Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240704-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    09-07-2024 14:13

General

  • Target

    f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e.exe

  • Size

    1.8MB

  • MD5

    99b800d074dc4121cdc4a127276b9f6e

  • SHA1

    c2099c6ed0cd5be77000c13cda849a84fd7bf662

  • SHA256

    f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e

  • SHA512

    b317716aefab1fd83b3fa6c0057c613e98deb55f577b50d4a4ad93fa2ec71e25994ae28549c3f0d03396ce9a721c83afb6d0c754c2cd46eb85159484d6e315ba

  • SSDEEP

    49152:hz8Y6VEcforjruAZLG6oBSTglgpJAwCXWFzmMEcK0jhF:18Y6VJforjr7gwTDDVCXWFzTEcJh

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain
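
The strings_key above is labelled rc4.plain, i.e. the RC4 key is present in the sample in the clear. The block below is an added example (not code from the report or from the malware) showing how that key recovers the bot's encrypted strings. It assumes, as is usual for Amadey 4.x but not stated on this page, that each encrypted string is hex-encoded RC4 ciphertext under the 32-character key taken as ASCII; SAMPLE_BLOBS are constructed here by encrypting config values from this report, not strings dumped from the binary.

```python
"""RC4 string decryption with the Amadey strings_key from this report.

Added example, not code from the report or from the malware. Assumption: the
encrypted strings are hex-encoded RC4 ciphertext keyed with the 32-character
strings_key taken as ASCII (the usual Amadey 4.x layout, not stated on the
page). SAMPLE_BLOBS are CONSTRUCTED by encrypting config values from the
report with that key so the decrypt path can be exercised offline.
"""
from typing import Optional

STRINGS_KEY = b"a434973ad22def7137dbb5e059b7081e"  # Amadey strings_key (report)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(hex_blob: str, key: bytes = STRINGS_KEY) -> str:
    """Decode one hex-encoded RC4 string; latin-1 keeps every byte value."""
    return rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")


def encrypt_string(plain: str, key: bytes = STRINGS_KEY) -> str:
    """Inverse of decrypt_string; used only to build the constructed samples."""
    return rc4(key, plain.encode("latin-1")).hex()


def looks_like_text(s: str) -> bool:
    """Cheap plausibility check: a wrong key yields bytes outside printable ASCII."""
    return bool(s) and all(0x20 <= ord(c) < 0x7F for c in s)


def decrypt_all(blobs: dict, key: bytes = STRINGS_KEY) -> dict:
    """Decrypt a named set of blobs; entries that do not decode to text become None."""
    result: dict = {}
    for name, blob in blobs.items():
        plain: Optional[str]
        try:
            plain = decrypt_string(blob, key)
        except ValueError:                     # malformed hex
            plain = None
        result[name] = plain if plain is not None and looks_like_text(plain) else None
    return result


# Constructed samples: report values encrypted under the report key.
SAMPLE_BLOBS = {
    "install_dir": encrypt_string("ad40971b6b"),
    "install_file": encrypt_string("explorti.exe"),
    "url_path": encrypt_string("/Hun4Ko/index.php"),
}

if __name__ == "__main__":
    for name, value in decrypt_all(SAMPLE_BLOBS).items():
        print(f"{name:13} {value}")
    # A wrong key does not fit the keystream; unreadable entries come back as None.
    print("wrong key:", decrypt_all(SAMPLE_BLOBS, key=b"0" * 32))
```

Because RC4 is symmetric the same routine serves as the string decryptor and as the way to build test vectors; looks_like_text is the quick check that separates a correct key from a wrong one when it is not yet clear which 32-character constant in the binary is the key.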

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey is a simple bot/trojan used mainly to collect reconnaissance information from the host and to fetch and run additional payloads; in this run it installs itself as explorti.exe and launches the dropped c601e7652d.exe and 308a927c7d.exe.

  • Stealc

    Stealc is an infostealer written in C++. The nss3.dll and mozglue.dll copies written to C:\ProgramData (listed under Downloads) are the Mozilla NSS libraries a stealer loads to decrypt Firefox's stored logins.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer that can run Windows applications and is sometimes used as a sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser data such as saved credentials, cookies and session tokens.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

    Setting ThreadHideFromDebugger on a thread stops an attached debugger from receiving that thread's events, a common anti-analysis measure.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times. In this run it is the likely persistence mechanism for the Amadey install_file: explorti.exe is started twice more with no parent in the tree (PIDs 6920 and 6960), which is consistent with scheduled-task launches.
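
The signatures above describe behaviours; the report's concrete indicators (the C2 hosts and URL paths from Malware Config, the Amadey install path, the SHA-256 values of the nss3.dll and mozglue.dll copies listed under Downloads, and the cmd.exe /c start launcher pattern from the process tree) can be turned into host-telemetry matching. The block below is an added example, not tooling from the sandbox: the events it runs over are constructed Sysmon-style records that imitate the process tree, and the rule names and event-field layout are this example's own.

```python
"""Match the Amadey/Stealc indicators from this report against host telemetry.

Added example, not tooling from the report. The indicator values (C2 hosts,
URL paths, Amadey install path, SHA-256 of the dropped DLLs) are copied from
the report; SAMPLE_EVENTS are CONSTRUCTED Sysmon-style records that imitate
the process tree and are not taken from the sandbox run.
"""
import re

C2_HOSTS = {"77.91.77.82": "amadey", "85.28.47.30": "stealc"}
C2_PATHS = {"/Hun4Ko/index.php": "amadey", "/920475a59bac849d.php": "stealc"}
DROPPED_SHA256 = {
    "ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5": "nss3.dll",
    "ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a": "mozglue.dll",
}
# Amadey install location: %LOCALAPPDATA%\Temp\<install_dir>\<install_file>
AMADEY_INSTALL = re.compile(r"\\AppData\\Local\\Temp\\ad40971b6b\\explorti\.exe$", re.I)
# Mozilla NSS DLLs belong in the Firefox install directory, not in C:\ProgramData
PROGRAMDATA_NSS = re.compile(r"^C:\\ProgramData\\(nss3|mozglue)\.dll$", re.I)
# cmd.exe /c start "" "<...>\AppData\Local\Temp\<name>.exe" launcher seen in the tree
CMD_START_TEMP = re.compile(
    r'/c\s+start\s+""\s+"[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.exe"', re.I)


def match_event(ev: dict) -> list:
    """Return [(rule, detail), ...] for one event; empty list when nothing matches."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        family = C2_HOSTS.get(ev.get("dst_ip", ""))
        if family:
            hits.append((f"{family}_c2_host", ev["dst_ip"]))
        url = ev.get("url", "")
        for path, family in C2_PATHS.items():
            if url.endswith(path):
                hits.append((f"{family}_c2_path", path))
    elif kind == "process":
        image = ev.get("image", "")
        if AMADEY_INSTALL.search(image):
            hits.append(("amadey_install_path", image))
        if CMD_START_TEMP.search(ev.get("cmdline", "")):
            hits.append(("cmd_start_temp_exe", ev["cmdline"]))
    elif kind == "file":
        name = DROPPED_SHA256.get(ev.get("sha256", "").lower())
        if name:
            hits.append(("stealc_dropped_dll_hash", name))
        path = ev.get("path", "")
        if PROGRAMDATA_NSS.match(path):
            hits.append(("nss_dll_in_programdata", path))
    return hits


def match_events(events) -> list:
    """Flatten matches over an event stream into {pid, rule, detail} findings."""
    return [{"pid": ev.get("pid"), "rule": rule, "detail": detail}
            for ev in events for rule, detail in match_event(ev)]


# Constructed events imitating the report's process tree (not sandbox output).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3336,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"'},
    {"type": "network", "pid": 3336, "dst_ip": "77.91.77.82", "dst_port": 80,
     "url": "http://77.91.77.82/Hun4Ko/index.php"},
    {"type": "file", "pid": 1672, "path": r"C:\ProgramData\nss3.dll",
     "sha256": "ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5"},
    {"type": "network", "pid": 1672, "dst_ip": "85.28.47.30", "dst_port": 80,
     "url": "http://85.28.47.30/920475a59bac849d.php"},
    {"type": "process", "pid": 6544, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEGHJDGIJE.exe"'},
    # benign noise that must not match
    {"type": "process", "pid": 9001, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "network", "pid": 428, "dst_ip": "203.0.113.10", "dst_port": 443,
     "url": "https://203.0.113.10/"},
]

if __name__ == "__main__":
    for f in match_events(SAMPLE_EVENTS):
        print(f"pid={f['pid']:<5} {f['rule']:<26} {f['detail']}")
```

The hash rule catches the exact files seen here; the path rule (nss3.dll or mozglue.dll appearing under C:\ProgramData) is the more durable signal, because the legitimate copies live in the Firefox install directory and the staged copy's hash changes whenever the actor bundles a different Firefox build.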

Processes

  • C:\Users\Admin\AppData\Local\Temp\f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e.exe
    "C:\Users\Admin\AppData\Local\Temp\f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3336
      • C:\Users\Admin\AppData\Local\Temp\1000006001\c601e7652d.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\c601e7652d.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1672
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEGHJDGIJE.exe"
          4⤵
            PID:6544
            • C:\Users\Admin\AppData\Local\Temp\JEGHJDGIJE.exe
              "C:\Users\Admin\AppData\Local\Temp\JEGHJDGIJE.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:6648
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGCFHDAKEC.exe"
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:6568
        • C:\Users\Admin\AppData\Local\Temp\1000010001\308a927c7d.exe
          "C:\Users\Admin\AppData\Local\Temp\1000010001\308a927c7d.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4764
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9579.tmp\957A.tmp\957B.bat C:\Users\Admin\AppData\Local\Temp\1000010001\308a927c7d.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1064
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              5⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:428
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffdb44fab58,0x7ffdb44fab68,0x7ffdb44fab78
                6⤵
                  PID:1616
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=2076,i,588440497534370141,17402869598132430841,131072 /prefetch:2
                  6⤵
                    PID:2260
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=2076,i,588440497534370141,17402869598132430841,131072 /prefetch:8
                    6⤵
                      PID:2020
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1928 --field-trial-handle=2076,i,588440497534370141,17402869598132430841,131072 /prefetch:8
                      6⤵
                        PID:2336
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=2076,i,588440497534370141,17402869598132430841,131072 /prefetch:1
                        6⤵
                          PID:5224
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=2076,i,588440497534370141,17402869598132430841,131072 /prefetch:1
                          6⤵
                            PID:5392
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3832 --field-trial-handle=2076,i,588440497534370141,17402869598132430841,131072 /prefetch:1
                            6⤵
                              PID:5532
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=2076,i,588440497534370141,17402869598132430841,131072 /prefetch:2
                              6⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:752
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
                            5⤵
                            • Enumerates system info in registry
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of WriteProcessMemory
                            PID:2132
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffdb43a3cb8,0x7ffdb43a3cc8,0x7ffdb43a3cd8
                              6⤵
                                PID:788
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
                                6⤵
                                  PID:4840
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
                                  6⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5088
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
                                  6⤵
                                    PID:3016
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
                                    6⤵
                                      PID:3776
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:8
                                      6⤵
                                        PID:1872
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
                                        6⤵
                                          PID:5992
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
                                          6⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:6968
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
                                          6⤵
                                            PID:7140
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
                                            6⤵
                                              PID:7148
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
                                              6⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:6264
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                                              6⤵
                                                PID:6408
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
                                                6⤵
                                                  PID:6416
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,17252982373147123838,16022805892615979072,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5084 /prefetch:2
                                                  6⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5996
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                                                5⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:1032
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                                                  6⤵
                                                  • Checks processor information in registry
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  • Suspicious use of SetWindowsHookEx
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4960
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4960.0.1984878429\470709438" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e838378-fc42-460f-a0f6-673179bebe17} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" 1852 1911a504758 gpu
                                                    7⤵
                                                      PID:1428
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4960.1.1393697439\2138781652" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b45f0daf-0373-410c-ab9d-76760fc1299c} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" 2436 1910d684a58 socket
                                                      7⤵
                                                        PID:4812
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4960.2.783664339\447743898" -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f374fbca-76c9-4876-8b80-6dd29b233d31} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" 3260 1911c94a258 tab
                                                        7⤵
                                                          PID:2644
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4960.3.835206591\1752524233" -childID 2 -isForBrowser -prefsHandle 3020 -prefMapHandle 2820 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd0fd30a-6d9e-4930-86c7-1256914e189d} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" 2944 19120010258 tab
                                                          7⤵
                                                            PID:4124
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4960.4.2011479136\469374948" -childID 3 -isForBrowser -prefsHandle 5212 -prefMapHandle 5208 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3cba376-18fa-448f-b429-d70b0ae5ee1a} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" 5164 19122267258 tab
                                                            7⤵
                                                              PID:5848
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4960.5.2123704327\42767227" -childID 4 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d01f2f70-26fe-4c04-8970-4626e5a09226} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" 5336 191222d1258 tab
                                                              7⤵
                                                                PID:5384
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4960.6.1217473469\1566978807" -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5536 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67d13495-73d5-4d53-add4-b1eaf7b72102} 4960 "\\.\pipe\gecko-crash-server-pipe.4960" 5236 19122346c58 tab
                                                                7⤵
                                                                  PID:5400
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1032
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5640
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5848
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6920
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\60c29c9a-beae-4f52-a00c-1a4e975209cc.tmp

    Filesize

    7KB

    MD5

    48fe2eddee321f2fb498cc7a45fea89f

                                                            SHA1

                                                            497bdb5a6231fca1eb211786a013f88d8cd96211

                                                            SHA256

                                                            5164b72c30ce5ff8e247196d5898c0cff4b9e110633c00439cf01ef96c221f34

                                                            SHA512

                                                            b81c82d66a1a82538fc22cdb35b2220c8678400ed7bb9735565e38dc8ef3b95b02594acabef1010a3cb49d5d5e5e95ffae4ba49bdefe1dee60f349cb516cee3a

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

                                                            Filesize

                                                            67KB

                                                            MD5

                                                            51c3c3d00a4a5a9d730c04c615f2639b

                                                            SHA1

                                                            3b92cce727fc1fb03e982eb611935218c821948f

                                                            SHA256

                                                            cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f

                                                            SHA512

                                                            7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

                                                            Filesize

                                                            33KB

                                                            MD5

                                                            1c0c8433626cac08202f23a1dae54325

                                                            SHA1

                                                            3a5700eeeacd9f9d6b17c2707f75f29308658cd3

                                                            SHA256

                                                            7aad4c7a174a145a4f9f11506145b521631ee2cb1ca2f7617b900ba515b31cd3

                                                            SHA512

                                                            da693d1d63c9971cb80792063f0e8d3335edb67ee1dcde4040d0dc8f44398f99d9f683eaab8cf44ebf5cdb78eae6672d43fd9ed9b45a526a80a311d8c77bcc8c

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

                                                            Filesize

                                                            36KB

                                                            MD5

                                                            103d7813f0ccc7445b4b9a4b34fc74bf

                                                            SHA1

                                                            ed862e8ebd885acde6115c340e59e50e74e3633b

                                                            SHA256

                                                            0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b

                                                            SHA512

                                                            0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            216B

                                                            MD5

                                                            378f43432b80086bf459de680ce34abd

                                                            SHA1

                                                            04baae100f7cf613da297d9018d946c13ef58b74

                                                            SHA256

                                                            09925822e61c0dab9e953f711281f6f57889b324963c5c3a90d67d756c2e8784

                                                            SHA512

                                                            49d81cb80e7130300d420820940c8451166d6eaaf5d3aaf7ad83a9bc2fe3e63628e17b20e2974afc2be09ffc784b3063be7d8bee90cb112aa528a0572e203bf9

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            973302c6af5bc5a3cdfeba1e39f9b68c

                                                            SHA1

                                                            db058aabce3cbff28144a09271a20a3a15137696

                                                            SHA256

                                                            be68bb4cd1b805f1a9e3901796281cc9d4bd4afb8fac9f98ddd6cc19e784aebb

                                                            SHA512

                                                            8c2b17901fe308ef72393f367c8f2ecaca765ea92cd4005a2bf8a06fa52367ec27a6e5afbd747f0ab4d2bab68e5bdde718f5dca9e9a4c6e526a12b36af7e45f9

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                            Filesize

                                                            2B

                                                            MD5

                                                            d751713988987e9331980363e24189ce

                                                            SHA1

                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                            SHA256

                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                            SHA512

                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                            Filesize

                                                            524B

                                                            MD5

                                                            ea85f921404f7bd93997a9e45ae31c84

                                                            SHA1

                                                            5644e849f7274f64b75b5b5e8642d1b27e7b55bf

                                                            SHA256

                                                            a5b4e6fb643975a8c85572aefcc048d9cc00ccda9868356932c40029f4e920b5

                                                            SHA512

                                                            06a40d04d6a16dff5363b0941509086de6fb9f047fcf9ee9d79f41eb89a0be445b286aa05ca6c848d55fef61becf6d613fcd8d973d318ce18dde6a8e7dccb5c7

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                            Filesize

                                                            144KB

                                                            MD5

                                                            8db6f21bbd7bf4081f7338e35f2107fd

                                                            SHA1

                                                            83bc1e8311f1a492dc07703aca2ef0f012b53ec0

                                                            SHA256

                                                            c6af2c71ec1f1c16aac61e6a63a563f9ccd9c12d09c08db9668f2da8805a84da

                                                            SHA512

                                                            1217c620c3e2c8cd2edf52ad8cb1a20164cba635dded554220e51682000df838bdbb7fe5876c5c4b4b01d0bab11676ca92860d4a11e732fba9beae0d27512c89

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            b03d35a1e3ffb7a9f63b3f24a32b8e85

                                                            SHA1

                                                            878b3c3c4877e1f132819392c12b7de69e1a500a

                                                            SHA256

                                                            832cc8b01bdcc3a2edda654aed8b35bd35b4b308f2843187157e805c61c90435

                                                            SHA512

                                                            fe947eea87acd7d8052bf802f5e1e0105379f07f84160ac51b7771c9d03ae0822b5d56e2ef09b13f0a16b53071df3001f4fe4f255307096477d3db2c9671ee23

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                            MD5

                                                            8db5917f9989b14874593acc38addada

                                                            SHA1

                                                            e2f1f19709d00cef4c7b8e1bca9a82855380a888

                                                            SHA256

                                                            69518d96a22b831de7923bc73ef0ce86cd8394befe8e1c20bf4f95285a15cc63

                                                            SHA512

                                                            39a70a4207338e819b5dd8dcb5b2b4edaa136a27d51edadac3f76f7de224c54753173a13a55667129f0310b3bbc9f258da0a5b9a7f8b7be6c3c45b64a04e40a2

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6f169567-6a38-4af8-a1b0-b57776f754bb.tmp

                                                            Filesize

                                                            5KB

                                                            MD5

                                                            07b2fb8d114dcc69619e54657ba90450

                                                            SHA1

                                                            f8d683422b14edfdb4c76294ab19842a4c64f5be

                                                            SHA256

                                                            986556fe7d5bb6bb8e1abacedb3e04dc748e00e3173f526c076df1823553c676

                                                            SHA512

                                                            63ef16d18b3f426fe03514a3c730958953546418774fab098d529203e9f3fb049dbfbdd468a1021ed9bc1fb2a715fc181eaef2ed3430cd75d82f6e29c31f1ae0

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            216B

                                                            MD5

                                                            bf12fef5502687e7246ae54a858e92a4

                                                            SHA1

                                                            2185b11144c91111b72030b6b916386bd630e419

                                                            SHA256

                                                            777753f4b41a98ad4dceb60d36be1aa668d4b8ad37fac2e65c4904486d5eae0a

                                                            SHA512

                                                            41655a533a014b1476468436c8066e31e19a78ada148102d3ad42ce4c546495ab9eaf867e58db2d7cf2e578a359bff781613baa6dc3bcf9bea0eb2142686fb4b

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            f422900e1870765d0278bbc6cfa6e483

                                                            SHA1

                                                            6940f571aff39f510c63d285e995a17cf1ef82a2

                                                            SHA256

                                                            07713fd754a6c2780809ace9007c74d52ba2ac4ada2c4b3ddd2da5530b9ba78b

                                                            SHA512

                                                            48b4cd6457a6da03223ae82df4fe10d9603232a680dbe6d7dd426eba727cd3440c1e79412d634cfed18824cd6cabcc79b458b7b5d4b477b26d2042c335959790

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            50dbaa6307180649657ed06f61324f7f

                                                            SHA1

                                                            efe8db6562fabb726f98825a5bf9a8b67e3e7031

                                                            SHA256

                                                            e22a79d124c016ebb5741f4c4d7062c27f4e6787c00bef78d387f4b2129151a5

                                                            SHA512

                                                            64bb4635086beb51d8af7e8ad20a3a5a744063e770d6b127762f28353192a837ed00285b8a165f4f6535c100269f376c88f04b2c7524a84c2e165e9d0a2b88bc

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                            MD5

                                                            46295cac801e5d4857d09837238a6394

                                                            SHA1

                                                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                            SHA256

                                                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                            SHA512

                                                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                            MD5

                                                            206702161f94c5cd39fadd03f4014d98

                                                            SHA1

                                                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                            SHA256

                                                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                            SHA512

                                                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            11KB

                                                            MD5

                                                            51924c8752708ba87982dbc8a569b37b

                                                            SHA1

                                                            5b24b1b9a53974c4cbede27f2ac25d1e66d3a84e

                                                            SHA256

                                                            f614365d207aa868ca7ef88e45ed0882e81d875c6361e87e98bfaf4d815fd611

                                                            SHA512

                                                            e8eacb87278710c7db608003ad39708654cef2aad0a414adb44150bd42aa3aa5437e1f0fd69c6135915a6f7d7c8f354df2ebdbe67ef172c5a99d725dcf915cf7

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vzqinq9r.default-release\activity-stream.discovery_stream.json

                                                            Filesize

                                                            22KB

                                                            MD5

                                                            02fb48fe51afcb6763d2ba0bde6f3eb9

                                                            SHA1

                                                            e428a44e43e756506abc0c62ae0255758173d6b3

                                                            SHA256

                                                            09b0cb1acdaee14c874d64ec63bfa09bfbe03ed24dd25ac499599a45012c0df1

                                                            SHA512

                                                            c879a159f220cc5b9bce281d23e1248460c27dffd0ba334c5e772a471737849567ab23f73d6b9bfaeb896358e0871d2a103febd0b7ed71ac855823b44ad6cb7a

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vzqinq9r.default-release\activity-stream.discovery_stream.json.tmp

                                                            Filesize

                                                            22KB

                                                            MD5

                                                            e3ccdd9bbc88cec40a367c30c38e2234

                                                            SHA1

                                                            90227f8c2e086c659b35d81f85bc52eea7a10134

                                                            SHA256

                                                            f8ffb0da9122e92ca7017e5da312a50e039b0b96c3d7e020276d92d8a6a73aa2

                                                            SHA512

                                                            2fb5eb4330623f06b68a16348caca52ef2a68da1114f41e1a4494aa6823001583aa021acab617d6a91e8f1e3a152c2bf94d5ef5e0e0c1a255c20b3b0d89dbd00

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vzqinq9r.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                            Filesize

                                                            13KB

                                                            MD5

                                                            3f7ef36b71acc33610b882b50a96a612

                                                            SHA1

                                                            dbcee009d381427c3c385c62b802e79e6c96c649

                                                            SHA256

                                                            c3a41d46e2570c2236add57ce7e50ce4d627426da6e8f0a152fe8ff5ccdd8427

                                                            SHA512

                                                            510cf0b71f0a291e8d4b9aececf2d0a119ce52e75e67b469442299a0aa293dbb99a82835872b0baf80aab0dbe7b8570294ced05e6e2535087dd69d8613963a42

                                                          • C:\Users\Admin\AppData\Local\Temp\1000006001\c601e7652d.exe

                                                            Filesize

                                                            2.4MB

                                                            MD5

                                                            3cf711041254d965f4d100dfd2af83b5

                                                            SHA1

                                                            567f213eabaf61bf82e941631dbecd518b61d089

                                                            SHA256

                                                            77e9b3740b0e2fd375cd1981ce2ad2ece335200794fa7eb92d4befee2094b9ce

                                                            SHA512

                                                            629f3136a6ebacf69800ed96000709c28ac096937c75cacb262394922779ab6cc613dd496e263ac02b41b998daa570771b68fd6a79b5d73fb3c4a45ef0bdb718

                                                          • C:\Users\Admin\AppData\Local\Temp\1000010001\308a927c7d.exe

                                                            Filesize

                                                            89KB

                                                            MD5

                                                            bc08b445116ecc06852a929a5d302c4a

                                                            SHA1

                                                            a78aa42220b90d47b4cf63119e6082f06b295f57

                                                            SHA256

                                                            5b232254dd2d33eb576516116977c884fba81d5a8427f742a73655f9e076efc6

                                                            SHA512

                                                            657a21d453112fb909be4005e0cab1ebf467840e275a159eb535b486432ffa0bfcc60da92475b26f08a0ea481c927654520a43163e04e34324551cb3bfd69fdf

                                                          • C:\Users\Admin\AppData\Local\Temp\9579.tmp\957A.tmp\957B.bat

                                                            Filesize

                                                            2KB

                                                            MD5

                                                            de9423d9c334ba3dba7dc874aa7dbc28

                                                            SHA1

                                                            bf38b137b8d780b3d6d62aee03c9d3f73770d638

                                                            SHA256

                                                            a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

                                                            SHA512

                                                            63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                            Filesize

                                                            1.8MB

                                                            MD5

                                                            99b800d074dc4121cdc4a127276b9f6e

                                                            SHA1

                                                            c2099c6ed0cd5be77000c13cda849a84fd7bf662

                                                            SHA256

                                                            f97ff5194352acfd96ba9dce6341293f59c10a1aa7b716f5643840abde275e3e

                                                            SHA512

                                                            b317716aefab1fd83b3fa6c0057c613e98deb55f577b50d4a4ad93fa2ec71e25994ae28549c3f0d03396ce9a721c83afb6d0c754c2cd46eb85159484d6e315ba

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                            Filesize

                                                            442KB

                                                            MD5

                                                            85430baed3398695717b0263807cf97c

                                                            SHA1

                                                            fffbee923cea216f50fce5d54219a188a5100f41

                                                            SHA256

                                                            a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                            SHA512

                                                            06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                            Filesize

                                                            8.0MB

                                                            MD5

                                                            a01c5ecd6108350ae23d2cddf0e77c17

                                                            SHA1

                                                            c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                            SHA256

                                                            345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                            SHA512

                                                            b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\cookies.sqlite-wal
  Filesize: 256KB
  MD5: 329aa5f0974245068956a53af0cabc40
  SHA1: c9df2b524965c3590d4be2e7a1a79c566d480b05
  SHA256: eebab12597a1ef34a474c6df1ab74f426651e069520a829d4d726da6abdc8da6
  SHA512: a9f142c15b2d5c95943f9c95c57a6fe1a8783d6e1b2a3444d4d27256c454958547e2837577321a9a66c1e79a4000145e49be6ca3f93b7cb4c8c15ca06aefebfa

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\places.sqlite-wal
  Filesize: 992KB
  MD5: 946d2887d668a337e292f1c99a14915e
  SHA1: c56e24ad19a0c571bb8f5e50cafad3bd2e72515e
  SHA256: b04d063a9e51037afc4f5e52953703239c84aa49b6027b904180ce7380357230
  SHA512: dbbcfe44fc5c2bca501f89aeb60aeb72fa174c6cb80e018f3d577fabc3dec64856fadbcef1e953ffe89518daa01385e5bd1346094980e44274ced39e52ffe168

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\prefs-1.js
  Filesize: 6KB
  MD5: f54c54bba108a52b3930693ffd5d2a3b
  SHA1: 235800a87466b3535ef6879073347dab0f495d14
  SHA256: fdf6a1786aef43161ed18d76b7b843988cb85bcb2c5b75d85b540af7981c0456
  SHA512: a22430ad0a8557d40fc157fb9a4debd5039105f26dddf3f77c6f204973996a2db6c25e0a01764bea1bd9eff5605d1d59644b2242dc554b29e8fb0b54974c1497

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\prefs-1.js
  Filesize: 8KB
  MD5: cb42db92ffc77ea0e707f7e511520ad8
  SHA1: 59e43c2272e9b5ef79272629aef6034ae5cee41b
  SHA256: 08bdaae8246e9f4d51b0e72e7a2d8eb9f3b871bf72213422518ee4d60bc89920
  SHA512: 2e8c867fec46822893e2a87c6951c6e761500964a5f2d6952b181f8db2837e7c6b7ab92da4cfcc4134451af4fdbd7056bddc058189ecb762759ae550ee9915d1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\prefs.js
  Filesize: 6KB
  MD5: a73e5f872b946f34c5e102e5bdc50244
  SHA1: 1440cc425f2409c7381bcb849a9a6bcc97bf220e
  SHA256: de253458123b049ec690cbb21b7b9f1affd66a7ec826a408dc5d1107fe3502b1
  SHA512: 6c374d5ecd775f3ce03aa7e71577a2160e7c7968b7cd9b8ca58b8fe268065a8d2bded64665e51175fcb69b7c1865aff95d469bc717663c803d557bbda1bc1b03

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vzqinq9r.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: d4487b278f7567d0dca390ab0c7a3d60
  SHA1: 7076da2a022d314b68b5b99ce014146c81683d6d
  SHA256: 6f05eccb4e8eefcdc30e91cd18c074d108901ab46e5c3e6527e95c95e88845cd
  SHA512: 23352ed1ab5bd40becfbb1e99197c275f58802d8f780e7ef35047d3b870ea0d80c5363faed604c4cc52c996c078b5bf54b07f0d3d618ca26570c5f6c5a7ba212

• \??\pipe\LOCAL\crashpad_2132_DCPWJVLOHZRCIOUQ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/1672-37-0x0000000000370000-0x0000000000F5B000-memory.dmp
  Filesize: 11.9MB

• memory/1672-314-0x0000000000370000-0x0000000000F5B000-memory.dmp
  Filesize: 11.9MB

• memory/1672-111-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize: 972KB

• memory/3336-637-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-302-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2534-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2531-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2518-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-425-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2517-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-382-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-381-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-370-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2516-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2511-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-18-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-19-0x0000000000161000-0x000000000018F000-memory.dmp
  Filesize: 184KB

• memory/3336-20-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-21-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2510-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-395-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2472-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-1954-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/3336-2446-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/4808-0-0x0000000000D10000-0x00000000011C9000-memory.dmp
  Filesize: 4.7MB

• memory/4808-2-0x0000000000D11000-0x0000000000D3F000-memory.dmp
  Filesize: 184KB

• memory/4808-1-0x00000000770D6000-0x00000000770D8000-memory.dmp
  Filesize: 8KB

• memory/4808-17-0x0000000000D10000-0x00000000011C9000-memory.dmp
  Filesize: 4.7MB

• memory/4808-3-0x0000000000D10000-0x00000000011C9000-memory.dmp
  Filesize: 4.7MB

• memory/4808-5-0x0000000000D10000-0x00000000011C9000-memory.dmp
  Filesize: 4.7MB

• memory/6648-318-0x0000000000910000-0x0000000000DC9000-memory.dmp
  Filesize: 4.7MB

• memory/6648-361-0x0000000000910000-0x0000000000DC9000-memory.dmp
  Filesize: 4.7MB

• memory/6920-427-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/6920-426-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/6960-2513-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB

• memory/6960-2515-0x0000000000160000-0x0000000000619000-memory.dmp
  Filesize: 4.7MB