Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-07-2024 06:50

General

  • Target

    8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578.exe

  • Size

    1.8MB

  • MD5

    845e518c85f1b978cd46242946ba6d4d

  • SHA1

    2c9134231db03c35b788ac7b454b4cdf5698db22

  • SHA256

    8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578

  • SHA512

    b5c2a52db82c0467eff9f58406a62926b8a91a332853fb7774054eabba3e02adcc18dbdd2151cb6bdaba160cd74a9adea82b0add80da0dd164324b3d552bdaa0

  • SSDEEP

    49152:Pw1q2E1STbYe+DEJWWf2xdd5cf+I5CflYngG1i4GFf3uO:ItE1Re+4J+xd32/C2jau

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

  • rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]
  • Downloads MZ/PE file
  • Checks BIOS information in registry [2 TTPs, 12 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings [2 TTPs, 4 IoCs]

    Looks up the country code configured in the registry, likely as a geofence.

  • Executes dropped EXE [6 IoCs]
  • Identifies Wine through registry keys [2 TTPs, 6 IoCs]

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL [2 IoCs]
  • Reads data files stored by FTP clients [2 TTPs]

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers [2 TTPs]

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
  • Checks installed software on the system [1 TTP]

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger [9 IoCs]
  • Drops file in Windows directory [1 IoC]
  • Enumerates physical storage devices [1 TTP]

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry [2 TTPs, 8 IoCs]

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry [2 TTPs, 3 IoCs]
  • Modifies registry class [1 IoC]
  • Suspicious behavior: EnumeratesProcesses [64 IoCs]
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [3 IoCs]
  • Suspicious use of AdjustPrivilegeToken [64 IoCs]
  • Suspicious use of FindShellTrayWindow [31 IoCs]
  • Suspicious use of SendNotifyMessage [27 IoCs]
  • Suspicious use of SetWindowsHookEx [3 IoCs]
  • Suspicious use of WriteProcessMemory [64 IoCs]
  • Uses Task Scheduler COM API [1 TTP]

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578.exe
    "C:\Users\Admin\AppData\Local\Temp\8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Users\Admin\AppData\Local\Temp\1000006001\9106aab8da.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\9106aab8da.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1776
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IECBGIDAEH.exe"
          4⤵
          PID:6704
          • C:\Users\Admin\AppData\Local\Temp\IECBGIDAEH.exe
            "C:\Users\Admin\AppData\Local\Temp\IECBGIDAEH.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:6800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBAKFCBFHJ.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of SetWindowsHookEx
          PID:6740
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\517fe44856.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3640
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffce173ab58,0x7ffce173ab68,0x7ffce173ab78
            5⤵
            PID:2684
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=2016,i,6770430919215852677,3338294853254777143,131072 /prefetch:2
            5⤵
            PID:1104
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=2016,i,6770430919215852677,3338294853254777143,131072 /prefetch:8
            5⤵
            PID:4220
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1992 --field-trial-handle=2016,i,6770430919215852677,3338294853254777143,131072 /prefetch:8
            5⤵
            PID:2076
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=2016,i,6770430919215852677,3338294853254777143,131072 /prefetch:1
            5⤵
            PID:3676
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=2016,i,6770430919215852677,3338294853254777143,131072 /prefetch:1
            5⤵
            PID:1212
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3848 --field-trial-handle=2016,i,6770430919215852677,3338294853254777143,131072 /prefetch:1
            5⤵
            PID:5700
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=996 --field-trial-handle=2016,i,6770430919215852677,3338294853254777143,131072 /prefetch:2
            5⤵
            PID:6916
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
          4⤵
          PID:2632
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:372
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3672
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.0.1168354147\1458042150" -parentBuildID 20230214051806 -prefsHandle 1636 -prefMapHandle 1628 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32594433-74ed-4af3-b5f0-297cfa87dfe5} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 1808 1dddc70c458 gpu
              6⤵
              PID:4364
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.1.1210545505\934806835" -parentBuildID 20230214051806 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {956ddea4-7cdc-49d8-9933-3038d52f0508} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 2444 1ddcfa84a58 socket
              6⤵
              PID:4588
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.2.930026942\47611725" -childID 1 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 1124 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b78fbc12-0111-499a-8e32-b08375cd7a50} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 3496 1dddf76f358 tab
              6⤵
              PID:5600
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.3.732617766\116469398" -childID 2 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1124 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28680134-0ad7-465e-99cf-77471b84edef} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 3636 1ddcfa76858 tab
              6⤵
              PID:5980
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.4.1646673797\862419573" -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 4744 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1124 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10385641-6cdf-43eb-92d5-cc940a111189} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 4676 1dde21d5558 tab
              6⤵
              PID:5932
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.5.1130762951\673869027" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4804 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1124 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbc13ec4-c72f-49ae-a471-32c8753a40d0} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 4948 1dde21d5858 tab
              6⤵
              PID:5964
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3672.6.169508317\2071166820" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5164 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1124 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b3f701c-5d50-4d29-8ea3-426ac52af23a} 3672 "\\.\pipe\gecko-crash-server-pipe.3672" 5060 1dde21d5b58 tab
              6⤵
              PID:5956
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3988,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
    1⤵
    PID:4968
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4992,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:1
    1⤵
    PID:3564
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5020,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:1
    1⤵
    PID:1616
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5396,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:1
    1⤵
    PID:2228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5544,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
    1⤵
    PID:2936
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6024,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:8
    1⤵
    PID:3928
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6164,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:1
    1⤵
    PID:320
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1156
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5288
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3532,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:3
    1⤵
    PID:4980
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5704,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:8
    1⤵
    PID:372
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:6204
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3928,i,15168044379859864039,3380316340477469860,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:8
    1⤵
    PID:1120
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:6428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\mozglue.dll
    Filesize: 593KB
    MD5: c8fd9be83bc728cc04beffafc2907fe9
    SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
    SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
    SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll
    Filesize: 2.0MB
    MD5: 1cc453cdf74f31e4d913ff9c10acdde2
    SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
    SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
    SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 240B
    MD5: 4dbda53fdd944b63300bb78b654f2be2
    SHA1: 602b721435178f057b32671baae46255f1c6a774
    SHA256: bdb132261c275f8b712b30da66188a7dd9cf5b3d8ccda7bf5d999632654907ee
    SHA512: 96fec77aac25f765b75fcdf15eb1c8f4487fcf259cfad6586c9f72d8a06f6b4aa21868858ef34b1c7015d89f49eda60bb7c148cc2acb9335a4e18630f09edfea

