Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-07-2024 15:25

General

  • Target

    aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe

  • Size

    1.8MB

  • MD5

    be9279ae8e72bd3949041c5d612c9fa0

  • SHA1

    4dbce3694977610ff0aefeff93dfd83955a2b97e

  • SHA256

    aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6

  • SHA512

    723e0489a74951b28619ee433bf9fae53f294a31a47e2843d43b8b34f88ea4a350375a837a98903f1236e9e86308d97dd22ea763877a59f02888beb10c00246c

  • SSDEEP

    49152:LUwzmoIrmSmUwvkdjfVWwshUl5cy0kS5xJw6:LUQIrREkdjA5eGyqbt

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 5 IoCs]
  • Downloads MZ/PE file
  • Checks BIOS information in registry [2 TTPs, 10 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings [2 TTPs, 5 IoCs]

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE [6 IoCs]
  • Identifies Wine through registry keys [2 TTPs, 5 IoCs]

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL [2 IoCs]
  • Reads data files stored by FTP clients [2 TTPs]

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers [2 TTPs]

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
  • Checks installed software on the system [1 TTPs]

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger [7 IoCs]
  • Drops file in Windows directory [1 IoCs]
  • Enumerates physical storage devices [1 TTPs]

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry [2 TTPs, 8 IoCs]

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry [2 TTPs, 6 IoCs]
  • Modifies registry class [1 IoCs]
  • Suspicious behavior: EnumeratesProcesses [27 IoCs]
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [6 IoCs]
  • Suspicious use of AdjustPrivilegeToken [64 IoCs]
  • Suspicious use of FindShellTrayWindow [56 IoCs]
  • Suspicious use of SendNotifyMessage [51 IoCs]
  • Suspicious use of SetWindowsHookEx [3 IoCs]
  • Suspicious use of WriteProcessMemory [64 IoCs]
  • Uses Task Scheduler COM API [1 TTPs]

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
    "C:\Users\Admin\AppData\Local\Temp\aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Users\Admin\AppData\Local\Temp\1000006001\d371ab667f.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\d371ab667f.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1432
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"
          4⤵
          PID:6624
          • C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe
            "C:\Users\Admin\AppData\Local\Temp\KJEHDHIEGI.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:6728
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJDGIIEBFC.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of SetWindowsHookEx
          PID:6648
      • C:\Users\Admin\AppData\Local\Temp\1000010001\f444765c53.exe
        "C:\Users\Admin\AppData\Local\Temp\1000010001\f444765c53.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DA14.tmp\DA15.tmp\DA16.bat C:\Users\Admin\AppData\Local\Temp\1000010001\f444765c53.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3860
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9cc1fab58,0x7ff9cc1fab68,0x7ff9cc1fab78
              6⤵
              PID:3948
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1944,i,10794703219248478415,7772555083818506129,131072 /prefetch:2
              6⤵
              PID:4500
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 --field-trial-handle=1944,i,10794703219248478415,7772555083818506129,131072 /prefetch:8
              6⤵
              PID:4444
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1944,i,10794703219248478415,7772555083818506129,131072 /prefetch:8
              6⤵
              PID:4684
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1944,i,10794703219248478415,7772555083818506129,131072 /prefetch:1
              6⤵
              PID:2616
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1944,i,10794703219248478415,7772555083818506129,131072 /prefetch:1
              6⤵
              PID:2728
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3404 --field-trial-handle=1944,i,10794703219248478415,7772555083818506129,131072 /prefetch:1
              6⤵
              PID:5420
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1944,i,10794703219248478415,7772555083818506129,131072 /prefetch:2
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:6524
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9cc0a46f8,0x7ff9cc0a4708,0x7ff9cc0a4718
              6⤵
              PID:4456
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10918878027752242380,8173731352688284148,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
              6⤵
              PID:4772
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,10918878027752242380,8173731352688284148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4508
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,10918878027752242380,8173731352688284148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
              6⤵
              PID:5020
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10918878027752242380,8173731352688284148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
              6⤵
              PID:2980
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10918878027752242380,8173731352688284148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
              6⤵
              PID:5124
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,10918878027752242380,8173731352688284148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
              6⤵
              PID:5928
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,10918878027752242380,8173731352688284148,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 /prefetch:2
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5368
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4392
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1796
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.0.831420655\1268806913" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcbb6e62-c273-4350-891e-188e28a9ab3c} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 1840 22409124d58 gpu
                7⤵
                PID:3196
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.1.164978642\1051803920" -parentBuildID 20230214051806 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {412652de-dd06-4189-a935-5196fba222e6} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 2472 22407f23e58 socket
                7⤵
                PID:1184
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.2.1506298897\690861838" -childID 1 -isForBrowser -prefsHandle 2816 -prefMapHandle 3036 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17693844-440a-4239-a128-8774794b0754} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 3028 22407f97b58 tab
                7⤵
                PID:2688
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.3.1897431045\787949855" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1922ef68-c6a7-47c4-96da-b6ff2815ce9a} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 3688 2240b810b58 tab
                7⤵
                PID:5312
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.4.2025805679\1679852716" -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5080 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4e52e43-17ef-4605-a8a0-1694ef0360f9} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 5116 2240f3b2858 tab
                7⤵
                PID:5496
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.5.1575281508\1693442721" -childID 4 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {312e83e1-6799-436d-9f0c-35069aabfed7} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 5356 2240f3b3158 tab
                7⤵
                PID:5516
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1796.6.1678343556\2034785253" -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5536 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d06aa30-4b4b-4b09-9111-89f80cf9345e} 1796 "\\.\pipe\gecko-crash-server-pipe.1796" 5548 2240f3e4358 tab
                7⤵
                PID:5456
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:4828
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5568
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5864
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6160
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1252

