Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-07-2024 15:25

General

  • Target

    aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe

  • Size

    1.8MB

  • MD5

    be9279ae8e72bd3949041c5d612c9fa0

  • SHA1

    4dbce3694977610ff0aefeff93dfd83955a2b97e

  • SHA256

    aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6

  • SHA512

    723e0489a74951b28619ee433bf9fae53f294a31a47e2843d43b8b34f88ea4a350375a837a98903f1236e9e86308d97dd22ea763877a59f02888beb10c00246c

  • SSDEEP

    49152:LUwzmoIrmSmUwvkdjfVWwshUl5cy0kS5xJw6:LUQIrREkdjA5eGyqbt

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 55 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe
    "C:\Users\Admin\AppData\Local\Temp\aa8b65064e8a489be284a77c7f8353c4ef7728c72aa60d0ae44dcd74f3b07bb6.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Users\Admin\AppData\Local\Temp\1000006001\38fca796db.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\38fca796db.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHJJECBKKE.exe"
          4⤵
          PID:6972
          • C:\Users\Admin\AppData\Local\Temp\EHJJECBKKE.exe
            "C:\Users\Admin\AppData\Local\Temp\EHJJECBKKE.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:7080
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHDHJEBFBF.exe"
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:6996
      • C:\Users\Admin\AppData\Local\Temp\1000010001\69fe6f9294.exe
        "C:\Users\Admin\AppData\Local\Temp\1000010001\69fe6f9294.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3792
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A911.tmp\A912.tmp\A913.bat C:\Users\Admin\AppData\Local\Temp\1000010001\69fe6f9294.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3148
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3480
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffeb9e4ab58,0x7ffeb9e4ab68,0x7ffeb9e4ab78
              6⤵
              PID:1492
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:2
              6⤵
              PID:2816
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:8
              6⤵
              PID:4528
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1900 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:8
              6⤵
              PID:3252
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:1
              6⤵
              PID:3272
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:1
              6⤵
              PID:2080
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:1
              6⤵
              PID:5612
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 --field-trial-handle=2200,i,6394304447541009493,11935829468335327037,131072 /prefetch:2
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:6192
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4352
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffeb9cf3cb8,0x7ffeb9cf3cc8,0x7ffeb9cf3cd8
              6⤵
              PID:2392
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
              6⤵
              PID:1108
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1836
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
              6⤵
              PID:4988
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
              6⤵
              PID:2608
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
              6⤵
              PID:4408
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
              6⤵
              PID:6132
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:6368
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
              6⤵
              PID:6496
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
              6⤵
              PID:6504
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
              6⤵
              PID:6728
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
              6⤵
              PID:6736
            • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:6308
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13786562487543768080,12283869641936441588,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2920 /prefetch:2
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:7052
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2324
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2152
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.0.1107938817\1610053767" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22035 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22be7227-7411-49c0-98ab-6976d1360235} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 1840 1b862e0d458 gpu
                7⤵
                PID:712
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.1.1835959923\797782370" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 22886 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c6d71a-9369-473f-8d26-8beae36802b6} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 2436 1b84ea84d58 socket
                7⤵
                PID:2212
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.2.1184062084\1354519612" -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 22924 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7595a914-d3df-45ef-a59c-f2de56fb4d98} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 3272 1b86584b958 tab
                7⤵
                PID:1828
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.3.297973513\1536161421" -childID 2 -isForBrowser -prefsHandle 2980 -prefMapHandle 3124 -prefsLen 27575 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c3f0c65-20f5-4b47-b5c9-51ac3ac7a19f} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 2968 1b84ea76b58 tab
                7⤵
                PID:5192
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.4.349218032\1608961938" -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5200 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9db1f39f-618c-4210-854e-4e30657af2f1} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 5244 1b86a6bef58 tab
                7⤵
                PID:5588
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.5.114590502\2035661826" -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5372 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7dd4b6b-bf15-495f-8519-d07bb274186a} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 5408 1b86ae7fb58 tab
                7⤵
                PID:5684
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2152.6.170471861\886261559" -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02fe976-39fd-4637-b555-da5ca3dcd74d} 2152 "\\.\pipe\gecko-crash-server-pipe.2152" 5684 1b86ae80458 tab
                7⤵
                PID:5808
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1452
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5388
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5584
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3184
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6912
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Executes dropped EXE
    PID:7104

Network

MITRE ATT&CK Enterprise v15

                                                          Downloads

                                                          • C:\ProgramData\DAEGIIECGHCBFHJKEHDB

                                                            Filesize

                                                            6KB

                                                          • C:\ProgramData\mozglue.dll

                                                            Filesize

                                                            593KB

                                                          • C:\ProgramData\nss3.dll

                                                            Filesize

                                                            2.0MB

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            216B

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                            Filesize

                                                            2KB

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                            Filesize

                                                            2B

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                            Filesize

                                                            524B

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                            Filesize

                                                            7KB

                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                            Filesize

                                                            144KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5724fcf2-3850-4a0d-b48b-37e7881c3c74.tmp

                                                            Filesize

                                                            11KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                            Filesize

                                                            152B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

                                                            Filesize

                                                            67KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

                                                            Filesize

                                                            33KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

                                                            Filesize

                                                            36KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                            Filesize

                                                            216B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            1KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            11KB

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\activity-stream.discovery_stream.json.tmp

                                                            Filesize

                                                            22KB

                                                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                                                            Filesize

                                                            13KB

                                                          • C:\Users\Admin\AppData\Local\Temp\1000006001\38fca796db.exe

                                                            Filesize

                                                            2.4MB

                                                          • C:\Users\Admin\AppData\Local\Temp\1000010001\69fe6f9294.exe

                                                            Filesize

                                                            89KB

                                                          • C:\Users\Admin\AppData\Local\Temp\A911.tmp\A912.tmp\A913.bat

                                                            Filesize

                                                            2KB

                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                            Filesize

                                                            1.8MB

                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                                                            Filesize

                                                            768KB

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                                            Filesize

                                                            442KB

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                                            Filesize

                                                            8.0MB

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\cookies.sqlite-wal

                                                            Filesize

                                                            256KB

                                                            MD5

                                                            6f35eec265031f5392ab5280302c7534

                                                            SHA1

                                                            1c02d828be829979f7089b36e5c9d0cc295964f3

                                                            SHA256

                                                            dcc3d1bc5b86c0102214498310eab146b2c4cc69f22c86e9c4e001e9bf198adb

                                                            SHA512

                                                            947a346be5c18e0d5135c4eaac62f361fec1fe1fae92d342902245c4f1f0a58d132c629847634e49c4fc42e673d3ca5a7bd6ef3db13ea204b26149a8ee9be0a9

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                            Filesize

                                                            997KB

                                                            MD5

                                                            fe3355639648c417e8307c6d051e3e37

                                                            SHA1

                                                            f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                            SHA256

                                                            1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                            SHA512

                                                            8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                            Filesize

                                                            116B

                                                            MD5

                                                            3d33cdc0b3d281e67dd52e14435dd04f

                                                            SHA1

                                                            4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                            SHA256

                                                            f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                            SHA512

                                                            a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                            Filesize

                                                            479B

                                                            MD5

                                                            49ddb419d96dceb9069018535fb2e2fc

                                                            SHA1

                                                            62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                            SHA256

                                                            2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                            SHA512

                                                            48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                            Filesize

                                                            372B

                                                            MD5

                                                            8be33af717bb1b67fbd61c3f4b807e9e

                                                            SHA1

                                                            7cf17656d174d951957ff36810e874a134dd49e0

                                                            SHA256

                                                            e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                            SHA512

                                                            6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                            Filesize

                                                            11.8MB

                                                            MD5

                                                            33bf7b0439480effb9fb212efce87b13

                                                            SHA1

                                                            cee50f2745edc6dc291887b6075ca64d716f495a

                                                            SHA256

                                                            8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                            SHA512

                                                            d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            688bed3676d2104e7f17ae1cd2c59404

                                                            SHA1

                                                            952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                            SHA256

                                                            33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                            SHA512

                                                            7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            937326fead5fd401f6cca9118bd9ade9

                                                            SHA1

                                                            4526a57d4ae14ed29b37632c72aef3c408189d91

                                                            SHA256

                                                            68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                            SHA512

                                                            b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\places.sqlite-wal

                                                            Filesize

                                                            992KB

                                                            MD5

                                                            370680270f41db3431ad35e07a4f355a

                                                            SHA1

                                                            d624f55f1771196c43556b71ed50a84395c1a9b5

                                                            SHA256

                                                            f65ee9de68c484f02044813b2ce5b3902dc4f12738b9604fcbe362d62562d1fd

                                                            SHA512

                                                            12d1ffcb801d0a878e73f599e9797679354c4d3873f8c2cda9ebe93eb857e26781f0943fc715c7875d635f3ec723e4a32926876e911f8f1b24fe1ed9338a6d4c

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\prefs-1.js

                                                            Filesize

                                                            7KB

                                                            MD5

                                                            678b07760f06aa35ef9143e5e302ec0a

                                                            SHA1

                                                            daa4d674161ba2378111b0641955513e678471fd

                                                            SHA256

                                                            6e164b3ba2575a3d00a8e12b8be3df05a6acae039a1a5c8f2736a86fb965cf4e

                                                            SHA512

                                                            c7d38a5da1abc1b18f4a36167f062e041bcc697713f1e2dac5f9e772557b3fac4efefba593d75550a6e21cb8f3bdf15984d8d0248962100533f73a4e81b16aa6

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\prefs-1.js

                                                            Filesize

                                                            8KB

                                                            MD5

                                                            340c322cac4a49279b07e03f5bca8f0a

                                                            SHA1

                                                            a504a9e1cea0e7a92933ef2dc67ec92fa188491d

                                                            SHA256

                                                            685840b098efacd6351090901fb0047124c213b2dd21fae09265ae57ff360a20

                                                            SHA512

                                                            c0e271221f6de6e7298fa3e77f380336cbe553333a809d4a589ef2ca23110df5d769b476ed2578fa13e72a1f4dc7d9c4f4c29cdf988eab531b5c09ef24c9e017

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\prefs.js

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            4df6724633b09fc12be6cc6f2db30134

                                                            SHA1

                                                            af48ac2b5d2d4ea12dcd80f7b9e07d562e8de770

                                                            SHA256

                                                            494e8a3c13a9099289e076a5329cba38ab303ed0c6203265829894189e5b98c3

                                                            SHA512

                                                            c2881435a9139d37fc7ae243ef4b6ac5cf20f51f3d1860cb151f10b04d21d95a96543e3957e1fa12da9e4214b573ba9409b42aadbf4390ee4ab4f83b3db810bb

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\sessionstore-backups\recovery.jsonlz4

                                                            Filesize

                                                            4KB

                                                            MD5

                                                            c200c241697c176ee888c312072eb040

                                                            SHA1

                                                            d5877f760bf866ee94601a929fd4fdf948ed3c9a

                                                            SHA256

                                                            1b98a6a69b3e2e865cf1d3ccf35dd0b3b03618bf24d6b30a62c847a1e06629bb

                                                            SHA512

                                                            bce11e0cc3774299c9c17202416d67ef9aabe3c07566822fa293d4c860a71850e575e6375c6152d80243e4da98a2fdfd95dbd55dd0bc58a6c237ec9133074eb6

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9zavgj1i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                                                            Filesize

                                                            512KB

                                                            MD5

                                                            f6a7b3b8ea095397fe08a2ff2dbe2224

                                                            SHA1

                                                            17f2b77a5c42d8634521d00b5c08395411d63360

                                                            SHA256

                                                            a51631c8005fbdee18dbd5605ba4c2443d106984413bfaa4e045699f12b0b6f2

                                                            SHA512

                                                            a46b4b729b17895fc86bc84461034762ce0ae6a2af73ed244705687d9ef6b5e7ffff2a43058245f2ff8fca5f6a4457e521ddb0b8e4b2fde41aeb00c196845b6e

                                                          • \??\pipe\LOCAL\crashpad_4352_SXNAHSXFKOQZJNGK

                                                            MD5

                                                            d41d8cd98f00b204e9800998ecf8427e

                                                            SHA1

                                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                            SHA256

                                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                            SHA512

                                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                          • memory/2684-315-0x0000000000980000-0x0000000001578000-memory.dmp

                                                            Filesize

                                                            12.0MB

                                                          • memory/2684-36-0x0000000000980000-0x0000000001578000-memory.dmp

                                                            Filesize

                                                            12.0MB

                                                          • memory/2684-125-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                            Filesize

                                                            972KB

                                                          • memory/2684-345-0x0000000000980000-0x0000000001578000-memory.dmp

                                                            Filesize

                                                            12.0MB

                                                          • memory/3184-389-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3184-399-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3248-3-0x0000000000E20000-0x00000000012D3000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3248-0-0x0000000000E20000-0x00000000012D3000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3248-15-0x0000000000E20000-0x00000000012D3000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3248-4-0x0000000000E20000-0x00000000012D3000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3248-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp

                                                            Filesize

                                                            184KB

                                                          • memory/3248-1-0x0000000077856000-0x0000000077858000-memory.dmp

                                                            Filesize

                                                            8KB

                                                          • memory/3260-19-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-377-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-527-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-20-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-349-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-18-0x00000000000B1000-0x00000000000DF000-memory.dmp

                                                            Filesize

                                                            184KB

                                                          • memory/3260-17-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-409-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2547-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-1185-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2161-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2485-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-387-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-251-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2526-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2546-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2533-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2530-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2531-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/3260-2532-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/6912-2529-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/6912-2528-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/7080-350-0x0000000000340000-0x00000000007F3000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/7080-376-0x0000000000340000-0x00000000007F3000-memory.dmp

                                                            Filesize

                                                            4.7MB

                                                          • memory/7104-2551-0x00000000000B0000-0x0000000000563000-memory.dmp

                                                            Filesize

                                                            4.7MB
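The listing above is the raw form an analyst pivots from: dropped-file paths with their digests, and `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` entries whose stated Filesize is derived from the address range. Two things are easy to get wrong by hand: the crashpad pipe entry carries the digests of zero bytes (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442...), so it is nothing to search for, and the memory dump labels use binary units (0x1578000 - 0x980000 = 12,550,144 bytes is shown as 12.0MB). The following is an added example, not part of this report or of the sandbox's own tooling: a parser for the bullet/label/value layout shown above that extracts records, flags empty-file digests, and checks each memory region's length against its label. The embedded sample is a constructed excerpt of four entries copied from this listing; the function and field names are the example's own.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing, flag empty-file
digests, and cross-check memory dump sizes against their address ranges.
Added example for this page; not the sandbox vendor's code."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: four entries copied from the listing above, same layout.
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB
MD5
85430baed3398695717b0263807cf97c
SHA1
fffbee923cea216f50fce5d54219a188a5100f41
SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
• \??\pipe\LOCAL\crashpad_4352_SXNAHSXFKOQZJNGK
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• memory/2684-315-0x0000000000980000-0x0000000001578000-memory.dmp
Filesize
12.0MB
• memory/3248-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp
Filesize
184KB
"""

HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")
LABELS = ("Filesize",) + HASH_LABELS


@dataclass
class Artifact:
    path: str
    filesize: Optional[str] = None
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Turn the '• path' / label / value layout into Artifact records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        if lines[i].startswith("•"):
            records.append(Artifact(path=lines[i][1:].strip()))
        elif records and lines[i] in LABELS and i + 1 < len(lines):
            if lines[i] == "Filesize":
                records[-1].filesize = lines[i + 1]
            else:
                records[-1].hashes[lines[i]] = lines[i + 1].lower()
            i += 1  # consume the value line
        i += 1
    return records


# Digests of zero bytes, computed rather than typed so they cannot be mistyped.
EMPTY_DIGESTS = {name: hashlib.new(name.lower()).hexdigest() for name in HASH_LABELS}


def is_empty_file(art):
    """True when every reported hash is the digest of empty input: nothing to pivot on."""
    return bool(art.hashes) and all(
        art.hashes[k] == v for k, v in EMPTY_DIGESTS.items() if k in art.hashes
    )


MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}  # binary units, as the listing's ranges imply


def parse_memory_name(path):
    """Split 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' into its fields, or None."""
    m = MEM_RE.match(path)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}


def size_label_matches(nbytes, label):
    """Compare a byte count with a rounded label such as '12.0MB' or '184KB';
    tolerance is half of the last digit the label shows."""
    m = SIZE_RE.match(label)
    if not m:
        return False
    num, unit = m.groups()
    decimals = len(num.split(".")[1]) if "." in num else 0
    tol = 0.5 * (10 ** -decimals) * UNIT[unit]
    return abs(nbytes - float(num) * UNIT[unit]) <= tol


def check_memory_dumps(records):
    """Return (path, region_size_bytes, label, consistent) for each memory/... entry."""
    out = []
    for art in records:
        info = parse_memory_name(art.path)
        if info is None:
            continue
        size = info["end"] - info["start"]
        out.append((art.path, size, art.filesize, size_label_matches(size, art.filesize or "")))
    return out


def triage(text):
    """Summarise a listing: dropped files worth hunting, empty placeholders, memory regions."""
    records = parse_listing(text)
    files = [a for a in records if parse_memory_name(a.path) is None]
    return {
        "dropped": [a.path for a in files if not is_empty_file(a)],
        "empty": [a.path for a in files if is_empty_file(a)],
        "memory": check_memory_dumps(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Feeding the full listing through `triage` yields the dropped files to add to a hash blocklist, the entries to discard, and a consistency check on every memory region; the tolerance in `size_label_matches` exists because the labels are rounded, so an exact byte comparison would flag every dump as inconsistent.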