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: 048b48fbe8ad296dce420780a01efb0f
    SHA1: 0cd10887c5b8065f3c99498c54c8ca517d83aec0
    SHA256: 8251e9873077d1d207d7acaa4e81aa6809b3fd9a9ecbf916aef4462fbd1c6c2d
    SHA512: dc8d35072dc7ac399d8293ac100c24a3e5b4b39de378d34523e228bac6f95f758d149c92d26bf10db06def6ea0b890d065f9e1b388110cf184e22c69d471615a

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 522B
    MD5: 00319c6273ec1ef8f6f8550b8cc52783
    SHA1: 77ee7f2ac32abf5a309196315d6aac3ecfb5fd0c
    SHA256: e25bb48703c51a348876d175e72223e0e4f23642a8723ad4fa2f792b1cc7200a
    SHA512: 6874eba4bedec6d480d376df175617296b067e3cf77c10155aaa0c0b4ad236dcedf2d21ffe4e79b911585fc2977d42bbdbd325ed1f096d7c4b57bb12365adb84

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 7KB
    MD5: 73d233d0586b252c24b229eb27dc9ea2
    SHA1: 5111d651de76edc0691f20255ec51761e3b08fb0
    SHA256: 7ed30779c0f010310a61d2d3280737ca06fdd0e26fc76ba400e79e7052fe850d
    SHA512: d5a2446f63e5e90447e0ae4cabbdae4995a19e128e8e4caf5317b75fab57704a1a6368fc9772c5da5c7c6e1cd75e5dab880692dc95bc94fc08fe19bce2e7b11a

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                            Filesize

                                                            144KB

                                                            MD5

                                                            5a7973696df623f3646397cc30b1ed40

                                                            SHA1

                                                            f04d3ff7e9c047ed1ecba3cdc01d26e022a172e2

                                                            SHA256

                                                            efef0bf33c7cc4e1993d6a7e733a55928c57c400b94c9cb752c4f3d13035c0ee

                                                            SHA512

                                                            1cccf4a5b06fe4a36fc686bc9642bbb23a7be9aae3ae7c60dac3606877ab4ca016579f7a04142cc70ae25fa648301a53b4e37d66f2892fdaa86e9ad0e8a47b65

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            24bb3d5b8049453de981df9d253cb2d9

