1

                                                            b3ac1b8d5eaadbb180162edd11d3820608c3516d

                                                            SHA256

                                                            b58c1eaea89b44c2e65d1df51088bcce6f015f21912423cce625bd6446a6be55

                                                            SHA512

                                                            ae93afb3f22c484a334980ffec3b3b86e788d93e5fec17a5ba69601f150fb70be15fc12cbfcc1f08ad45b1a0ac9b2c4d621a9bc3f6c51eb29b66281c89d02bbc

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                            Filesize

                                                            997KB

                                                            MD5

                                                            fe3355639648c417e8307c6d051e3e37

                                                            SHA1

                                                            f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                            SHA256

                                                            1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                            SHA512

                                                            8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\places.sqlite-wal
  Filesize: 992KB
  MD5: 64e8aad23573291e5366d67dbf1bff0a
  SHA1: 0bf516b4fef645e5af29625d3ee2b81d4ed5283b
  SHA256: e23433a0a2ca8ae1b61a71b9a0d01dda5559da9738c9ade03573f941b75ae750
  SHA512: 29ed06767c42301703997e3f63c0509ec5169d0462724df42b85fdad168fac4701960d742d8b4a823c4d35983e753e476017e945d746cecbce246502fd43e17a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\prefs-1.js
  Filesize: 7KB
  MD5: fe2908a9e3f4103559d1bb0949cf1700
  SHA1: 5a6d3995832572d97c7af5417679df908f2cef1f
  SHA256: f82cab62b90854e3f43c30d81fad04c49955a1b30fa61c7a2fa39db87e855179
  SHA512: 66121e3efb5a58b21b327ca009cb6ab18fc4d7d4973a2b7e4d3a7a30e184789a87339dc4c1669debe6602f26b35c65d400eae1c48ca740e15750384a48d574fe

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\prefs-1.js
  Filesize: 6KB
  MD5: 02b91edd412e83aa078ae308d2e6bc9e
  SHA1: cc29dc4bd1d6f1ce7abc73d82be2764c92254411
  SHA256: 6d928bf2729e8a292d6c5456c4581bf833416d86b4d7653afc310041422ef578
  SHA512: 3bce558bab8b75a5dd1daf58849abc2a19362b6159df10f498aaacfc4cbe175a9e31858a20b66bc6ce4e818d2ce8c42b2d59a162a469938c1bedb3d5235c516e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\prefs.js
  Filesize: 6KB
  MD5: af5e6b5a69f5b66bc09c151f077a4627
  SHA1: a9c3618c876bb6c1de4bfe83f55791e23884ff74
  SHA256: f319fc0467d3385aae1eeb8e081ad76ca519f6bcb6e6e983b22a79568b389470
  SHA512: 386f1faba2d97f73a92c8480b1c47538210d3385cddf8d8fe9463b48825c7f194b27fc311f39eee6204ad89c7bb38dfe32b8cea8ae111ca3f3dac589a0b7f566

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 77c86085679816f49f8e69ddad4948cb
  SHA1: da51d899fe267807aa3c1797f89416ecfdb4bbd8
  SHA256: 2e4ff2bb93bcc4a1489cc76485ee2154cb636c7e048a36a4169abc0865a54086
  SHA512: 19dc91f69cc7bfcf6e0adc03b130a4616369bb27920fe5d5d45370774aa8ab4bf2c8435b933f8286e0b45e538950550e7f146ea38ea29ffc7a24ba2469ed07ac

• \??\pipe\LOCAL\crashpad_480_ESNIBAPDAQJUJLXF
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/572-2-0x00000000005A1000-0x00000000005CF000-memory.dmp
  Filesize: 184KB

• memory/572-3-0x00000000005A0000-0x0000000000A5E000-memory.dmp
  Filesize: 4.7MB

• memory/572-0-0x00000000005A0000-0x0000000000A5E000-memory.dmp
  Filesize: 4.7MB

• memory/572-1-0x0000000077AA6000-0x0000000077AA8000-memory.dmp
  Filesize: 8KB

• memory/572-4-0x00000000005A0000-0x0000000000A5E000-memory.dmp
  Filesize: 4.7MB

• memory/572-17-0x00000000005A0000-0x0000000000A5E000-memory.dmp
  Filesize: 4.7MB

• memory/740-19-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2530-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-415-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-396-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-385-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2554-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-384-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-21-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-20-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2546-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-18-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-378-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-243-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2533-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2532-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2531-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-640-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2438-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2461-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2487-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/740-2529-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/1804-313-0x00000000007A0000-0x000000000139D000-memory.dmp
  Filesize: 12.0MB

• memory/1804-317-0x00000000007A0000-0x000000000139D000-memory.dmp
  Filesize: 12.0MB

• memory/1804-148-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize: 972KB

• memory/1804-37-0x00000000007A0000-0x000000000139D000-memory.dmp
  Filesize: 12.0MB

• memory/4272-281-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/4272-249-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/5832-2491-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/5832-2489-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/6796-352-0x00000000008A0000-0x0000000000D5E000-memory.dmp
  Filesize: 4.7MB

• memory/6796-321-0x00000000008A0000-0x0000000000D5E000-memory.dmp
  Filesize: 4.7MB

• memory/6880-2550-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB

• memory/6880-2552-0x0000000000470000-0x000000000092E000-memory.dmp
  Filesize: 4.7MB