Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-07-2024 14:13

General

  • Target

    f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e.exe

  • Size

    1.8MB

  • MD5

    99b800d074dc4121cdc4a127276b9f6e

  • SHA1

    c2099c6ed0cd5be77000c13cda849a84fd7bf662

  • SHA256

    f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e

  • SHA512

    b317716aefab1fd83b3fa6c0057c613e98deb55f577b50d4a4ad93fa2ec71e25994ae28549c3f0d03396ce9a721c83afb6d0c754c2cd46eb85159484d6e315ba

  • SSDEEP

    49152:hz8Y6VEcforjruAZLG6oBSTglgpJAwCXWFzmMEcK0jhF:18Y6VJforjr7gwTDDVCXWFzTEcJh

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e.exe
    "C:\Users\Admin\AppData\Local\Temp\f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Users\Admin\AppData\Local\Temp\1000006001\4bace03766.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\4bace03766.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3216
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AECAECFCAA.exe"
          4⤵
          PID:6604
          • C:\Users\Admin\AppData\Local\Temp\AECAECFCAA.exe
            "C:\Users\Admin\AppData\Local\Temp\AECAECFCAA.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:6700
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IECFIEGDBK.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of SetWindowsHookEx
          PID:6636
      • C:\Users\Admin\AppData\Local\Temp\1000010001\0e0f587120.exe
        "C:\Users\Admin\AppData\Local\Temp\1000010001\0e0f587120.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C3DC.tmp\C3DD.tmp\C3DE.bat C:\Users\Admin\AppData\Local\Temp\1000010001\0e0f587120.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:796
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2484
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffcfd8dab58,0x7ffcfd8dab68,0x7ffcfd8dab78
              6⤵
              PID:1488
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:2
              6⤵
              PID:4480
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:8
              6⤵
              PID:2160
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1664 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:8
              6⤵
              PID:4848
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:1
              6⤵
              PID:2424
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:1
              6⤵
              PID:4324
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3980 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:1
              6⤵
              PID:5948
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:8
              6⤵
              PID:1968
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:8
              6⤵
              PID:4468
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=2364,i,5351176254279918369,6113472044472924249,131072 /prefetch:2
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:6812
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3604
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcfd7846f8,0x7ffcfd784708,0x7ffcfd784718
              6⤵
              PID:3256
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,8015029887621293668,4475788816974321802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
              6⤵
              PID:5016
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,8015029887621293668,4475788816974321802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:784
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,8015029887621293668,4475788816974321802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
              6⤵
              PID:2908
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8015029887621293668,4475788816974321802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
              6⤵
              PID:4540
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8015029887621293668,4475788816974321802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
              6⤵
              PID:4016
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,8015029887621293668,4475788816974321802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
              6⤵
              PID:5940
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,8015029887621293668,4475788816974321802,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 /prefetch:2
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:6792
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3248
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1416
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1416.0.988976479\1532313381" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fb9782f-f454-46c7-af5e-83ae9ff2adcf} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" 1844 245ddc0c158 gpu
                7⤵
                PID:4056
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1416.1.2042838663\141267630" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94eb27d5-7cae-49ea-a6ff-c6ba69ff88b0} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" 2472 245d0d86558 socket
                7⤵
                PID:1844
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1416.2.847932756\751329649" -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 2808 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f550465e-0be2-47e6-8bb9-8ac1b078b62f} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" 3376 245e0275258 tab
                7⤵
                PID:2992
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1416.3.2118292327\710164039" -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 2976 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17d782e2-7da6-40ca-886b-0bb4b6b462ff} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" 3692 245d0d76e58 tab
                7⤵
                PID:5500
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1416.4.1404783601\1401962820" -childID 3 -isForBrowser -prefsHandle 4200 -prefMapHandle 5232 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {612a4dea-0f48-4736-90f3-6410d6431854} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" 5212 245e488f558 tab
                7⤵
                PID:6028
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1416.5.492060313\97226952" -childID 4 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bbd5748-a97f-4acf-9d92-2d42eb579c74} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" 5376 245e48d7958 tab
                7⤵
                PID:6032
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1416.6.151857671\652914768" -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5212 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c4a7185-32ca-4090-a56a-487dacdc9d21} 1416 "\\.\pipe\gecko-crash-server-pipe.1416" 5596 245e48d7658 tab
                7⤵
                PID:6040
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5184
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5392
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5808
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6516
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

    Filesize

    36KB

    MD5

    103d7813f0ccc7445b4b9a4b34fc74bf

    SHA1

    ed862e8ebd885acde6115c340e59e50e74e3633b

    SHA256

    0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b

    SHA512

    0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

    Filesize

    240B

    MD5

    f025fc155d8477727e02ce0aedaa3bde

    SHA1

    1f3929386203debd0b68c9d2bae1069399e0d924

    SHA256

    b0c1a5a06db788bb120a9c38e3418fd0663378402bfdd8623405f617966951fc

    SHA512

    fe409c6a309572ba9801588dfbe0ca2d5ab36fc7e6d8000ecc5f6b60f90671c3490443e222bfcf804d279577c11c5ffeba7c8c119f753b985e4d6256c3f4c6f7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

    Filesize

    2KB

    MD5

    b06144cb1c8c21e5237b77ea8ad2f0af

    SHA1

    964abcc3a311ef9cf0fc381683371f9cecec33f2

    SHA256

    beb4449dcbf964d371db58e5384684468e111d961041ed0c09028cbf00a7efd6

    SHA512

    5198cef91a330b9f1c0f2a5027d34b920779e9f06b656f3e77e3489a29b5c00c91370db3071b675842a6a137089c53825e8de36675f045f4ea86ff999afddbcf

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

    Filesize

    2B

                                                        MD5

                                                        d751713988987e9331980363e24189ce

                                                        SHA1

                                                        97d170e1550eee4afc0af065b78cda302a97674c

                                                        SHA256

                                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                        SHA512

                                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                        Filesize

                                                        356B

                                                        MD5

                                                        38210b6d7dcbbb210ba19285ee960a50

                                                        SHA1

                                                        64aece34b14fc219d4822cbfcdeb4c9f9c162da0

                                                        SHA256

                                                        c72792903856eecf7988877cb296cb2e9e0c51ca04339ce7554683f38de976eb

                                                        SHA512

                                                        f97b55c044927fd45ca18c4f0960f1ff0ba3aa345f1b73608f51acfe4fd40cf0c4eace7ec40c72694e3bc9cfc938efba6832d08d43ca9938c860b94d46e8cc54

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                        Filesize

                                                        7KB

                                                        MD5

                                                        51f9a70fc8625ce5e5f830fb4216d352

                                                        SHA1

                                                        9d8459a0415b6582fcbb772a98fd64c92968e4f3

                                                        SHA256

                                                        d7ffe619dda75ac75bf919100244e51140ad0f5725908a99506073376ffdf412

                                                        SHA512

                                                        170b8c7a125ce52f3e164548857991b183f81aea7eb1f0911583bb2fd746e8d4655f17c2c2bbece5f4530dec8ac710be238c109fbe61d95472d0e5078b629b96

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                        Filesize

                                                        145KB

                                                        MD5

                                                        87dffe067a3d2b394ac7c67bb28d69b0

                                                        SHA1

                                                        678ecbb75a4a342792ed3ecc23b45c35e9177a0c

                                                        SHA256

                                                        8b3d112224f1cb93969fbe5bcf7b5012e48647574cf242a250bd139394582244

                                                        SHA512

                                                        01771ed15b723acd5e1099095de9370c3c48593bd95914e2cf41b19ec6755a74197acfb2c4d710882da60e8ee54096735dbe42f5bd6f2f0d632de33cb30b845d

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                        Filesize

                                                        146KB

                                                        MD5

                                                        ca9d57bc65b2edfd364a67eb6ddba044

                                                        SHA1

                                                        9b822aaceffccb5cd4f2d3785fcf21a115bb376c

                                                        SHA256

                                                        275dd63213e16a5143b2da322c0b9025019b55df54996643e088de5956dde584

                                                        SHA512

                                                        da370005e0b533c0246f9f60c1c332f09f6eb0384efd6a32df031258c4d0cf7f360387ef690b0041ac2e16c388686b01176b6e4407b064631028b4bf2543b4e2

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                        Filesize

                                                        146KB

                                                        MD5

                                                        90345a8a9ca1283f8e90814592b2bb30

                                                        SHA1

                                                        80798994ea9d1be5846cc0dba420001d90f86370

                                                        SHA256

                                                        1a39a1d9ce16bd3cc3b28094d65e41c8e9c98c553c45d7717214b0cd450e9eb9

                                                        SHA512

                                                        3871d3956a359da61e84084c793e9c61553ba91f51cab601286839c1fd79194c70440d4c41447ce136c7e1fcc13135338e5552c279a9bb5831e70a2132a64604

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        0331fa75ac7846bafcf885ea76d47447

                                                        SHA1

                                                        5a141ffda430e091153fefc4aa36317422ba28ae

                                                        SHA256

                                                        64b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a

                                                        SHA512

                                                        f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        f0f818d52a59eb6cf9c4dd2a1c844df9

                                                        SHA1

                                                        26afc4b28c0287274624690bd5bd4786cfe11d16

                                                        SHA256

                                                        58c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61

                                                        SHA512

                                                        7e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

                                                        Filesize

                                                        67KB

                                                        MD5

                                                        51c3c3d00a4a5a9d730c04c615f2639b

                                                        SHA1

                                                        3b92cce727fc1fb03e982eb611935218c821948f

                                                        SHA256

                                                        cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f

                                                        SHA512

                                                        7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                        Filesize

                                                        240B

                                                        MD5

                                                        8744c07a7b6312d7a2e9008cccceaf39

                                                        SHA1

                                                        69e8aeedb00b32a1d3d34e33cdccb4df04db024e

                                                        SHA256

                                                        60c6fdab9f50e85d559db4ec5e9a8be88a1ea258583912cf4634edcdc2aebe46

                                                        SHA512

                                                        079dd47ddf86c4698debe67ab7491e11f46a222d5a88a566d8853a2f31e26598747d6a6742ca4dc734b71219f0006fc535d043589feb386e42dbb912c5751525

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        042a2178e2a86f648c1a22f03d8cd008

                                                        SHA1

                                                        a816ed60503c75183cf4739d3eb7f7db3f601754

                                                        SHA256

                                                        d63c8b6e3a454c1c995fad28489c541482f0bf89be88fa0ddf0ef38454b20e5c

                                                        SHA512

                                                        47c6f1603ef07594fc0696177e7d74d32ef3f77d3a7f0772c3751111040f95b96c13a01f64fbc157de90c4a8c478ec5a096393724513439ec27df4501c73520f

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        652b57d88ffdccf498e36148b3000da7

                                                        SHA1

                                                        4239555d23eb677a9aeb048e87668dfe4ee8fb24

                                                        SHA256

                                                        8876ade90622a8e0feab4cd657a0eb27272ecab99b11bef31448ccefebc85466

                                                        SHA512

                                                        2aa4adb6df12a45829794ea968625d6ecebb3547d56c2343f5b6765c939096210bf727a4dd34b340f7a81802c6c20ae7d8610548b9c5195005e5cf454c9faa56

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        c0b7f7b0862fea315bfd04e3fc251a38

                                                        SHA1

                                                        6e12aebff8abd1ebd16f80282ab1e6b7ee1d8587

                                                        SHA256

                                                        eaed025a557e732fdcd1502a943459a948583ea713eac84f4ac1010e087f01d7

                                                        SHA512

                                                        28c728bd7c11cb52a5cc5c0fc95d7d81c4225746e75334f70a928baf50aa9e03f0a5d4b9e5f705b4a84dab7ba009695fd6ab4fc9d030581cc51ac333321ca1ec

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        11KB

                                                        MD5

                                                        1461c8c0cd0024a4009aad3cdc1e988d

                                                        SHA1

                                                        6a9e2b52c9b9d115a849534e0c49fc8c0f31a9f3

                                                        SHA256

                                                        22af5f9e29a11d7dae1df4234b71de390f49f3765694e272f4e822b8c4b8ac37

                                                        SHA512

                                                        b8da5d884e36d9af5ac7b4e5db3b3372e98d8a1ac08896eeb252b126d27422c13555d6ebdcbe422b397662163bd516cfed0f216db657b98fc392214f2e02d01e

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp

                                                        Filesize

                                                        23KB

                                                        MD5

                                                        d4253286fb245c56c4d78c88de817063

                                                        SHA1

                                                        0078521b125c7d046ed44be0a413b114ea428a3a

                                                        SHA256

                                                        7cf372923161ca153a300f741c178b64acbbe31b09a7f0bc1964c3e361ae9d9a

                                                        SHA512

                                                        206b6f70cd9bc2cdacfe67e1cf5136eb36b019371f8e0c2f837f4582e502d5f92ef699492530781ee5464168341e957e1cafef32a39694ee296f97f8930ef745

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\activity-stream.discovery_stream.json.tmp

                                                        Filesize

                                                        22KB

                                                        MD5

                                                        f8faf4ab72f614703ccd8f9005bbde9b

                                                        SHA1

                                                        cf86d5b0ec4bd74e01a1e0f079dcb99f5b412dfa

                                                        SHA256

                                                        151f3bfe502aa0ec740da7f9e39d71a8dad7ba075a2643ceed6f88152eab8bec

                                                        SHA512

                                                        ef8a38141e92043a4e475bc220f7d263fa7c6faccc44673182708337a4260d4d39c201705520295264316b4a125c53b02226812ba44e718edbf1097c20bd4050

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                        Filesize

                                                        13KB

                                                        MD5

                                                        05c9931b32b18e61980ff16a4c7b8f02

                                                        SHA1

                                                        0ac5e6c2d6b01e162fd4e515b70af6bb92b7c25b

                                                        SHA256

                                                        6d8483de9d81f0d4c8005fd09c90cb19ce1c031b04722491326578a16f2155e4

                                                        SHA512

                                                        920274119cd148cf22dbd36a64eacdca7ad72e6df3f7ee89d1765fd93a0511ef9ec6f39e2b6906731c9227580edebe5b5dcecb4102a544d1f3d3ebac44dced88

                                                      • C:\Users\Admin\AppData\Local\Temp\1000006001\4bace03766.exe

                                                        Filesize

                                                        2.4MB

                                                        MD5

                                                        3cf711041254d965f4d100dfd2af83b5

                                                        SHA1

                                                        567f213eabaf61bf82e941631dbecd518b61d089

                                                        SHA256

                                                        77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce

                                                        SHA512

                                                        629f3136a6ebacf69800ed96000709c28ac096937c75cacb262394922779ab6cc613dd496e263ac02b41b998daa570771b68fd6a79b5d73fb3c4a45ef0bdb718

                                                      • C:\Users\Admin\AppData\Local\Temp\1000010001\0e0f587120.exe

                                                        Filesize

                                                        89KB

                                                        MD5

                                                        bc08b445116ecc06852a929a5d302c4a

                                                        SHA1

                                                        a78aa42220b90d47b4cf63119e6082f06b295f57

                                                        SHA256

                                                        5b232254dd2d33eb576516116977c884fba81d5a8427f742a73655f9e076efc6

                                                        SHA512

                                                        657a21d453112fb909be4005e0cab1ebf467840e275a159eb535b486432ffa0bfcc60da92475b26f08a0ea481c927654520a43163e04e34324551cb3bfd69fdf

                                                      • C:\Users\Admin\AppData\Local\Temp\C3DC.tmp\C3DD.tmp\C3DE.bat

                                                        Filesize

                                                        2KB

                                                        MD5

                                                        de9423d9c334ba3dba7dc874aa7dbc28

                                                        SHA1

                                                        bf38b137b8d780b3d6d62aee03c9d3f73770d638

                                                        SHA256

                                                        a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

                                                        SHA512

                                                        63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

                                                      • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                        Filesize

                                                        1.8MB

                                                        MD5

                                                        99b800d074dc4121cdc4a127276b9f6e

                                                        SHA1

                                                        c2099c6ed0cd5be77000c13cda849a84fd7bf662

                                                        SHA256

                                                        f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e

                                                        SHA512

                                                        b317716aefab1fd83b3fa6c0057c613e98deb55f577b50d4a4ad93fa2ec71e25994ae28549c3f0d03396ce9a721c83afb6d0c754c2cd46eb85159484d6e315ba

                                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                        Filesize

                                                        442KB

                                                        MD5

                                                        85430baed3398695717b0263807cf97c

                                                        SHA1

                                                        fffbee923cea216f50fce5d54219a188a5100f41

                                                        SHA256

                                                        a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                        SHA512

                                                        06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                        Filesize

                                                        8.0MB

                                                        MD5

                                                        a01c5ecd6108350ae23d2cddf0e77c17

                                                        SHA1

                                                        c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                        SHA256

                                                        345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                        SHA512

                                                        b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\cookies.sqlite-wal

                                                        Filesize

                                                        256KB

                                                        MD5

                                                        684fbdf5d6ec05d9b0f1cf8e3a3ebf4c

                                                        SHA1

                                                        45282d18e13eec36f2fcbf88998eb2e4ca300c80

                                                        SHA256

                                                        ec8d6853d7c687df6aa5c36a2f4f2e44bf59c141b40661c3088a7026444950bc

                                                        SHA512

                                                        bc98f440a71d90270b1df7d0e00febff84dd8bc85045e46edfb681152b8b316bfa827e42c2f4477d45d473971d139275330ec9ac7fab76eab56f2137e4c25fcc

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                        Filesize

                                                        997KB

                                                        MD5

                                                        fe3355639648c417e8307c6d051e3e37

                                                        SHA1

                                                        f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                        SHA256

                                                        1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                        SHA512

                                                        8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                        Filesize

                                                        116B

                                                        MD5

                                                        3d33cdc0b3d281e67dd52e14435dd04f

                                                        SHA1

                                                        4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                        SHA256

                                                        f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                        SHA512

                                                        a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                        Filesize

                                                        479B

                                                        MD5

                                                        49ddb419d96dceb9069018535fb2e2fc

                                                        SHA1

                                                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                        SHA256

                                                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                        SHA512

                                                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                        Filesize

                                                        372B

                                                        MD5

                                                        8be33af717bb1b67fbd61c3f4b807e9e

                                                        SHA1

                                                        7cf17656d174d951957ff36810e874a134dd49e0

                                                        SHA256

                                                        e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                        SHA512

                                                        6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\places.sqlite-wal
  Filesize: 992KB
  MD5: 294d2b91b49407298b1975242c727320
  SHA1: 6cbcdf0269cc7dc61f36520b4606bcea0c44f964
  SHA256: 2968736876d68d8cb270d9867b23acca23ab3ee6c8b94ec6ba6077f699494324
  SHA512: 1da8b69316dfdcd2a6da5350847738c8cd73b9286ccd5634ea7e10c08ac6920f75f891c16ec97ad0ac9b14470d5b796a0451c461cc472b3b819d5b1289d602da

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs-1.js
  Filesize: 7KB
  MD5: e242e1c9af325df9470ceda429bada2a
  SHA1: 46198e08d79d6ba5e40993ddea59198336cc7981
  SHA256: d7b3cfc2255f0e8677a4aeaf91b0ab42093f25b7c138d57f899e07598bcf05c4
  SHA512: 1adf94e8de4dd12460da099ca4da5f5f60ae0642b76ea204d1542cbdfc59ce22129e8b66d1467bc583597b6652a3cac4d616f02b9591ca13c71c190c8d6c3415

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs-1.js
  Filesize: 6KB
  MD5: 9eae6b05a8a6de88566abf694e431ac9
  SHA1: ddce0f1e6ab4cef5b3c61cb0b42248ffec030440
  SHA256: a034f70cf02daf376cb8a3b02ee0b6a1f1017c2a54f6857cf5cb0a634879e273
  SHA512: 5d325c1aeb8c0c197181d9d127c68fe3f9d9040b741b2b71aa3e861553be8307f2e8dd6b788869846c7b4185e905670d0374e5d36f2ca58e68e962484893311b

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs-1.js
  Filesize: 7KB
  MD5: a29db17c3827b4246374ac43aaccf2d6
  SHA1: 98bdec89650792968765321fc70a4022ab5227ad
  SHA256: a715e91be03afaa44fdcb15f4feaa4d6a9b88e38fad4ae1bdc5c0116d46f5883
  SHA512: d91312873fde69d0ae25eeeb9530a3f04d622c53e7a725e1ef9ea1ed1f38f292d3713877ef40d33602b0fc0d94a7c6df2abee42fa1e65c8e1e54dc92f9392a26

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\prefs.js
  Filesize: 6KB
  MD5: f4a3230cf9d17d1f04a14a5c3d27fb0c
  SHA1: f88823655bf21e2e2bdddf406bb83c020f6f5afe
  SHA256: d68446687ff9f0c8c40015a337d1aa57577110b6fef67586599d2f2a29070478
  SHA512: 0bbcf3c5abb336aeb4417fab9926241f22b9b41752848be1ffdc8d9a65af5352aac72a91e10b897a25db3f7f867d967df65947a3b534c3c8a5a68c539afad23a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 7da412f4268d7d4c31bfe37bf3e47486
  SHA1: 43c90a5971041c283a063dc7d238a69e06da3322
  SHA256: cf883748540b3c545d929e92b1c4a76b7621e1ec49d4a63f5f1d1a770df0f1e3
  SHA512: b4fb1cca58867218a53e5399783cfe8959dc502f992ed97bedb8b2c54b976dce37ccb74c9f7320620da5636a659f2b7e0e3867c7d4727f9e527f9435e59e0d41

• \??\pipe\LOCAL\crashpad_3604_KWMZMUFWFXJVVZYJ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/2716-2-0x00000000004F1000-0x000000000051F000-memory.dmp
  Filesize: 184KB

• memory/2716-5-0x00000000004F0000-0x00000000009A9000-memory.dmp
  Filesize: 4.7MB

• memory/2716-0-0x00000000004F0000-0x00000000009A9000-memory.dmp
  Filesize: 4.7MB

• memory/2716-15-0x00000000004F0000-0x00000000009A9000-memory.dmp
  Filesize: 4.7MB

• memory/2716-3-0x00000000004F0000-0x00000000009A9000-memory.dmp
  Filesize: 4.7MB

• memory/2716-1-0x0000000077724000-0x0000000077726000-memory.dmp
  Filesize: 8KB

• memory/2872-524-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2500-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-380-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2524-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-20-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-19-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-18-0x00000000007B1000-0x00000000007DF000-memory.dmp
  Filesize: 184KB

• memory/2872-2522-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-379-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-17-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-373-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-368-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-367-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2507-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2506-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2502-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-1426-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2377-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2458-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-2501-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/2872-241-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/3216-339-0x0000000000B80000-0x000000000176B000-memory.dmp
  Filesize: 11.9MB

• memory/3216-129-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize: 972KB

• memory/3216-320-0x0000000000B80000-0x000000000176B000-memory.dmp
  Filesize: 11.9MB

• memory/3216-36-0x0000000000B80000-0x000000000176B000-memory.dmp
  Filesize: 11.9MB

• memory/6476-2504-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/6476-2505-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/6516-636-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/6516-615-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB

• memory/6700-343-0x0000000000220000-0x00000000006D9000-memory.dmp
  Filesize: 4.7MB

• memory/6700-366-0x0000000000220000-0x00000000006D9000-memory.dmp
  Filesize: 4.7MB
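As an added example (not tooling from the sandbox that produced this report), the Python below turns entries of the kind listed above into records and runs the three checks an analyst wants before lifting IOCs from such a listing: it flags any entry whose four digests are those of zero-length input (the crashpad named pipe above carries exactly those, so no content was captured and the hashes identify nothing), it compares each memory dump's stated Filesize with the length implied by its address range, and it groups identical address ranges across PIDs (2872, 6476 and 6516 all carry the same 0x7B0000-0xC69000 image). SAMPLE is a constructed excerpt copied from this listing, written partly in the compact `Label: value` form and partly in the flattened label-then-value form so the parser handles both; the function names are my own.

```python
"""Normalise sandbox 'dropped file' / 'memory dump' entries (added example, not
the sandbox's own tooling). Function names below are my own; SAMPLE is a
constructed excerpt copied from the report's listing."""
import hashlib
import re
from collections import defaultdict

# Digests of zero-length input: an entry carrying all four has no captured
# content (e.g. a named pipe) and must not be used as an IOC.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}
LABELS = {"filesize", "md5", "sha1", "sha256", "sha512"}
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

def parse_entries(text):
    """One dict per '•' bullet. Accepts 'Label: value' on one line or the
    flattened layout where a label and its value sit on successive lines."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"name": line[1:].strip()}
            records.append(current)
            pending = None
        elif current is None:
            continue
        elif pending is not None:            # value line of the flattened layout
            current[pending], pending = line, None
        elif line.lower() in LABELS:         # label line of the flattened layout
            pending = line.lower()
        elif ":" in line and line.split(":", 1)[0].strip().lower() in LABELS:
            key, value = line.split(":", 1)  # compact 'Label: value' layout
            current[key.strip().lower()] = value.strip()
    return records

def region(name):
    """(pid, start, end, byte length) for memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp."""
    m = MEM_RE.match(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, start, end, end - start

def parse_size(text):
    """'4.7MB' -> bytes (the report rounds sizes to one decimal place)."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return float(m.group(1)) * UNITS[m.group(2)]

def analyze(text):
    recs = parse_entries(text)
    out = {"empty_content": [], "size_mismatch": [], "shared_regions": {}}
    pids_by_range = defaultdict(set)
    for r in recs:
        if all(r.get(alg) == d for alg, d in EMPTY_DIGESTS.items()):
            out["empty_content"].append(r["name"])
        reg = region(r["name"])
        if reg is None:
            continue
        pid, start, end, length = reg
        pids_by_range[(start, end)].add(pid)
        # Stated size is rounded; anything beyond 5% is a real discrepancy.
        if "filesize" in r and abs(parse_size(r["filesize"]) - length) > 0.05 * length:
            out["size_mismatch"].append(r["name"])
    out["shared_regions"] = {f"0x{s:X}-0x{e:X}": sorted(p)
                             for (s, e), p in pids_by_range.items() if len(p) > 1}
    return out

# Constructed excerpt of the listing above (two layouts on purpose).
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vg8iw5f0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize
  11.8MB
  MD5
  33bf7b0439480effb9fb212efce87b13
• \??\pipe\LOCAL\crashpad_3604_KWMZMUFWFXJVVZYJ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• memory/2716-2-0x00000000004F1000-0x000000000051F000-memory.dmp
  Filesize: 184KB
• memory/2872-20-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB
• memory/6476-2504-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB
• memory/6516-636-0x00000000007B0000-0x0000000000C69000-memory.dmp
  Filesize: 4.7MB
• memory/3216-36-0x0000000000B80000-0x000000000176B000-memory.dmp
  Filesize: 11.9MB
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The same address range appearing under several PIDs with the same size is what you expect when one payload is re-executed from its install location (the Amadey config above names `explorti.exe` in `ad40971b6b`); dumping one of those regions is usually enough, and the 184KB sub-range at base+0x1000 is the first section of that same image, not a separate artifact.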