                                                            SHA1

                                                            5b067eb5b60b69d055680244eb7e1ba710fe8013

                                                            SHA256

                                                            d0f71056b2922cb02c08fcf9f07e95028827f5a627adf836d854fcbd3e05c272

                                                            SHA512

                                                            c79a1695848a03730e3f6c61ce77440c2e085be64c18bd88fe5a52038b9a24f302311c0283e748a15949b42d332e3aed61f1ce0a22e89d3109b6a7c3ad8b9534

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

                                                            Filesize

                                                            40B

                                                            MD5

                                                            20d4b8fa017a12a108c87f540836e250

                                                            SHA1

                                                            1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                                            SHA256

                                                            6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                                            SHA512

                                                            507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bgt81dxj.default-release\activity-stream.discovery_stream.json.tmp

                                                            Filesize

                                                            25KB

                                                            MD5

                                                            ab3f0aafd99efa1a388f73fca1be3bcf

                                                            SHA1

                                                            1f26f3b61819ec0d03a5f199121cc183e8715d54

                                                            SHA256

                                                            bb6527a5f9d1da4e36afc0a24e86b7162206a6d11d576fb03f5462d4f7ff291a

                                                            SHA512

                                                            7df40089da548a646cbe6fe7d7129e7a98784aff5c7adf1766afc31a01df6aae738bc2194d111edfa4aa72eafb991e50c653723d13d5c3411ef36a3500352efb

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bgt81dxj.default-release\activity-stream.discovery_stream.json.tmp

                                                            Filesize

                                                            26KB

                                                            MD5

                                                            57fccd6d757ca8a6cbe10aa4a14fc262

                                                            SHA1

                                                            6c61a3fb25a2da920d3ebbf017de843f8e5e7d83

                                                            SHA256

                                                            f944fa54e1d6d9e6d18d520000bbbea26d7ed7ca92b672584517983821f7a828

                                                            SHA512

                                                            75991ed1d75bd5ccf68fa1e81b4920c323edddb2a21afecf61beed9bf9b740fa6aab6f98fd0a9e6381fc7b0e9cccea6a6bb9709daef07bc210eb201e1c7da795

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bgt81dxj.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                            Filesize

                                                            13KB

                                                            MD5

                                                            2aa131d94ebf175461dfb6d2f4e342eb

                                                            SHA1

                                                            8013b78e7528e54ca261702139515121946d71c4

                                                            SHA256

                                                            5df98f40dc48bad9fe6b6fa06c0e246b1243453bc817116dff3c22db4b9912d2

                                                            SHA512

                                                            518785587cff2f5e7227f6a706aee25088eac3dc455e9275787709df1ba5d40ccfde44e84fcf8a3e049e7358c3232702ae59ecdbfe4adddc20082250b16188c5

                                                          • C:\Users\Admin\AppData\Local\Temp\1000006001\9106aab8da.exe

                                                            Filesize

                                                            2.4MB

                                                            MD5

                                                            510ef6656d676509abf2ff0e28ecda55

                                                            SHA1

                                                            0f61ea4fff3a4160ee5eadbec3ee35506c98b10f

                                                            SHA256

                                                            42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215

                                                            SHA512

                                                            08870978ef501a7dfe0a1f0042a5373ce70f50308f6929d1940434a27fdc61ec230ac0df4d80299ab82ec05ef6263a3bc40ebf82b17d32074f5ca6000764ba0a

                                                          • C:\Users\Admin\AppData\Local\Temp\1000008021\517fe44856.cmd

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            c1b73be75c9a5348a3e36e9ec2993f58

                                                            SHA1

                                                            84b8badeca9fa527ae6b79f3e5920e9fd0fbd906

                                                            SHA256

                                                            a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0

                                                            SHA512

                                                            fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            845e518c85f1b978cd46242946ba6d4d

                                                            SHA1

                                                            2c9134231db03c35b788ac7b454b4cdf5698db22

                                                            SHA256

                                                            8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578

                                                            SHA512

                                                            b5c2a52db82c0467eff9f58406a62926b8a91a332853fb7774054eabba3e02adcc18dbdd2151cb6bdaba160cd74a9adea82b0add80da0dd164324b3d552bdaa0

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                            Filesize

                                                            442KB

                                                            MD5

                                                            85430baed3398695717b0263807cf97c

                                                            SHA1

                                                            fffbee923cea216f50fce5d54219a188a5100f41

                                                            SHA256

                                                            a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                            SHA512

                                                            06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                            Filesize

                                                            8.0MB

                                                            MD5

                                                            a01c5ecd6108350ae23d2cddf0e77c17

                                                            SHA1

                                                            c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                            SHA256

                                                            345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                            SHA512

