Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-07-2024 17:06

General

  • Target

    538982ed425cfad7ee22aa81e0630a564a2a0628a1cae45a6c5ad47969c48a5e.exe

  • Size

    1.9MB

  • MD5

    f0ec9b272157493bffff098208f614d5

  • SHA1

    e78ea4ed8aace1b9ce8a4ffde1ae87c9cbe94df6

  • SHA256

    538982ed425cfad7ee22aa81e0630a564a2a0628a1cae45a6c5ad47969c48a5e

  • SHA512

    a72a92b028a626480e058b432d7a5ada270b60c073255f2385814084927a6727da139a0c39295f83946e269af0bb1eeb654713766c75d94d9e579efeda9f2d69

  • SSDEEP

    49152:nCLjB4MFD1H9WZ9yNJ0P1REZrPMtqFkFeIJp2:CvB4MFhQZ9yNJqRyrMtqFqJp

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php
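
The config above gives a C2 host and a url_path for each family, plus Amadey's install_dir and install_file; the Downloads section at the end of the report lists two DLLs written to C:\ProgramData. The script below is an added example, not part of the sandbox report, that turns those values into match rules and runs them over a few constructed proxy-log and file-event lines in an assumed format (timestamp, source host, then either METHOD URL STATUS or FileCreate PATH [md5=...]). The /files/update.exe request in the sample log is constructed to show the host-only case; the two regexes are the only thing to adapt for real log sources.

```python
"""IoC matcher built from this report's config (added example, not part of the report)."""
import re
from urllib.parse import urlsplit

# C2 hosts and url_paths from the Malware Config section.
C2 = {
    "77.91.77.82": ("amadey", {"/Hun4Ko/index.php"}),
    "85.28.47.30": ("stealc", {"/920475a59bac849d.php"}),
}
# Dropped-file paths (install_dir/install_file and the Downloads section),
# matched as case-insensitive suffixes so drive letter and user name may differ.
FILE_PATHS = {
    r"\appdata\local\temp\ad40971b6b\explorti.exe": "amadey install_file",
    r"\programdata\mozglue.dll": "dropped DLL mozglue.dll",
    r"\programdata\nss3.dll": "dropped DLL nss3.dll",
}
# MD5s from the General and Downloads sections.
MD5S = {
    "f0ec9b272157493bffff098208f614d5": "initial sample",
    "c8fd9be83bc728cc04beffafc2907fe9": "mozglue.dll",
    "1cc453cdf74f31e4d913ff9c10acdde2": "nss3.dll",
}

def match_url(url):
    """(family, 'host+path') when host and an extracted url_path both match,
    (family, 'host-only') when only the C2 host matches, else None.
    Port and query string are ignored, which is why urlsplit is used."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in C2:
        return None
    family, paths = C2[host]
    return (family, "host+path" if parts.path in paths else "host-only")

def match_file(path, md5=None):
    """Label for a known dropped-file path or hash, else None."""
    p = path.lower().replace("/", "\\")
    for suffix, label in FILE_PATHS.items():
        if p.endswith(suffix):
            return label
    if md5 and md5.lower() in MD5S:
        return "hash match: " + MD5S[md5.lower()]
    return None

# Constructed telemetry in an assumed format; replace the regexes for real sources.
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})")
FILE_RE = re.compile(r"^(\S+) (\S+) FileCreate (.+?)(?: md5=([0-9a-fA-F]{32}))?$")
SAMPLE_LOG = """\
2024-07-09T17:06:40Z 10.0.0.15 POST http://77.91.77.82/Hun4Ko/index.php 200
2024-07-09T17:06:41Z 10.0.0.15 FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe
2024-07-09T17:06:55Z 10.0.0.15 GET http://77.91.77.82:80/files/update.exe 200
2024-07-09T17:07:02Z 10.0.0.15 FileCreate C:\\ProgramData\\nss3.dll md5=1cc453cdf74f31e4d913ff9c10acdde2
2024-07-09T17:07:03Z 10.0.0.15 POST http://85.28.47.30/920475a59bac849d.php?token=abc 200
2024-07-09T17:07:10Z 10.0.0.15 GET https://www.youtube.com/account 200
2024-07-09T17:07:12Z 10.0.0.15 FileCreate C:\\Users\\alice\\Downloads\\report.pdf
"""

def scan(log_text):
    """One hit dict per line that matches an IoC, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            r = match_url(m.group(4))
            if r:
                hits.append({"ts": m.group(1), "src": m.group(2), "type": "c2",
                             "family": r[0], "strength": r[1], "url": m.group(4)})
            continue
        m = FILE_RE.match(line)
        if m:
            label = match_file(m.group(3), m.group(4))
            if label:
                hits.append({"ts": m.group(1), "src": m.group(2), "type": "file",
                             "label": label, "path": m.group(3)})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

A host-only hit is worth keeping as a lower-confidence signal: the same Amadey C2 serves payload downloads from paths other than the extracted url_path, so matching on host plus path only would miss them.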

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\538982ed425cfad7ee22aa81e0630a564a2a0628a1cae45a6c5ad47969c48a5e.exe
    "C:\Users\Admin\AppData\Local\Temp\538982ed425cfad7ee22aa81e0630a564a2a0628a1cae45a6c5ad47969c48a5e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Users\Admin\AppData\Local\Temp\1000006001\14db28840d.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\14db28840d.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:896
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AEBGIEGCFH.exe"
          4⤵
            PID:6480
            • C:\Users\Admin\AppData\Local\Temp\AEBGIEGCFH.exe
              "C:\Users\Admin\AppData\Local\Temp\AEBGIEGCFH.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:6576
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBAKFIIJJK.exe"
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:6508
        • C:\Users\Admin\AppData\Local\Temp\1000010001\7f80092a3d.exe
          "C:\Users\Admin\AppData\Local\Temp\1000010001\7f80092a3d.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\A2C9.tmp\A2CA.bat C:\Users\Admin\AppData\Local\Temp\1000010001\7f80092a3d.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              5⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4404
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffe42eab58,0x7fffe42eab68,0x7fffe42eab78
                6⤵
                  PID:3732
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=2200,i,3354463292964182713,9566765831596430665,131072 /prefetch:2
                  6⤵
                    PID:3416
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 --field-trial-handle=2200,i,3354463292964182713,9566765831596430665,131072 /prefetch:8
                    6⤵
                      PID:4636
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1892 --field-trial-handle=2200,i,3354463292964182713,9566765831596430665,131072 /prefetch:8
                      6⤵
                        PID:3112
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=2200,i,3354463292964182713,9566765831596430665,131072 /prefetch:1
                        6⤵
                          PID:2804
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=2200,i,3354463292964182713,9566765831596430665,131072 /prefetch:1
                          6⤵
                            PID:2900
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4144 --field-trial-handle=2200,i,3354463292964182713,9566765831596430665,131072 /prefetch:1
                            6⤵
                              PID:6076
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 --field-trial-handle=2200,i,3354463292964182713,9566765831596430665,131072 /prefetch:2
                              6⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:6808
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
                            5⤵
                            • Enumerates system info in registry
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of WriteProcessMemory
                            PID:2816
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffe0de3cb8,0x7fffe0de3cc8,0x7fffe0de3cd8
                              6⤵
                                PID:5044
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
                                6⤵
                                  PID:3428
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
                                  6⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3420
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
                                  6⤵
                                    PID:2288
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
                                    6⤵
                                      PID:1064
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
                                      6⤵
                                        PID:4788
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
                                        6⤵
                                          PID:6052
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
                                          6⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:6996
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8
                                          6⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:7084
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
                                          6⤵
                                            PID:6228
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
                                            6⤵
                                              PID:6244
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
                                              6⤵
                                                PID:2472
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
                                                6⤵
                                                  PID:5180
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,3511764429212433109,3519781869885286793,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5844 /prefetch:2
                                                  6⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:1676
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                                                5⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:1932
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                                                  6⤵
                                                  • Checks processor information in registry
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  • Suspicious use of SetWindowsHookEx
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3716
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.0.699601166\1372038969" -parentBuildID 20230214051806 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abc20984-8c65-4f3f-9085-e5f92e8d5ff4} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 1828 275bbc0fb58 gpu
                                                    7⤵
                                                      PID:3592
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.1.134722490\517054976" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4e90018-42d2-4600-8e22-450d534ec8ba} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 2388 275aee84d58 socket
                                                      7⤵
                                                        PID:1868
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.2.642873418\1141964977" -childID 1 -isForBrowser -prefsHandle 3304 -prefMapHandle 3300 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aaaf121-8e1b-4d64-9dc4-7f80dbf9c0fe} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 3316 275beb4ee58 tab
                                                        7⤵
                                                          PID:3404
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.3.1426672973\1904544768" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3808 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40769d19-bcbf-4de1-976b-12fa42bba677} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 3820 275c0ed4358 tab
                                                          7⤵
                                                            PID:2140
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.4.2079963083\923722212" -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5268 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39123916-8eb7-4cab-b713-7d065dadbb1e} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 5280 275c3752158 tab
                                                            7⤵
                                                              PID:5820
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.5.2007661645\1843932029" -childID 4 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33e1d982-3376-4e9a-8512-c1d08b7e9393} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 5296 275c3960458 tab
                                                              7⤵
                                                                PID:5772
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3716.6.996308039\140543946" -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c3bca90-addc-42d2-994d-b42d5bf21627} 3716 "\\.\pipe\gecko-crash-server-pipe.3716" 5396 275c3962858 tab
                                                                7⤵
                                                                  PID:5816
                                                    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                                                      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                                                      1⤵
                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                      • Checks BIOS information in registry
                                                      • Executes dropped EXE
                                                      • Identifies Wine through registry keys
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:3276
                                                    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
                                                      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
                                                      1⤵
                                                        PID:5432
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:5480
                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                          1⤵
                                                            PID:5924
                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                                                            C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                                                            1⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:7052
                                                          • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                                                            C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                                                            1⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:2640
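Three of the behaviours tagged on the explorti.exe processes above are registry reads (the VirtualBox ACPI tables, BIOS strings, Wine keys); the fourth, NtSetInformationThreadHideFromDebugger, is an API-level trick and is not visible in registry telemetry. The following is an added example, not tooling from the sandbox or the report, showing how to flag those reads in your own logs. The report does not list the exact values the sample queried, so the key patterns are the well-known locations such checks use and are an assumption; the event lines are constructed, and a registry-read feed such as the Microsoft-Windows-Kernel-Registry ETW provider is assumed (Sysmon's registry events 12-14 cover create, set and rename, not reads).

```python
"""Flag processes whose registry reads match the sandbox/VM checks named in
the process tree. Added example, not part of the sandbox report."""
import re

# Well-known locations behind the three registry checks in the tree. The
# report does not name the exact values this sample read, so these patterns
# are an assumption; widen them for your own telemetry.
ANTI_ANALYSIS_PATTERNS = {
    "vbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_info": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$",
        re.I),
    "wine": re.compile(r"\\Software\\Wine(\\|$)", re.I),
}

# Constructed events in "pid|image|registry path" form, not captured from the
# run. A read-capable source (kernel registry ETW) is assumed; Sysmon would
# not see these queries.
SAMPLE_EVENTS = """\
7052|C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe|HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__
7052|C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe|HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
7052|C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe|HKCU\\Software\\Wine
4120|C:\\Windows\\System32\\svchost.exe|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
2640|C:\\Users\\Admin\\AppData\\Local\\Temp\\ad40971b6b\\explorti.exe|HKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion
"""


def parse_event(line):
    pid, image, target = line.split("|", 2)
    return int(pid), image, target


def classify_events(text):
    """Map pid -> {"image": path, "checks": set of matched labels}, keeping
    only processes that hit at least one anti-analysis pattern."""
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, target = parse_event(line)
        for label, pattern in ANTI_ANALYSIS_PATTERNS.items():
            if pattern.search(target):
                entry = hits.setdefault(pid, {"image": image, "checks": set()})
                entry["checks"].add(label)
    return hits


def sandbox_aware_pids(hits, min_checks=2):
    """A lone BIOS read is routine (installers, inventory agents); several
    distinct checks from one process is the signal worth alerting on."""
    return sorted(pid for pid, entry in hits.items() if len(entry["checks"]) >= min_checks)


if __name__ == "__main__":
    hits = classify_events(SAMPLE_EVENTS)
    for pid in sandbox_aware_pids(hits):
        print(pid, hits[pid]["image"], sorted(hits[pid]["checks"]))
```

The threshold is the practitioner's knob: with min_checks=1 the second explorti.exe instance (a single VideoBiosVersion read) is flagged too, at the cost of catching every installer that reads BIOS strings.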

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

Downloads

• C:\ProgramData\mozglue.dll
  Filesize  593KB
  MD5       c8fd9be83bc728cc04beffafc2907fe9
  SHA1      95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

• C:\ProgramData\nss3.dll
  Filesize  2.0MB
  MD5       1cc453cdf74f31e4d913ff9c10acdde2
  SHA1      6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize  216B
  MD5       5010217290ebed42a45186cf10b9350b
  SHA1      b6f42296e64341c74ce034a43d0dbeb4803f0b99
  SHA256    a8221279694a5809ae413f26f0520efee5c97f9c4b0f6e2179cc236b7f8ed587
  SHA512    da8cdc37fc6646d59073eda2abcbb06f6ac9c2e8a99cee14332440d4d8a7437bb22eca0261be1827ab031baef0551cf359a7be3f75c8a825e249cb54c4292b5f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize  2KB
  MD5       3d85edb9c159ef0a8d0389cb4eb5a5a8
  SHA1      b5473a88222ede8e6613a7697090f874a7a6fa4f
  SHA256    3f5c0a6f66d8842a7e1cd290c6f7909b306089efa9d049b3c3eaa47972de4e3c
  SHA512    2c75a30b90940500ef1687926d807d1cbb4b86dc2dff64c3b2b995af9c543eae3e942c78ae00752080994d9c77bbc128c65e5cba21808bbfde106fe29d5d5ca1

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize  2B
  MD5       d751713988987e9331980363e24189ce
  SHA1      97d170e1550eee4afc0af065b78cda302a97674c
  SHA256    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize  524B
  MD5       1a927058a89eefb1164075f552edbcdf
  SHA1      3f64c4167fc2b74918830e5cf4dc9dd3b710a718
  SHA256    01f612b1beb03ab8229ad25b32145334f43aa7fab0dc4b59d2117be5af4e1878
  SHA512    691820ddc8f6c5188c52ebecda8265fa9c495ccd50a549a63db2156c0c9801b3d7b03e9ba6f632ddc1903998aa428632db482a0e06a3addd3fe124effa7c8b74

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize  7KB
  MD5       0fe505c569c80b01d5da204c36e87017
  SHA1      b12a7e876c81569641f9e529abf464dce54e5bce
  SHA256    e5f8171359c9342064db283b65fcb7693752a8438a84ff173232dda7a83ec3c7
  SHA512    b38e90bf590d2544b8255893adcbd7ecbca68a148bd8cb51b4834cd484999185ffb0e9c3b775d7afbf2b06d14c1aa61e08d9aa1602a9108cc0c602ad1af4a10b

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize  144KB
  MD5       a58bc9b64e85793f2989f2cdcc181b09
  SHA1      82bb15e58d598f2bf6722ad7a9ed946e8dde653f
  SHA256    2fb57a0bbf6cd7f66f1b7a60f3cf7159175002114ad861cd16341a3491e061b0
  SHA512    f4e4ad13241d3b3cf2cedc7ed5042afd48b9e58db0d97f70395b412f08b32f0bf9d5d6522204c1c87460e46be087124b6d1965610b6ddaf2948b7343d968e8a5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize  152B
  MD5       6c1de55e8af0859bea07b6af77782896
  SHA1      d5efde7bcf31d692d697ebbc54ccd13fb3624856
  SHA256    130afd8eb97d11640a28231e9314983eee9eff75964c93abd71e84e6412f710f
  SHA512    9664d41b0b1767ddc4012318fca427edf9606c525f868a5ba98e5987bf5e71e4710dd19a0ed7223c706588b5803f3b118ee949c51d6fd99696049befff5fd510

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize  152B
  MD5       0176e968a02096540e4a096219a8fe34
  SHA1      cd301ea619d7c92daf64446caea1f1293da48373
  SHA256    f9319c68cc75bc8e334037d946cc89ad65605606c1bfd12a2fe2ebd711b14067
  SHA512    b6aba8640823d43f8968ff31a2e5a48b6f6def43ea6f83cef801294ea1ca9eb1fa16cec516893485b650d7b4407e34536b380712fb72bc9da581cc2e1e0ae2d8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
  Filesize  67KB
  MD5       51c3c3d00a4a5a9d730c04c615f2639b
  SHA1      3b92cce727fc1fb03e982eb611935218c821948f
  SHA256    cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
  SHA512    7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
  Filesize  33KB
  MD5       1c0c8433626cac08202f23a1dae54325
  SHA1      3a5700eeeacd9f9d6b17c2707f75f29308658cd3
  SHA256    7aad4c7a174a145a4f9f11506145b521631ee2cb1ca2f7617b900ba515b31cd3
  SHA512    da693d1d63c9971cb80792063f0e8d3335edb67ee1dcde4040d0dc8f44398f99d9f683eaab8cf44ebf5cdb78eae6672d43fd9ed9b45a526a80a311d8c77bcc8c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
  Filesize  38KB
  MD5       c3aa6e31c125d83fb2eabcc9e33843dd
  SHA1      ad91b78e1a9853ee876b77b82f75100ff5690d11
  SHA256    c32b5cffb8ac92df9bd9340b75b8d0772a071af36df5b27879e45f6112f9b5b4
  SHA512    897efddeb2d96e24aca43385cfb86a065034c4bb045c2e2b7391572e0ddd4a820b70fa83854de5048d7b7316fc9fa2f078924aab62206a7a135aaf91176a4c6b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize  216B
  MD5       591e800b1ecbdc4d331f9163df124a6a
  SHA1      e8896f46a8b87995d85cc265f826728ba7ad09ed
  SHA256    911838859c75f61e5f7ef5f54030d9f6622a19e64a3b53167adbaf1dca48889c
  SHA512    6708a6798da8491de0029e962ab3e6b8c1870f8f34f257d5860c5beb3788a5a5a759712e78820d4f041767502211d09910f26ab03dd55822b08a67e7398b35c3

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize  1KB
  MD5       9bb31742d97dd3db91f59edc650f0c75
  SHA1      d2b43e52e00dcf7084dd1b86d01f28f49cf0f0cc
  SHA256    67f12f0321e6216cd18824b232cd695bf46edb8ca309d75b955d603165f7c110
  SHA512    2d6894d7448b0f8dc537da8689b2d99c7324e86d8a2379778a69ee27bbd110465c81768469d177489829792c0cef4c4cf75e8f0fa1d573e5e2344f08a751dbe5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize  5KB
  MD5       a9e50ba3ab847cd4d5a86c74887892ff
  SHA1      35dcdc9dd02180488fc36d30388b63b25465ab4d
  SHA256    7e9420b873deee7cbc835ff5a869e83b0f8c037d1661a459b1aee4eb540a417e
  SHA512    56c2070cb108baaefd8042f0141d2a8e7caca0cbd4049de66e82774c836a1efa1285469a35f89576918f6ce3547987032c57a397378e09eb4b2f3240e491d731

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize  6KB
  MD5       2c6d3b917702e849cc23e440a8d6163c
  SHA1      3d81710de5bb065f9a0acbecc467e246ebeb9bb5
  SHA256    acb8df2575a0fdaa42fcb6c2c1f76f2d08daaeaa6142fcfa02e3d0c1c1130855
  SHA512    9f76fdb9340b590b3489589bb7079d2e0db4aa62ebeed4e0797c5e0fa9f703149e5b0fc4c3b2b19f82e6306b6242c5a0833db48ab92c07554e7ac9f396ca1a0b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize  16B
  MD5       206702161f94c5cd39fadd03f4014d98
  SHA1      bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize  16B
  MD5       46295cac801e5d4857d09837238a6394
  SHA1      44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  11KB
  MD5       c1ac6ecd3927b8e323b858fd8f98a576
  SHA1      fdeb8e7a80932c7edc76c3ca24708ca494ae13c8
  SHA256    1e555d31d8ad0ae622a145fc6766e9b789c33325e3590f8507f177a6473b29ce
  SHA512    de9f2a4dd0bab9d12b41fd270eafeb2b163ea894268346683fe11ae34e29536928e3b0d61b7302872bab4489de50444523773f8e9632565829c3593c5ad2681e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize  11KB
  MD5       886092f2d4d92f5e533228d74bb908ff
  SHA1      15b2c6fb5dd7b57fab0c0d982fd0fade770d4390
  SHA256    25793fc4c101af72612a05a7cfe19eaebc61f2a8a7eda0680b390f69e51f1e0c
  SHA512    ae6b335c344f768a289992af8da9ad07627cdcd74e5107b64f0eb2094fa5107768c91a90b8700e8a018e277bc279592bec281ccd8c2cdbf7c2c60fdec09525ec

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\activity-stream.discovery_stream.json.tmp
  Filesize  22KB
  MD5       70674d594594d5c2481b998312bc7707
  SHA1      a5dad49918ea2b379c66c6de33ab79e6d8903d91
  SHA256    2b3246c9ced17c0b37a21da43b8515eb768008e2befa6e37d70252973a91ac9f
  SHA512    490b7996826279d103c9c281faab02d88ae8ad82243989c3f93955feabacc83923d966afd3980226e956bc175c48c4a66fabb04444b3e0c7042af82130c74e58

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\activity-stream.discovery_stream.json.tmp
  Filesize  22KB
  MD5       a6c1e0f467d92d9ed8d3eb4795b0b57b
  SHA1      6751978ff01f027de6e86a0cd0efb15bb148d22f
  SHA256    b6e1ebcd8db9e87c98cc82c3cfa5c304ce22550c132ae6ce756d4f2f6f4ca91a
  SHA512    978c53710b872e58e5b1199628123b05c8364c1d9a2d88cc0206b48f8bf07e6901071fe131c44118aa0288c898402bf2143f712a49560ff8fdf34efef2772360

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
  Filesize  13KB
  MD5       afd058457f4b84f520c3ecbc9a96a8b1
  SHA1      2c482e97a7c071b7cf1ffd880b49828c515a49a3
  SHA256    0a9b6c9a29baa77ca6ca968408a2fde159bf5d5bda1ee820c52c91b3490e7c01
  SHA512    6a9a16482893454d77ca85a97eecedc0a117245c2aa0c584f940e4d9d57e248155f331137ddc390f99bd61b40d40d4f59849431497ab23bde4184b34353ec2e7

• C:\Users\Admin\AppData\Local\Temp\1000006001\14db28840d.exe
  Filesize  2.4MB
  MD5       c03d62f485ea79a178992f22c713c4a5
  SHA1      aa16eb2b07a4b91b44c9e484923eb8bbcaf893d0
  SHA256    546b5457cd26c9230fc49a456197aeeb761241adc2dd2774c37b1d3189968cb9
  SHA512    3051d67889704c3adfe2748612d88b40acdde17b3fcf54ef8ae7466bd38b121db130300b53c9db9a981292507cf830d99bcd86ccacf320ec0198faa40af043fb

• C:\Users\Admin\AppData\Local\Temp\1000010001\7f80092a3d.exe
  Filesize  89KB
  MD5       bc08b445116ecc06852a929a5d302c4a
  SHA1      a78aa42220b90d47b4cf63119e6082f06b295f57
  SHA256    5b232254dd2d33eb576516116977c884fba81d5a8427f742a73655f9e076efc6
  SHA512    657a21d453112fb909be4005e0cab1ebf467840e275a159eb535b486432ffa0bfcc60da92475b26f08a0ea481c927654520a43163e04e34324551cb3bfd69fdf

• C:\Users\Admin\AppData\Local\Temp\A2C8.tmp\A2C9.tmp\A2CA.bat
  Filesize  2KB
  MD5       de9423d9c334ba3dba7dc874aa7dbc28
  SHA1      bf38b137b8d780b3d6d62aee03c9d3f73770d638
  SHA256    a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
  SHA512    63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

• C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  Filesize  1.9MB
  MD5       f0ec9b272157493bffff098208f614d5
  SHA1      e78ea4ed8aace1b9ce8a4ffde1ae87c9cbe94df6
  SHA256    538982ed425cfad7ee22aa81e0630a564a2a0628a1cae45a6c5ad47969c48a5e
  SHA512    a72a92b028a626480e058b432d7a5ada270b60c073255f2385814084927a6727da139a0c39295f83946e269af0bb1eeb654713766c75d94d9e579efeda9f2d69

• C:\Users\Admin\AppData\Local\Temp\tmpaddon
  Filesize  442KB
  MD5       85430baed3398695717b0263807cf97c
  SHA1      fffbee923cea216f50fce5d54219a188a5100f41
  SHA256    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

• C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
  Filesize  8.0MB
  MD5       a01c5ecd6108350ae23d2cddf0e77c17
  SHA1      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\cookies.sqlite-wal
  Filesize  256KB
  MD5       55d7e2de68ff4ed976ac6003d2e66519
  SHA1      0ade0f9b3a65968be444abdf10c314e006c60447
  SHA256    f9344744ffef669a2bc929ca9fe3d6a97513294ae27321983eb5e8e7715aeb66
  SHA512    9ac7a7ddc928d3c6c0b5b9e4ca8a14419aa3b301517da8db93aa8ac8d3d7b3709c1c01838566d1c114675d07e2e7a2cc806c0ca1bebe317172f2e386ce71f9c4

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize  997KB
  MD5       fe3355639648c417e8307c6d051e3e37
  SHA1      f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                            Filesize

                                                            116B

                                                            MD5

                                                            3d33cdc0b3d281e67dd52e14435dd04f

                                                            SHA1

                                                            4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                            SHA256

                                                            f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                            SHA512

                                                            a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                            Filesize

                                                            479B

                                                            MD5

                                                            49ddb419d96dceb9069018535fb2e2fc

                                                            SHA1

                                                            62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                            SHA256

                                                            2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                            SHA512

                                                            48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                            Filesize

                                                            372B

                                                            MD5

                                                            8be33af717bb1b67fbd61c3f4b807e9e

                                                            SHA1

                                                            7cf17656d174d951957ff36810e874a134dd49e0

                                                            SHA256

                                                            e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                            SHA512

                                                            6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                            Filesize

                                                            11.8MB

                                                            MD5

                                                            33bf7b0439480effb9fb212efce87b13

                                                            SHA1

                                                            cee50f2745edc6dc291887b6075ca64d716f495a

                                                            SHA256

                                                            8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                            SHA512

                                                            d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            688bed3676d2104e7f17ae1cd2c59404

                                                            SHA1

                                                            952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                            SHA256

                                                            33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                            SHA512

                                                            7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                            Filesize

                                                            1KB

                                                            MD5

                                                            937326fead5fd401f6cca9118bd9ade9

                                                            SHA1

                                                            4526a57d4ae14ed29b37632c72aef3c408189d91

                                                            SHA256

                                                            68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                            SHA512

                                                            b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\places.sqlite-wal

                                                            Filesize

                                                            992KB

                                                            MD5

                                                            1ed9aa47724b8a43903a5a0d724dafab

                                                            SHA1

                                                            f923073c1a072db3f080033a6f6d2a0a73e79bd5

                                                            SHA256

                                                            d8b055d5d5b844247ac0aac9faf99e91d29a419ff2075009db96e8d56afe8a54

                                                            SHA512

                                                            d6c72038ef98b68c10dc30639563964977ab7d98c326106bee862d581fa6497823ff99e7f54ca8d0c26c3fcb3dd4215d956936ec15ffd1a28a2456dab37bb1eb

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\prefs-1.js

                                                            Filesize

                                                            8KB

                                                            MD5

                                                            dc537c6d43346ee2835fca664b14c2b2

                                                            SHA1

                                                            c21660bde21d7e51b00a29d456eadd1df0209035

                                                            SHA256

                                                            9d87365e165bb2d8ae547115fa24ebf6d3d7aa1e1b281c6e61e765ac1a317db9

                                                            SHA512

                                                            49954fe52b1eea0167f3af7a3753100e3f22acaf3a3957bf154dbb859c32cb45e4f6b3bfa8e27a87a5c9ae3ed6e43af0c4344ab196fc40560ed75549831647b7

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\prefs-1.js

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            b596ddc7b086a44f4634e989ca545e55

                                                            SHA1

                                                            74eb8f323645c04a76fd56b8185f403a79ac28c3

                                                            SHA256

                                                            d3926a2c67f3baa00a5522e75058a3a6d5eca27f16e38246cc332c91a9573b8d

                                                            SHA512

                                                            62d70814dad40c7069737d43fa70de5a423eb81f3a7db3ad6d08ea82cf12890592a31d78dd2afb84a309716fe8ab76e1a8aa2bf68f6b3a02914450da65de9b9e

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\prefs.js

                                                            Filesize

                                                            6KB

                                                            MD5

                                                            e678ca0c547267502c3c6aa9308d9931

                                                            SHA1

                                                            22dae42208b15d4b8922e64b42546069d2f7db01

                                                            SHA256

                                                            1bc091aedacf95c8fe0d346be2c8d7acf5beb418eedd140fe634f01cc14e19ec

                                                            SHA512

                                                            fc3f325abd3aecb067c7deac9dca5d4c62a78515f78132b1d807268bd3244b707aefba9ca699cbe3ea0085eb8e0e4de6716546ad7993f4c6cd327b9f1f0268da

                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nnjr4yd.default-release\sessionstore-backups\recovery.jsonlz4

                                                            Filesize

                                                            4KB

                                                            MD5

                                                            4bcd66d0c3f5607d997239ea5686b79b

                                                            SHA1

                                                            ab48858341c4250addb4363e604a283205612e85

                                                            SHA256

                                                            84de19e293cf4ea47857d93151458e5e85192bec6336528430b62eaf360fbe97

                                                            SHA512

                                                            ca92fe490de6609fa177875c4a97810872efc49f56901e2a8c8de9e01e83a5e72d9ad4b97a6434e2dc3736a22c39188d41c670d8ba12c0d38094f77ddf987414

                                                          • \??\pipe\LOCAL\crashpad_2816_IQWRDNAEJMLYQBQJ

                                                            MD5

                                                            d41d8cd98f00b204e9800998ecf8427e

                                                            SHA1

                                                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                            SHA256

                                                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                            SHA512

                                                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                          • memory/896-39-0x0000000000120000-0x0000000000D18000-memory.dmp

                                                            Filesize

                                                            12.0MB

                                                          • memory/896-323-0x0000000000120000-0x0000000000D18000-memory.dmp

                                                            Filesize

                                                            12.0MB

                                                          • memory/896-109-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                            Filesize

                                                            972KB

                                                          • memory/1624-17-0x0000000000FA0000-0x0000000001478000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/1624-2-0x0000000000FA1000-0x0000000000FCF000-memory.dmp

                                                            Filesize

                                                            184KB

                                                          • memory/1624-1-0x00000000775C6000-0x00000000775C8000-memory.dmp

                                                            Filesize

                                                            8KB

                                                          • memory/1624-5-0x0000000000FA0000-0x0000000001478000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/1624-3-0x0000000000FA0000-0x0000000001478000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/1624-0-0x0000000000FA0000-0x0000000001478000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/2640-2532-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/2640-2533-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/3276-23-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/3276-57-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-20-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2529-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-393-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-390-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-391-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2547-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-18-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2546-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-646-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-1625-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2458-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-270-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-21-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2488-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-327-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-19-0x0000000000351000-0x000000000037F000-memory.dmp

                                                            Filesize

                                                            184KB

                                                          • memory/5024-2526-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2527-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2528-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-423-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/5024-2530-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/6576-328-0x0000000000F60000-0x0000000001438000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/6576-344-0x0000000000F60000-0x0000000001438000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/7052-2475-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB

                                                          • memory/7052-2464-0x0000000000350000-0x0000000000828000-memory.dmp

                                                            Filesize

                                                            4.8MB