Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-07-2024 06:50

General

  • Target

    8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578.exe

  • Size

    1.8MB

  • MD5

    845e518c85f1b978cd46242946ba6d4d

  • SHA1

    2c9134231db03c35b788ac7b454b4cdf5698db22

  • SHA256

    8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578

  • SHA512

    b5c2a52db82c0467eff9f58406a62926b8a91a332853fb7774054eabba3e02adcc18dbdd2151cb6bdaba160cd74a9adea82b0add80da0dd164324b3d552bdaa0

  • SSDEEP

    49152:Pw1q2E1STbYe+DEJWWf2xdd5cf+I5CflYngG1i4GFf3uO:ItE1Re+4J+xd32/C2jau

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain
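The strings_key and rc4.plain entries above label the key the sandbox recovered for the sample's RC4-encrypted strings. The helper below, an added example that is not code from the sample, the sandbox or the Amadey family, implements RC4 and decodes hex-encoded blobs with that key. Two things are assumed here rather than stated on the page: that the 32-character key is used verbatim as its ASCII bytes (not decoded as 16 raw bytes), and that each encrypted string is stored hex-encoded. The page carries no ciphertext, so the sample blobs are constructed by encrypting the report's own C2 path and install file name with the key.

```python
"""RC4 string decryption for an Amadey sample, using the key the sandbox extracted.

Added example, not code from the sample or from the sandbox. Assumptions: the
32-character strings_key is used verbatim (its ASCII bytes) as the RC4 key, and
each encrypted string is stored hex-encoded. The page carries no ciphertext, so
the sample blobs at the bottom are constructed by encrypting known plaintexts.
"""
from binascii import hexlify, unhexlify

STRINGS_KEY = b"a434973ad22def7137dbb5e059b7081e"  # strings_key from the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(hex_blob: str, key: bytes = STRINGS_KEY) -> str:
    """Decode one hex-encoded RC4 blob to ASCII text.

    Raises ValueError for bad hex and UnicodeDecodeError when the output is not
    7-bit ASCII, which is the usual symptom of a wrong key.
    """
    return rc4(key, unhexlify(hex_blob.strip())).decode("ascii")


def encrypt_string(text: str, key: bytes = STRINGS_KEY) -> str:
    """Inverse of decrypt_string; used here only to construct sample blobs."""
    return hexlify(rc4(key, text.encode("ascii"))).decode()


def decrypt_table(blobs, key: bytes = STRINGS_KEY) -> dict:
    """Decrypt a list of blobs; entries that fail stay visible as None instead of vanishing."""
    table = {}
    for blob in blobs:
        try:
            table[blob] = decrypt_string(blob, key)
        except (ValueError, UnicodeDecodeError):
            table[blob] = None
    return table


if __name__ == "__main__":
    # Constructed sample blobs: the report's own C2 path and install file name.
    samples = [encrypt_string("/Hun4Ko/index.php"), encrypt_string("explorti.exe")]
    for blob, text in decrypt_table(samples).items():
        print(f"{blob} -> {text}")
```

When applying this to real blobs pulled from the binary, a wrong key usually shows up as a UnicodeDecodeError rather than as silently wrong text; decrypt_table keeps such entries as None so that a partially correct key (or a mix of keys across versions) is visible at a glance.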

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 6 IoCs]

    Typically done by enumerating the subkeys of HKLM\HARDWARE\ACPI\DSDT, FADT and RSDT, whose names contain VBOX__ on a VirtualBox guest.

  • Downloads MZ/PE file
  • Checks BIOS information in registry [2 TTPs, 12 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE [6 IoCs]
  • Identifies Wine through registry keys [2 TTPs, 6 IoCs]

    Wine is a compatibility layer capable of running Windows applications, and is sometimes used as a sandboxing environment.

  • Loads dropped DLL [2 IoCs]
  • Reads data files stored by FTP clients [2 TTPs]

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers [2 TTPs]

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
  • Checks installed software on the system [1 TTP]

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger [8 IoCs]

    Setting ThreadHideFromDebugger on a thread stops it from delivering debug events to an attached debugger, a common anti-debugging technique.

  • Drops file in Windows directory [1 IoC]
  • Enumerates physical storage devices [1 TTP]

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry [2 TTPs, 8 IoCs]

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry [2 TTPs, 6 IoCs]
  • Modifies registry class [1 IoC]
  • Suspicious behavior: EnumeratesProcesses [32 IoCs]
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [10 IoCs]
  • Suspicious use of AdjustPrivilegeToken [64 IoCs]
  • Suspicious use of FindShellTrayWindow [56 IoCs]
  • Suspicious use of SendNotifyMessage [27 IoCs]
  • Suspicious use of SetWindowsHookEx [3 IoCs]
  • Suspicious use of WriteProcessMemory [64 IoCs]
  • Uses Task Scheduler COM API [1 TTP]

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. In this run explorti.exe (the Amadey install_file) reappears three times at the top level of the process tree (PIDs 6596, 5404 and 6468) with no parent in the tree, which is consistent with relaunches by a scheduled task.

  When reading the counts above, note that AdjustPrivilegeToken, SendNotifyMessage and NtCreateUserProcessBlockNonMicrosoftBinary are raised only on the chrome.exe, msedge.exe and firefox.exe processes that the sample launched, and most of the FindShellTrayWindow and EnumeratesProcesses hits come from the same browser processes; these reflect the browsers' normal process model rather than code in the sample. The signatures that matter for classification are the ones attached to the sample itself, explorti.exe, 79885100f7.exe and JJJEGHDAEC.exe.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578.exe
    "C:\Users\Admin\AppData\Local\Temp\8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Users\Admin\AppData\Local\Temp\1000006001\79885100f7.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\79885100f7.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3024
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJJEGHDAEC.exe"
          4⤵
          PID:4848
          • C:\Users\Admin\AppData\Local\Temp\JJJEGHDAEC.exe
            "C:\Users\Admin\AppData\Local\Temp\JJJEGHDAEC.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:3052
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BKECFIIEHC.exe"
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:5308
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\71e5a7decc.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd1879ab58,0x7ffd1879ab68,0x7ffd1879ab78
            5⤵
            PID:2300
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=2036,i,17572596509253830250,3959809222006235743,131072 /prefetch:2
            5⤵
            PID:1308
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=2036,i,17572596509253830250,3959809222006235743,131072 /prefetch:8
            5⤵
            PID:112
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1880 --field-trial-handle=2036,i,17572596509253830250,3959809222006235743,131072 /prefetch:8
            5⤵
            PID:1776
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=2036,i,17572596509253830250,3959809222006235743,131072 /prefetch:1
            5⤵
            PID:5200
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=2036,i,17572596509253830250,3959809222006235743,131072 /prefetch:1
            5⤵
            PID:5212
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4036 --field-trial-handle=2036,i,17572596509253830250,3959809222006235743,131072 /prefetch:1
            5⤵
            PID:5764
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=2036,i,17572596509253830250,3959809222006235743,131072 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5192
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffd18533cb8,0x7ffd18533cc8,0x7ffd18533cd8
            5⤵
            PID:4668
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
            5⤵
            PID:2016
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4560
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
            5⤵
            PID:2868
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
            5⤵
            PID:5016
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
            5⤵
            PID:4060
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
            5⤵
            PID:1736
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
            5⤵
            PID:2652
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
            5⤵
            PID:4944
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
            5⤵
            PID:5148
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
            5⤵
            PID:5372
          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:6376
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:6464
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,4013739299378043885,4222776302220455131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1036 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3112
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3572
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.0.1518148164\1398439128" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea4b2129-c93f-4284-88bc-8f84e2a8a3f5} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 1844 155ac623758 gpu
              6⤵
              PID:1772
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.1.1329551886\2093107400" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4627cdd5-00ee-460f-86b2-c9c3aa731675} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2440 1559f785058 socket
              6⤵
              PID:716
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.2.64840532\866248330" -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 2944 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1042ce49-009e-403e-8106-3a94dfba8ec7} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2960 155af551358 tab
              6⤵
              PID:804
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.3.233610332\1621921214" -childID 2 -isForBrowser -prefsHandle 3364 -prefMapHandle 3508 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a04bd35-2681-4789-b451-99d65ac6712b} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3296 1559f776b58 tab
              6⤵
              PID:1592
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.4.443523242\92916981" -childID 3 -isForBrowser -prefsHandle 5248 -prefMapHandle 788 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f80f328b-9618-4de2-89cb-d66c99c35a47} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 5252 155b4325f58 tab
              6⤵
              PID:5528
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.5.1268945991\1727365860" -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f8e5c1-e374-47fa-b1cc-a2de9e0f5013} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 5396 155b4326258 tab
              6⤵
              PID:5536
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.6.1716838080\63894861" -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33ae7486-4b04-44ca-8a31-95289ef130d8} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 5588 155b4323558 tab
              6⤵
              PID:5544
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4712
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2196
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5428
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6596
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5404
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6468
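The process tree and the extracted configs together give enough to write host-side detections for this chain. The block below is an added example, not part of the sandbox report: it encodes the observable behaviours (the Amadey install directory and numbered download directories under %LOCALAPPDATA%\Temp, cmd.exe /c start launching executables from Temp, browsers launched by cmd.exe straight to the youtube.com/account page, Mozilla NSS DLLs written outside a Firefox install, and connections to the two C2 addresses) as rules over a simplified Sysmon-style event schema, then runs them over constructed events modelled on the tree. The hex-directory pattern is a generalisation of the single ad40971b6b directory seen here and is an assumption, as is the choice of 79885100f7.exe as the writer of the two DLLs, which the report does not state.

```python
"""Detection logic for the behaviours in this report, run over constructed events.

Added example, not part of the sandbox report. Event is a stand-in for Sysmon
Event IDs 1 (process create), 11 (file create) and 3 (network connect). The
hex-directory pattern generalises the one install directory seen in the tree,
and the process that wrote the NSS DLLs is assumed; neither is stated on the page.
"""
import re
from dataclasses import dataclass

# Indicators taken directly from the report's extracted configs and dropped files.
C2_HOSTS = {"77.91.77.82", "85.28.47.30"}
NSS_DLLS = {"nss3.dll", "mozglue.dll"}

# %LOCALAPPDATA%\Temp\<short hex dir>\<name>.exe, e.g. ...\Temp\ad40971b6b\explorti.exe
_HEX_DIR_EXE = re.compile(
    r"\\appdata\\local\\temp\\(?=[0-9]*[a-f])[0-9a-f]{8,12}\\[^\\]+\.exe$", re.I)
# %LOCALAPPDATA%\Temp\1NNNNNNNNN\<payload>, e.g. ...\Temp\1000006001\79885100f7.exe
_NUMERIC_DIR_EXE = re.compile(
    r"\\appdata\\local\\temp\\1\d{9}\\[^\\]+\.(?:exe|cmd)\b", re.I)
# cmd.exe /c start "" "<anything under %LOCALAPPDATA%\Temp>.exe"
_CMD_START_TEMP = re.compile(
    r'cmd\.exe.*?/c\s+start\s+""\s+"[^"]*\\appdata\\local\\temp\\[^"]+\.exe"', re.I)
_BROWSER = re.compile(r"\\(?:chrome|msedge|firefox)\.exe$", re.I)
_FIREFOX_DIR = re.compile(r"\\mozilla firefox\\", re.I)


@dataclass
class Event:
    kind: str            # "process", "file" or "network"
    pid: int
    image: str           # full path of the acting process
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""     # created file path (file) or remote IP (network)


@dataclass
class Hit:
    rule: str
    pid: int
    detail: str


def evaluate(events):
    """Apply every rule to every event and return the list of hits."""
    hits = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            if _HEX_DIR_EXE.search(e.image):
                hits.append(Hit("amadey_install_dir_exec", e.pid, e.image))
            if _NUMERIC_DIR_EXE.search(e.image) or _NUMERIC_DIR_EXE.search(e.cmdline):
                hits.append(Hit("amadey_download_dir_exec", e.pid, e.cmdline or e.image))
            if image.endswith("\\cmd.exe") and _CMD_START_TEMP.search(e.cmdline):
                hits.append(Hit("cmd_start_temp_exe", e.pid, e.cmdline))
            if (_BROWSER.search(e.image) and e.parent_image.lower().endswith("\\cmd.exe")
                    and "youtube.com/account" in e.cmdline.lower()):
                hits.append(Hit("browser_launched_by_cmd_to_account_page", e.pid, e.cmdline))
        elif e.kind == "file":
            name = e.target.rsplit("\\", 1)[-1].lower()
            if name in NSS_DLLS and not _FIREFOX_DIR.search(e.target):
                hits.append(Hit("nss_dll_dropped_outside_firefox", e.pid, e.target))
        elif e.kind == "network" and e.target in C2_HOSTS:
            hits.append(Hit("known_c2_connection", e.pid, e.target))
    return hits


def summarize(hits):
    """Map each rule name to the sorted, de-duplicated PIDs that triggered it."""
    out = {}
    for h in hits:
        out.setdefault(h.rule, set()).add(h.pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


# Constructed events, modelled on the report's process tree and dropped-file list.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578.exe"
AMADEY = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
STEALC = r"C:\Users\Admin\AppData\Local\Temp\1000006001\79885100f7.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

SAMPLE_EVENTS = [
    Event("process", 2028, DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),
    Event("process", 3108, AMADEY, f'"{AMADEY}"', DROPPER),
    Event("process", 3024, STEALC, f'"{STEALC}"', AMADEY),
    Event("process", 4848, CMD,
          r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJJEGHDAEC.exe"', STEALC),
    Event("process", 1364, CMD,
          r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\71e5a7decc.cmd" "', AMADEY),
    Event("process", 1580, CHROME, f'"{CHROME}" "https://www.youtube.com/account"', CMD),
    Event("process", 1308, CHROME, f'"{CHROME}" --type=gpu-process', CHROME),   # benign child
    Event("file", 3024, STEALC, target=r"C:\ProgramData\nss3.dll"),
    Event("file", 3024, STEALC, target=r"C:\ProgramData\mozglue.dll"),
    Event("file", 2700, FIREFOX, target=r"C:\Program Files\Mozilla Firefox\nss3.dll"),  # benign
    Event("network", 3108, AMADEY, target="77.91.77.82"),
    Event("network", 3024, STEALC, target="85.28.47.30"),
    Event("network", 1580, CHROME, target="203.0.113.10"),   # benign, documentation address
]

if __name__ == "__main__":
    for rule, pids in sorted(summarize(evaluate(SAMPLE_EVENTS)).items()):
        print(f"{rule}: {pids}")
```

The C2 match is the weakest rule here, since both addresses will rotate; the path-shape and drop-location rules survive re-packaging of the sample, which is why the example keeps the browser child processes in the event list as negatives: a rule that fires on every chrome.exe renderer is not usable.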

Network

MITRE ATT&CK Enterprise v15

Downloads

mozglue.dll and nss3.dll are Mozilla NSS runtime libraries. Stealc fetches them from its C2 into C:\ProgramData so that it can decrypt Firefox's stored logins without depending on a Firefox install, which matches the "Loads dropped DLL" hits on 79885100f7.exe above. Because they are stock Mozilla binaries, their hashes are poor indicators on their own; the drop location and a non-browser writer are the useful signal.

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            216B

                                                            MD5

                                                            7c3e467494a6537c7e09bc6b41e88aa0

                                                            SHA1

                                                            92165aef10accbe9a351dfc7a86ffeb1e8e99078

                                                            SHA256

                                                            7328b85e95457e58f9f2cf517bac1db67e61ced28fc807b172f7940f9c32403c

                                                            SHA512

                                                            25edd602b8eaafe3219ea216644d7e2ca2082f94ac8f1ccf4dea91b4d7824bb2344da769e80d5943eb0ea2fd2051460e1ebc108d2c8bccf65e6dee79f0eb8b06

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            778305cb10921fa16c96e3138bc90d93

                                                            SHA1

                                                            c504b5159d95d55c7cca958cfe4897ccf15d7e25

                                                            SHA256

                                                            1bf721fca9d2a9958c464e12c1a38fc5274e21d2ea97293548d28aa9157e2a90

                                                            SHA512

                                                            79aad91ece9cc291557519ae1f43a4330b4dc529fa21fb722117e7d2661244e6ec287e7a37cbc4ee6ed3afc54d32c504c5b71d01cc1d9c5f80c3979b08c2e9f7

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            2b4ac38262af464cf70eb3b923339a30

                                                            SHA1

                                                            c8b9bd2b5c07cab84d5783d14f9d3ae1eb050770

                                                            SHA256

                                                            171bdeb8855fb7eb1bde4afadf45fcd1877c3dd85a85a6670f162a88441365dd

                                                            SHA512

                                                            e21437b53cc3c2755efbdc30efd52e8266b44698852f15050ac7a96c922c625ee6a8d63f8f18ab87ec28b5e3dcb886cb3ec680d4a7d32cf51e411dc713f339f4

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                            Filesize

                                                            2B

                                                            MD5

                                                            d751713988987e9331980363e24189ce

                                                            SHA1

                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                            SHA256

                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                            SHA512

                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                            Filesize

                                                            524B

                                                            MD5

                                                            2168a4f54be782f1a0796ed2222bcb62

                                                            SHA1

                                                            c0cd066d6e1280e2707375a937d92c317265a621

                                                            SHA256

                                                            86866565e634c407a702cd26177a169de01bd061560b8ffa275a99c3397f2e8b

                                                            SHA512

                                                            0c06e58beeaf5c7d9ceb5b3ba344adf4c2e173f202e5620bd945d56247cf3c78a8e179395ccb8fdc9755ab9f7b2c86411a7e7195ac381438c95e1da33024e1d8

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                            Filesize

                                                            7KB

                                                            MD5

                                                            b5547ec3f18b74c8f1086f1e889191af

                                                            SHA1

                                                            4557da044893e651fd150a00a8e2484d05ea27a5

                                                            SHA256

                                                            434fffb3c8b7a6e6d8874b902571b0a0af5887f4e969894009f126f23b1471dd

                                                            SHA512

                                                            5b2081c88a5222952aabe15b6a8d65900eb42ecb50ef3035180e5c6c916e09c68232584d0fec9a4f749cda77f4c5f3e226ad8e9df1a12e52a61e9d423c5fb377

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                            Filesize

                                                            144KB

                                                            MD5

                                                            44a3ca57326a627f44f07c0ea657550b

                                                            SHA1

                                                            8dd5bb784450c413ab7f4f38bc81111ac4e97aac

                                                            SHA256

                                                            bbee9751c31a31524ce45c1f653c7b75da52cf76e4d97e484b55d23c85f1ba89

                                                            SHA512

                                                            ea6443f0dda3df78e346b59a685b095e33283f93291863b8e005a7509539a88aa54afbc1c745c2ed9297619762600275e9890fbff58401431638c3386cb431d4

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            b88c419948b22d8f079311239c952096

                                                            SHA1

                                                            57bde0e55d3ad4c555f1dae4224a64a0d2375da9

                                                            SHA256

                                                            d424881e070ffbdcf8801a339813bcd5dbdd9c1d121d197e7924adceeed0ab4a

                                                            SHA512

                                                            76bcb75c16d21cb2f452f19562c2d311e3741c6aaf22128ec6b2c37159c9b28c3337ff6a57a38430b0c249d6d4eca7185a859ca32515dc44de106fb0a45d6c3b

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            8f99c482b569e51ec044a39d33e5aa9d

                                                            SHA1

                                                            c4118d25e83679a64720b0c32ae30aa6fab0fe26

                                                            SHA256

                                                            cc73e826d62a46c84cc26263266fb7015c15180e3844062e35305875b1180895

                                                            SHA512

                                                            2693cc5e9b465a2296700d2563469b53460b82b87125793a638e9efd6b69b30fe232206b194b31fd07b85f9dc50b7aed92bf96845827d695088638b8574a8ab8

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

                                                            Filesize

                                                            67KB

                                                            MD5

                                                            51c3c3d00a4a5a9d730c04c615f2639b

                                                            SHA1

                                                            3b92cce727fc1fb03e982eb611935218c821948f

                                                            SHA256

                                                            cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f

                                                            SHA512

                                                            7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

                                                            Filesize

                                                            36KB

                                                            MD5

                                                            103d7813f0ccc7445b4b9a4b34fc74bf

                                                            SHA1

                                                            ed862e8ebd885acde6115c340e59e50e74e3633b

                                                            SHA256

                                                            0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b

                                                            SHA512

                                                            0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            240B

                                                            MD5

                                                            93bb08c291d848772a9a30691ec803ee

                                                            SHA1

                                                            a03a03ced06843dc91e6394a8cdc5126eae19cf8

                                                            SHA256

                                                            f2e465eb7c6df5cdbc1f3af8b498ce004873392f0cd78c4e3ce3b2737fbcc5bc

                                                            SHA512

                                                            986747554fb6cf5d299b142e56750370be47e8b8a4d1222d7d7aecaa256ac9fb789fe9a03ee713f2c3839193da5a8b9ba9639e7d406d7f59e9829d985a86e17e

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            82f09451999f01bbefda98bedabf0fa7

                                                            SHA1

                                                            6728bf84ace8bd7e9b7989320d4de98100bf6e73

                                                            SHA256

                                                            a8d6c3281053bc03af6e1a3ff4e2272c63d1fcff7464648ba1f9b32338f4c710

                                                            SHA512

                                                            92dbdb9d35cde5d8564edbf0976bdac545b57156fbeaae2b07754574c180316a90b77715e54e287525f09cb22135337a3992b304bfd9d8bbe662da889bf8e61c

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                            MD5

                                                            011a3f641659e01c5693ca1fb35683d8

                                                            SHA1

                                                            30b6c60e2e6f581cb7c72db88fe9b45ad218dc3f

                                                            SHA256

                                                            f733af4691a7fbbd3d7e65fa28a6364c0f91a850256b18339c842d6e18d56385

                                                            SHA512

                                                            5baa6296629956ce60f457fb1efa1dd9e74edb39016e6409f60c8efee5de68f6b4495657b238268d52c7e887ff0c495b0084ac5b806577f2bbc58761cdb832dd

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            9661a31a15d4a3172cb9c36ef4b700d0

                                                            SHA1

                                                            2ad1e59d1030658dedce14cbdd3e940d4d1b1ab5

                                                            SHA256

                                                            ce8c5392e26ae0d2a59a457ef38ebb3131fd5686beea1f1857b43830cc117258

                                                            SHA512

                                                            ecbb089357d75be3de70bec353c9595469a8b07609016e9805c4b9cbc4fa8f6cb998fb52db56fbba6d9d1be8485cddeb9286d87416b84f2af5fc4afbe6d1e637

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                            MD5

                                                            206702161f94c5cd39fadd03f4014d98

                                                            SHA1

                                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                            SHA256

                                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                            SHA512

                                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                            MD5

                                                            46295cac801e5d4857d09837238a6394

                                                            SHA1

                                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                            SHA256

                                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                            SHA512

                                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            11KB

                                                            MD5

                                                            4a8cb8d91f3030ded3495478dbef3be0

                                                            SHA1

                                                            c962ec2b6c68c72fb79587b63c3ae0b654fc8e0b

                                                            SHA256

                                                            8bd8e6c45fb9c180a0a14744344c6a9a0d49e7a85870b9b4ac11847967391001

                                                            SHA512

                                                            bc501be4f3ebf4dff6800b5439b1c9b1feb4c4d81df88b1364109cf2ccc6078f73441f97d37697f9c21503aee1e77a1e2751c71b0bbd443154708a9423026ff1

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            11KB

                                                            MD5

                                                            10eb5f243ae2744d190da7a73ff07440

                                                            SHA1

                                                            36af820939afb6173d60e33fb63a65c2b122dd2c

                                                            SHA256

                                                            758c4615233ed53fb3ece60bb9e219e815bd0b7d1f0237d6c19d3008789b7d2a

                                                            SHA512

                                                            a25bd578a4c7296cb4737a786fdc05fb8483c6bfe7ba94964a31c258bba8dd60c385b92dd3bb3652649ccf4021b0fea670df7dd98f552d9e74805265aa95b026

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\activity-stream.discovery_stream.json.tmp

                                                            Filesize

                                                            28KB

                                                            MD5

                                                            d9c08dc95d7d508fddea6e17ac9af435

                                                            SHA1

                                                            adad14441f4641ed60ef4bd2c23cd6a35e2b82f9

                                                            SHA256

                                                            1cd69f704c03d946d5dbaf7e0cfe8e8b397ab777efe299084e2d4c1beb902b34

                                                            SHA512

                                                            c33459349cd5b6616df1c89d2c3bdcc07c6d5968a93d462a0893ab5814c192a7fcc556aa9b5895eb41dcca7eec6714b5bd15cc673280c27a3c271abc611f97ce

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                            Filesize

                                                            13KB

                                                            MD5

                                                            a3e97ecff949015fa624f8e7b3185920

                                                            SHA1

                                                            88710049a69e87bfbe871123475225c75c3f0f83

                                                            SHA256

                                                            bd337beae7757cb678c329868bafe35cd24e31ed9004801134d65b2cb1946664

                                                            SHA512

                                                            7619fc6abfa9e1045bf568ed0606608a019b9e2f13d83807dba938e6ad4d6036d8d97fca889d24cfdffc4576a26cdc03e0ce7134070d4d910522a0b8a15e9484

                                                          • C:\Users\Admin\AppData\Local\Temp\1000006001\79885100f7.exe

                                                            Filesize

                                                            2.4MB

                                                            MD5

                                                            510ef6656d676509abf2ff0e28ecda55

                                                            SHA1

                                                            0f61ea4fff3a4160ee5eadbec3ee35506c98b10f

                                                            SHA256

                                                            42925f90758bbcac4f02d0f58e671ef5d071e1f528a3aa2b4cfa7715da9ff215

                                                            SHA512

                                                            08870978ef501a7dfe0a1f0042a5373ce70f50308f6929d1940434a27fdc61ec230ac0df4d80299ab82ec05ef6263a3bc40ebf82b17d32074f5ca6000764ba0a

                                                          • C:\Users\Admin\AppData\Local\Temp\1000008021\71e5a7decc.cmd

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            c1b73be75c9a5348a3e36e9ec2993f58

                                                            SHA1

                                                            84b8badeca9fa527ae6b79f3e5920e9fd0fbd906

                                                            SHA256

                                                            a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0

                                                            SHA512

                                                            fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            845e518c85f1b978cd46242946ba6d4d

                                                            SHA1

                                                            2c9134231db03c35b788ac7b454b4cdf5698db22

                                                            SHA256

                                                            8d1cc44f24a9022819de9d34a328315d88e215dcac2ffb3cf29d637948d4c578

                                                            SHA512

                                                            b5c2a52db82c0467eff9f58406a62926b8a91a332853fb7774054eabba3e02adcc18dbdd2151cb6bdaba160cd74a9adea82b0add80da0dd164324b3d552bdaa0

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                            Filesize

                                                            442KB

                                                            MD5

                                                            85430baed3398695717b0263807cf97c

                                                            SHA1

                                                            fffbee923cea216f50fce5d54219a188a5100f41

                                                            SHA256

                                                            a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                            SHA512

                                                            06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                            Filesize

                                                            8.0MB

                                                            MD5

                                                            a01c5ecd6108350ae23d2cddf0e77c17

                                                            SHA1

                                                            c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                            SHA256

                                                            345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                            SHA512

                                                            b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cookies.sqlite-wal

                                                            Filesize

                                                            256KB

                                                            MD5

                                                            c2de3c06b6344e59d32b91645332a8eb

                                                            SHA1

                                                            01321ece253fb171fe8eab1f019160a623c4bef6