                                                            b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\cookies.sqlite-wal

                                                            Filesize

                                                            192KB

                                                            MD5

                                                            597c19a8a733bd68f3c4aad6e2912881

                                                            SHA1

                                                            a272644926a528e80044a1c3ea3b969c79a5666d

                                                            SHA256

                                                            a6d6681ad9d1f0d7d2e2f6fc363b630a71cb23b12a09bd033a9296c135b7f1b6

                                                            SHA512

                                                            2da75f6a35d6c80f02d20b9b5ad30d5242445979c59043ece17909a43b4a7e8fca063c45c519cec55d1bb180294ba4ffd6c43125986c070347dc9a723f5f0bc4

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                            Filesize

                                                            997KB

                                                            MD5

                                                            fe3355639648c417e8307c6d051e3e37

                                                            SHA1

                                                            f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                            SHA256

                                                            1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                            SHA512

                                                            8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                            Filesize

                                                            116B

                                                            MD5

                                                            3d33cdc0b3d281e67dd52e14435dd04f

                                                            SHA1

                                                            4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                            SHA256

                                                            f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                            SHA512

                                                            a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                            Filesize

                                                            479B

                                                            MD5

                                                            49ddb419d96dceb9069018535fb2e2fc

                                                            SHA1

                                                            62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                            SHA256

                                                            2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                            SHA512

                                                            48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                            Filesize

                                                            372B

                                                            MD5

                                                            8be33af717bb1b67fbd61c3f4b807e9e

                                                            SHA1

                                                            7cf17656d174d951957ff36810e874a134dd49e0

                                                            SHA256

                                                            e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                            SHA512

                                                            6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                            Filesize

                                                            11.8MB

                                                            MD5

                                                            33bf7b0439480effb9fb212efce87b13

                                                            SHA1

                                                            cee50f2745edc6dc291887b6075ca64d716f495a

                                                            SHA256

                                                            8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                            SHA512

                                                            d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            688bed3676d2104e7f17ae1cd2c59404

                                                            SHA1

                                                            952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                            SHA256

                                                            33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                            SHA512

                                                            7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            937326fead5fd401f6cca9118bd9ade9

                                                            SHA1

                                                            4526a57d4ae14ed29b37632c72aef3c408189d91

                                                            SHA256

                                                            68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                            SHA512

                                                            b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\places.sqlite-wal

                                                            Filesize

                                                            992KB

                                                            MD5

                                                            919c83d95452fe56863a0d1964aa2b0b

                                                            SHA1

                                                            e08bb5274a0038bd845f8b03d84491331074aae0

                                                            SHA256

                                                            368880d38acae8a57020e118f68851ceb8c66192c3b6d428338a6061be7a7e74

                                                            SHA512

                                                            9e336d778180a378654e6c170cc48661d882ddfda71c4de7d6eeccb3f60da0e5ad9c42b0a4f3ec4320afc9e5124f597013d291bafe19e3534624498c7221eb99

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\prefs-1.js

                                                            Filesize

                                                            8KB

                                                            MD5

                                                            a86bd57ae26f1b4f0693adf33a67b7e7

                                                            SHA1

                                                            f9fc3045c1a18857acbb6935726df331dc3b6e83

                                                            SHA256

                                                            b4110fe74e0e521e554789a5a8047c4705425d8e2f6418a08b4528adfe006d9c

                                                            SHA512

                                                            a25ab6fe4788bb9c43f8f8557b3ab04fca928a604b1018b42f0f9b6dae66af947b1c90e4e8cd2cff91197727146828ad0d983936eb4438bb14b0f578a07fd08a

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\prefs-1.js

                                                            Filesize

                                                            10KB

                                                            MD5

                                                            a474bbce945fb10de79375460afa92dc

                                                            SHA1

                                                            2e274fefeb852045e1771343f43ab9019c051085

                                                            SHA256

                                                            7fd4e9318fdd269d841b23e76b3e678e7b62980d65b001beb52ef6632e312351

                                                            SHA512

                                                            207f4f289082826adaebe2994aee71dbc4f8946ada84cd178215398af2d5b4cca35cb3aeac515e36680ed9694ef44e3b4dfc10e5cf41dbe642299accba693150

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\prefs-1.js

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            00ad45c72e6b3e3eb3cc3514a832acb6

                                                            SHA1

                                                            9ab82c3a67ecca14410074bf769f5a635a9a3492

                                                            SHA256

                                                            32c62165dc71b5c5bf9bc38e11650d4e51f0952e8f8f9e4dc40328fe78de1d48

                                                            SHA512

                                                            3f0e3adcb762c0ef657b7f209c063aa477d5ed5a830c61d395bf6bdc6022147f322e4857adc7ad0e94f870823480c49efdccbba8cffaec3a17ef95a4956edc96