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\GIJKKKFCFHCFIECBGDHI
    Filesize: 6KB
    MD5: f8dd2b77af5e561646073eaf77d0c4ca
    SHA1: faa527e40c0a52273a632611d59f4fe2b32bca0b
    SHA256: 67990c0a4823bcddfe31f3bf60717d95fbd4025ccde75238f916df3b25b20e9e
    SHA512: d1952011a0c66b20092a1984924f2084ab6d93c6f50e9eb502104a78f8e544e275ef8b9f25558974c43ba02ee945f1807d3aa2daa1380ee0c2e9c712744d53f0

  • C:\ProgramData\mozglue.dll
    Filesize: 593KB
    MD5: c8fd9be83bc728cc04beffafc2907fe9
    SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
    SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
    SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll
    Filesize: 2.0MB
    MD5: 1cc453cdf74f31e4d913ff9c10acdde2
    SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
    SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
    SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
    Filesize: 67KB
    MD5: 51c3c3d00a4a5a9d730c04c615f2639b
    SHA1: 3b92cce727fc1fb03e982eb611935218c821948f
    SHA256: cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
    SHA512: 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 240B
    MD5: bc1268fa9954f866d613174f6860f1e5
    SHA1: c7c92cf287c86ac95872f8092f52247b5569717d
    SHA256: a2ae997ee922213d9658a7d605158bd6e71287723a0a5cdf190018dc653b32a8
    SHA512: 18dd3bbe85421228652ed6fb979458221bc25cd9cb755577bb5f3413db0786cbacfc17a4570d3ccf6992c7400c32b908603a4765449a6c0ed281c04fca61b2d4

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: bc9f6616a4f07adfc26ec91e921121d8
    SHA1: bdb5d8573b0b5b4258d740f1b39a38fb259aa326
    SHA256: a19b398f1187463955d569ae14cb35bcd91e72b7ba062147d098f3dbee25bd4d
    SHA512: 30d36cdf5437343fc631d2fe651e865df65721aef3a4147aac2b43502659dea2c3021389b00d8656c9bd7c7c7a53f00af0d4f04d6e6fbce9004329481f1b643d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: 44d062fb33720b873e2316d45962c9fd
    SHA1: 7a266b27e565205371aa3f81e65ecf03fc03cf99
    SHA256: 943c731d37475128b000f30f59e8d5f124c1a7bebe04ec184fd61b69a5c6ef7a
    SHA512: 77fb0c58f33d81b88f147ff2b9f629865b7cbbf5de292554cbf91db65d9e6c00f0a0547da0dc387ff38748010dd04ad9cbc61fc441a6d03c1405e9149eedbc9e

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                    Filesize

                                                    2B

                                                    MD5

                                                    d751713988987e9331980363e24189ce

                                                    SHA1

                                                    97d170e1550eee4afc0af065b78cda302a97674c

                                                    SHA256

                                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                    SHA512

                                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                    Filesize