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\prefs.js

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            a8f827da877f8b17525c764d0f258083

                                                            SHA1

                                                            0e495d706ff03604245cc958e49dff3b4df3fa62

                                                            SHA256

                                                            e95f626c219065e93fcea59ea2d130c90b10fcb651878156e70c6986993bc67a

                                                            SHA512

                                                            0bde976d8f0aea6f362562960fb1c8b0e82f2d882ff415882073213b14c206acbc54c36b08a580534d858ca396ebee7b08a9b4c631649119c3947554cfac00e7

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\prefs.js

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            d5f46f195a80be99476efde92c26cbf6

                                                            SHA1

                                                            4ee9b631cbad8e41ff7677d8f1cb837258b544f5

                                                            SHA256

                                                            faa07da074f80a3b649f3e635ea196640adf0c5eb276c064a3e8fd50da5d77f3

                                                            SHA512

                                                            4fadd49057268bdccb2249cd65f6afcf6c501517b7b29a02cc02751b0fb3b17d626fb4329d49c09f8608c0891309f792c86288d6c62e219b0429e463186da4a9

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\sessionstore-backups\recovery.jsonlz4

                                                            Filesize

                                                            4KB

                                                            MD5

                                                            8ec6155d8b55435bdd62db849dd6899f

                                                            SHA1

                                                            6293dd7820706020c4e5015af294ae84cdfa6d17

                                                            SHA256

                                                            51a21f7e3cf04d77a837dc34e84733777c3838c3e8de22eed3ab82d80f1c5819

                                                            SHA512

                                                            b47dc740344eeb9b8da7b30a49facd4363fe833f43b3ca3f9d676d32c56461fcf6a6623ca414994a6c382b908d83b04580e0c5683b1d4034117e9248c9ca08b0

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bgt81dxj.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 6d9d67c68318ffa7a8c3da15083bb3b9
  SHA1: be972d1e5ccc10a6b26d9106610c5951fea46b3c
  SHA256: 4c9cd78717dd73af0811dfcbea885dd162ebdc3ae6830b5335936de7f07e63aa
  SHA512: 5cb6970404b7ab8bc1d97a99b2fdd612553a178e40cd06360ceab96a5ccf3dc712d51098395263f2773f569c07b926131f576971c58877220ca03c8bb73ac86e

• \??\pipe\crashpad_3640_WGPVBHKDGFMKXTUI
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/1156-91-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/1156-88-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/1776-159-0x0000000000500000-0x00000000010EA000-memory.dmp
  Filesize: 11.9MB

• memory/1776-36-0x0000000000500000-0x00000000010EA000-memory.dmp
  Filesize: 11.9MB

• memory/1776-49-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize: 972KB

• memory/1776-304-0x0000000000500000-0x00000000010EA000-memory.dmp
  Filesize: 11.9MB

• memory/2340-17-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-18-0x0000000000551000-0x000000000057F000-memory.dmp
  Filesize: 184KB

• memory/2340-2432-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-89-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2426-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-317-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-310-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-20-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-19-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2390-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2417-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-451-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-1070-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2416-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2410-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-270-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2338-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2367-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2409-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/2340-2400-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/4892-3-0x0000000000B70000-0x0000000001027000-memory.dmp
  Filesize: 4.7MB

• memory/4892-2-0x0000000000B71000-0x0000000000B9F000-memory.dmp
  Filesize: 184KB

• memory/4892-5-0x0000000000B70000-0x0000000001027000-memory.dmp
  Filesize: 4.7MB

• memory/4892-1-0x0000000077244000-0x0000000077246000-memory.dmp
  Filesize: 8KB

• memory/4892-16-0x0000000000B70000-0x0000000001027000-memory.dmp
  Filesize: 4.7MB

• memory/4892-0-0x0000000000B70000-0x0000000001027000-memory.dmp
  Filesize: 4.7MB

• memory/6204-2389-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/6204-2388-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/6428-2424-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/6428-2425-0x0000000000550000-0x0000000000A07000-memory.dmp
  Filesize: 4.7MB

• memory/6800-309-0x0000000000E10000-0x00000000012C7000-memory.dmp
  Filesize: 4.7MB

• memory/6800-308-0x0000000000E10000-0x00000000012C7000-memory.dmp
  Filesize: 4.7MB