                                                    524B

                                                    MD5

                                                    be3ea7e5ddbaf55350e941d3aa6c4398

                                                    SHA1

                                                    a80ff2521ed409608b1a965700bedbe9449bab24

                                                    SHA256

                                                    ee92156ce4d22d3993327fe40496df923d39c92d414bfd6c9c0ed65bb6067ee3

                                                    SHA512

                                                    514c872383c34baac95952647fe56fe20533bdef554c314f2561aad575e384f697387b526e80a17d126aae8be5ef99bcffd29f35ca64a4f5ef9ed7e29c381edd

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                    Filesize

                                                    7KB

                                                    MD5

                                                    75c7842e0a4d2238058546d18c1ebdc5

                                                    SHA1

                                                    4ef725cd708d67b4f79689359aebb729943695b3

                                                    SHA256

                                                    8a1277fe570cb73e9a5d15c7a70c919f6443b5b652979a2309477fc797faa14b

                                                    SHA512

                                                    bbda784e4c9a9869d2fe285aa03efe606a9f926c98339b4762ea2ae0c5e405738bae8186f06bf3030d9be277d6720672ced7a3ba507f44a87977c4a2ab7b15ba

                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                    Filesize

                                                    144KB

                                                    MD5

                                                    cb890dea5979f82867cb33c31d8ee2d4

                                                    SHA1

                                                    5e432707d43f564d230ba35c4c9e7ec8d01081fc

                                                    SHA256

                                                    273d9ef9a3a01fe0aa792b8889391e3740e7a49ade6bba3c05dcc0d4179299fc

                                                    SHA512

                                                    2344764620d71ad5a8dfbf8cb00974a3aee8f6dba32c5b4e3d9fba7fedfcc10952a2dc7cd77ecdb372be9297e52308390430591506cd427af018fb3f30abb735

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                    Filesize

                                                    152B

                                                    MD5

                                                    de1d175f3af722d1feb1c205f4e92d1e

                                                    SHA1

                                                    019cf8527a9b94bd0b35418bf7be8348be5a1c39

                                                    SHA256

                                                    1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924

                                                    SHA512

                                                    f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                    Filesize

                                                    152B

                                                    MD5

                                                    06b496d28461d5c01fc81bc2be6a9978

                                                    SHA1

                                                    36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa

                                                    SHA256

                                                    e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507

                                                    SHA512

                                                    6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

                                                    Filesize

                                                    36KB

                                                    MD5

                                                    103d7813f0ccc7445b4b9a4b34fc74bf

                                                    SHA1

                                                    ed862e8ebd885acde6115c340e59e50e74e3633b

                                                    SHA256

                                                    0ccaf58bb2aa430724873fa21515e5f3fbd875390288aade3823ec16962bc27b

                                                    SHA512

                                                    0723baca97705968a068676f74ac01bd492dac94a4fba391de578b6357b79c4aca5412f564dc0ea7ae5b6145256c7f8f22e8a4823f41e2baf50d201ec073be1f

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                    Filesize

                                                    216B

                                                    MD5

                                                    dc6495b5ccbf7eee7134ce9bcc6b87d9

                                                    SHA1

                                                    90188677e21228a7bd8b1fc04b952f3377646b80

                                                    SHA256

                                                    0757d23645862ed44679fde2c58532a727be7ebd24685fc226a061762e6135c2

                                                    SHA512

                                                    19550bf72c16e3b1244629a6063ac1230cd166222fda8f2a050b0d75f9f0b681c9808719db1c25c236e9a0f725cc24bc203f2a6ac26da1b5a80773ed8691b871

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    b2373541270f55ec72e6c026c36817f3

                                                    SHA1

                                                    e37d8023f684344a439d8df3dc1431053ffb052a

                                                    SHA256

                                                    0cb235250648d27e25e44d82766c696e8f5591d84703f4f3893ab781ccc2c3bd

                                                    SHA512

                                                    4cda2fc3a2c3c1b950cacf87fd58d3d784c9c0153613a099f940fc878138bdd0ff0e2a5c0806ecbc74e36f1ad830f875e705465b516e7e9daa69405c07a38f7f

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                    Filesize

                                                    6KB

                                                    MD5

                                                    b0cc9cb93674a0060c3f0c0ba05d3360

                                                    SHA1

                                                    a3519a16ac3d9f1b77dcd3eaab2f3d5eb11551f6

                                                    SHA256

                                                    3d9f152599d926f5481555fa4efc9063b41ed767280685c6a6e34db2b0acf12c

                                                    SHA512

                                                    455ccc16f73840e2ba467b7b2bcdd69bed6bcc4c56497af7c10d23a684da407bbc59656800a38ce96127b139e181db8728d88102a367cf8daf585acca963e8ef

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                    Filesize

                                                    6KB

                                                    MD5

                                                    825b74505be5dbeed3a89ba0dc0c1258

                                                    SHA1

                                                    741d57cec26f5e2474d9ba4354a3658325af424c

                                                    SHA256

                                                    b94c12f3faf1ae6c8f7b6cbe93480bbe29dde4a08d06e64b3d8fcbb63208ef48

                                                    SHA512

                                                    e5956adf1e2f02705df503b25096203ff6bc9e610a9920ae3a356c854a5a5d1e626f9ef124a443efbf03e34a786d45f704dbb8836203a14fbb74888e7651bf0b

                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                    Filesize

                                                    11KB

                                                    MD5

                                                    774b4c42298d9211912168f1840a7e74

                                                    SHA1

                                                    73f367cbdaa24913d0238e9ede984feb0a578096

                                                    SHA256

                                                    1aff2c3ffaac2227efede926609fac830625e8dd05d7a77c973addad2042183f

                                                    SHA512

                                                    c0e23f857b5de7cb0759ddd6bb66590a5c127fc198bbed9bd175757de1f9c96c573df7dd743ac02138eb00086eda031eaa2d109c0f55ffff240cf4718adf831c

                                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kmthw6b9.default-release\activity-stream.discovery_stream.json.tmp

                                                    Filesize

                                                    23KB

                                                    MD5

                                                    b78b7c5520e370eb9d26e4a213e7da88

                                                    SHA1

                                                    8c247927ac72d6fd34bbb0b84b78c5b7292790ad

                                                    SHA256

                                                    b6f79581a2a084b4a93836ede352d3138da2e19ce71ef5db526f034ae2db54b4

                                                    SHA512

                                                    c29dc6700488d7285c7861709d77f1abaad0610e3b31a9ef9b264c3f0edf43018fec71a6e113b64417d77de286bbf8dc316337c6a54b3e10513c8a93865bdfc7

                                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kmthw6b9.default-release\activity-stream.discovery_stream.json.tmp

                                                    Filesize

                                                    23KB

                                                    MD5

                                                    659489f0e9aaac66718f6cba4189829d

                                                    SHA1

                                                    669a46d4e42f6532215d03a26146778e70acd3ed

                                                    SHA256

                                                    76d39ccb20be4ac24a031b99ea5c8bcb570e291b4dd961f7595bf13a3d0ead28

                                                    SHA512

                                                    a9e9d2331b47dd43310a1a019220dc8cc1b4308cc801f5e2ef8120895203a6b8c6d30e624c893e3460c226766619c0725222b2d5cc71178f3194f1f94d1d2d1f

                                                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kmthw6b9.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                    Filesize

                                                    13KB

                                                    MD5

                                                    e227601def2451ae31dd296295f67c65

                                                    SHA1

                                                    dbd97da99296dfcaba68c1d4334d83baaff9154c

                                                    SHA256

                                                    191e6a2c80d98be6c57731e1f718b40b2677bdc366b028e993be7e3bf8bb3bf9

                                                    SHA512

                                                    cb83a9c6d205552971a5d71ce28a6b8ce1941319c9985b40d0d0127777f071807e87b6058a05df9e4506331dc865af675ab1ce4a5a8d098d23c1fdc958e03f38

                                                  • C:\Users\Admin\AppData\Local\Temp\1000006001\d371ab667f.exe

                                                    Filesize

                                                    2.4MB

                                                    MD5

                                                    c03d62f485ea79a178992f22c713c4a5

                                                    SHA1

                                                    aa16eb2b07a4b91b44c9e484923eb8bbcaf893d0

                                                    SHA256

                                                    546b5457cd26c9230fc49a456197aeeb761241adc2dd2774c37b1d3189968cb9

                                                    SHA512

                                                    3051d67889704c3adfe2748612d88b40acdde17b3fcf54ef8ae7466bd38b121db130300b53c9db9a981292507cf830d99bcd86ccacf320ec0198faa40af043fb

                                                  • C:\Users\Admin\AppData\Local\Temp\1000010001\f444765c53.exe

                                                    Filesize

                                                    89KB

                                                    MD5

                                                    bc08b445116ecc06852a929a5d302c4a

                                                    SHA1

                                                    a78aa42220b90d47b4cf63119e6082f06b295f57

                                                    SHA256

                                                    5b232254dd2d33eb576516116977c884fba81d5a8427f742a73655f9e076efc6

                                                    SHA512

                                                    657a21d453112fb909be4005e0cab1ebf467840e275a159eb535b486432ffa0bfcc60da92475b26f08a0ea481c927654520a43163e04e34324551cb3bfd69fdf

                                                  • C:\Users\Admin\AppData\Local\Temp\DA14.tmp\DA15.tmp\DA16.bat

                                                    Filesize

                                                    2KB

                                                    MD5

                                                    de9423d9c334ba3dba7dc874aa7dbc28

                                                    SHA1

                                                    bf38b137b8d780b3d6d62aee03c9d3f73770d638

                                                    SHA256

                                                    a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

                                                    SHA512

                                                    63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

                                                  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                    Filesize

                                                    1.8MB

                                                    MD5

                                                    be9279ae8e72bd3949041c5d612c9fa0

                                                    SHA1

                                                    4dbce3694977610ff0aefeff93dfd83955a2b97e

                                                    SHA256

                                                    aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6

                                                    SHA512

                                                    723e0489a74951b28619ee433bf9fae53f294a31a47e2843d43b8b34f88ea4a350375a837a98903f1236e9e86308d97dd22ea763877a59f02888beb10c00246c

                                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                    Filesize

                                                    442KB

                                                    MD5

                                                    85430baed3398695717b0263807cf97c

                                                    SHA1

                                                    fffbee923cea216f50fce5d54219a188a5100f41

                                                    SHA256

                                                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                    SHA512

                                                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                    Filesize

                                                    8.0MB

                                                    MD5

                                                    a01c5ecd6108350ae23d2cddf0e77c17

                                                    SHA1

                                                    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                    SHA256

                                                    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                    SHA512

                                                    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\cookies.sqlite-wal

                                                    Filesize

                                                    256KB

                                                    MD5

                                                    e57d782b22a312536c4d4f32b25e5f2d

                                                    SHA1

                                                    1532b1300689b062ae9b4f9c860fe567c6c8c786

                                                    SHA256

                                                    725507715cf79234534dc50daea1e245b86dd275939154e276b2ec32cac66b33

                                                    SHA512

                                                    fe3ee4517c4b6fbd8818fe12c607a6d5b35dfbc88d819292151d19ec18b0d26462bcb0715815d141c754a30fb2f7775f976e738c48e37808d716fdca0f12b755

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                    Filesize

                                                    997KB

                                                    MD5

                                                    fe3355639648c417e8307c6d051e3e37

                                                    SHA1

                                                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                    SHA256

                                                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                    SHA512

                                                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                    Filesize

                                                    116B

                                                    MD5

                                                    3d33cdc0b3d281e67dd52e14435dd04f

                                                    SHA1

                                                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                    SHA256

                                                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                    SHA512

                                                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                    Filesize

                                                    479B

                                                    MD5

                                                    49ddb419d96dceb9069018535fb2e2fc

                                                    SHA1

                                                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                    SHA256

                                                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                    SHA512

                                                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                    Filesize

                                                    372B

                                                    MD5

                                                    8be33af717bb1b67fbd61c3f4b807e9e

                                                    SHA1

                                                    7cf17656d174d951957ff36810e874a134dd49e0

                                                    SHA256

                                                    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                    SHA512

                                                    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                    Filesize

                                                    11.8MB

                                                    MD5

                                                    33bf7b0439480effb9fb212efce87b13

                                                    SHA1

                                                    cee50f2745edc6dc291887b6075ca64d716f495a

                                                    SHA256

                                                    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                    SHA512

                                                    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    688bed3676d2104e7f17ae1cd2c59404

                                                    SHA1

                                                    952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                    SHA256

                                                    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                    SHA512

                                                    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    937326fead5fd401f6cca9118bd9ade9

                                                    SHA1

                                                    4526a57d4ae14ed29b37632c72aef3c408189d91

                                                    SHA256

                                                    68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                    SHA512

                                                    b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\places.sqlite-wal (Filesize 992KB)

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\prefs-1.js (Filesize 8KB)

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\prefs.js (Filesize 6KB)

                                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kmthw6b9.default-release\sessionstore-backups\recovery.jsonlz4 (Filesize 4KB)

                                                  • \??\pipe\crashpad_3860_OXWXHXJWJZZIWTIH