Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-07-2024 17:53

General

  • Target

    506ecb56dcf6b280d4f553a0fb009ba1760251e411916ab715701b53ae8fe943.exe

  • Size

    1.8MB

  • MD5

    8bc520e6b221e7998eb73c10c830fbd6

  • SHA1

    8a825403f8bff789c60e4dfb67ead847c957b0d4

  • SHA256

    506ecb56dcf6b280d4f553a0fb009ba1760251e411916ab715701b53ae8fe943

  • SHA512

    58d087c499275776e155cb38782f3eca9bdcb516a5707023eb60f31e99ace240076f59ce0c1fc8b7c7382583edfa0f29a68fde23c891a6f0d28de0d3703c94d6

  • SSDEEP

    24576:TRsfk8Fos8kPJBixYoH3z0w2qb3vHzwB+IS34ZNPIwvCpqJ56J1dag7cR7HI0LTZ:TIkxs8DxYY0w2kvsFtz6J2DM0L69Mt

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\506ecb56dcf6b280d4f553a0fb009ba1760251e411916ab715701b53ae8fe943.exe
    "C:\Users\Admin\AppData\Local\Temp\506ecb56dcf6b280d4f553a0fb009ba1760251e411916ab715701b53ae8fe943.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\1000006001\3d12ee6466.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\3d12ee6466.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
          4⤵
            PID:6760
            • C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe
              "C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:6848
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe"
            4⤵
              PID:6816
              • C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe
                "C:\Users\Admin\AppData\Local\Temp\HJDAFIEHIE.exe"
                5⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:6924
          • C:\Users\Admin\AppData\Local\Temp\1000010001\9f0c7c6bc4.exe
            "C:\Users\Admin\AppData\Local\Temp\1000010001\9f0c7c6bc4.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2192
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BF68.tmp\BF78.tmp\BF79.bat C:\Users\Admin\AppData\Local\Temp\1000010001\9f0c7c6bc4.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4652
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
                5⤵
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:1604
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffceab3ab58,0x7ffceab3ab68,0x7ffceab3ab78
                  6⤵
                    PID:5076
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=2272,i,17397441100992295909,1428235289898779820,131072 /prefetch:2
                    6⤵
                      PID:4132
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=2272,i,17397441100992295909,1428235289898779820,131072 /prefetch:8
                      6⤵
                        PID:4136
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1900 --field-trial-handle=2272,i,17397441100992295909,1428235289898779820,131072 /prefetch:8
                        6⤵
                          PID:1436
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=2272,i,17397441100992295909,1428235289898779820,131072 /prefetch:1
                          6⤵
                            PID:5240
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=2272,i,17397441100992295909,1428235289898779820,131072 /prefetch:1
                            6⤵
                              PID:5280
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4056 --field-trial-handle=2272,i,17397441100992295909,1428235289898779820,131072 /prefetch:1
                              6⤵
                                PID:6088
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1484 --field-trial-handle=2272,i,17397441100992295909,1428235289898779820,131072 /prefetch:2
                                6⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:6924
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
                              5⤵
                              • Enumerates system info in registry
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:976
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffcea9e3cb8,0x7ffcea9e3cc8,0x7ffcea9e3cd8
                                6⤵
                                  PID:4380
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
                                  6⤵
                                    PID:3312
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
                                    6⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1240
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
                                    6⤵
                                      PID:760
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                                      6⤵
                                        PID:4580
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                                        6⤵
                                          PID:3180
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
                                          6⤵
                                            PID:5876
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
                                            6⤵
                                              PID:6580
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
                                              6⤵
                                                PID:6588
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
                                                6⤵
                                                  PID:6960
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
                                                  6⤵
                                                    PID:6968
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
                                                    6⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:6360
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
                                                    6⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:6828
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2079173150008775675,18009799664299847800,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4776 /prefetch:2
                                                    6⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:5328
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                                                  5⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2768
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                                                    6⤵
                                                    • Checks processor information in registry
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of FindShellTrayWindow
                                                    • Suspicious use of SendNotifyMessage
                                                    • Suspicious use of SetWindowsHookEx
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:4020
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.0.99064562\390398480" -parentBuildID 20230214051806 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c318e2c-e2fa-4860-a172-7e0265fd3530} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 1828 1f50b40e858 gpu
                                                      7⤵
                                                        PID:5012
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.1.593226687\1477498662" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f37102d-3baa-4547-93cb-349913250a89} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 2420 1f50a220b58 socket
                                                        7⤵
                                                          PID:844
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.2.2074304939\1313740049" -childID 1 -isForBrowser -prefsHandle 2680 -prefMapHandle 3020 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c7a7eb3-90ba-438f-ae52-01d9a35b5eee} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 2884 1f57e43eb58 tab
                                                          7⤵
                                                            PID:2640
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.3.985046418\344815380" -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 27549 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02f31a5b-c850-4949-8a93-4565deb066f6} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 3616 1f5112b2158 tab
                                                            7⤵
                                                              PID:1032
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.4.1842136520\808764092" -childID 3 -isForBrowser -prefsHandle 5248 -prefMapHandle 5244 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0641db10-878c-424f-acc4-ba18574b1ddf} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 5260 1f512ee4e58 tab
                                                              7⤵
                                                                PID:6004
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.5.897487004\1036686051" -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70be7ac0-888c-4990-a7e5-e8698bc1387e} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 5392 1f513023358 tab
                                                                7⤵
                                                                  PID:5652
                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4020.6.2128720154\1761339821" -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 940 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {641bce93-0dba-4e5f-b074-7252a18acb48} 4020 "\\.\pipe\gecko-crash-server-pipe.4020" 5672 1f513023058 tab
                                                                  7⤵
                                                                    PID:6060
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3456
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:5660
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5700
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3888
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:6552

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\ProgramData\mozglue.dll
                                                              Filesize: 593KB
                                                              MD5: c8fd9be83bc728cc04beffafc2907fe9
                                                              SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
                                                              SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
                                                              SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                            • C:\ProgramData\nss3.dll
                                                              Filesize: 2.0MB
                                                              MD5: 1cc453cdf74f31e4d913ff9c10acdde2
                                                              SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
                                                              SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
                                                              SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                              Filesize: 240B
                                                              MD5: 9d69f099509dc85254858f147bb1d9a5
                                                              SHA1: 1ff277b1c965e1a14bcba0357b6d94b982b5e416
                                                              SHA256: e0528d57de9a08e551f18941fffc3b3a4537739158a17f5ef5552c74f31d6335
                                                              SHA512: dc00cdfaa05fb0358d5fe54673b65bb577400c38f43b65a67e1f053e50a422bf651b8f51e85a98748b034840b43cade7d93abc1b7f05322ccf6fb2e9fc26de01

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                              Filesize: 2KB
                                                              MD5: 0096916593645a96d713321d51d9da9a
                                                              SHA1: dfa129ba04cb576a2e6ad1a3811161ae69d0cb3d
                                                              SHA256: 5245279b90ef55d21baa09e5249483f64a8ebd93fa3742591458a5d5a9c47257
                                                              SHA512: 00ec6d87f16f2798d99055bdb761f403c175d665e6d5688402ec6406c86e0160658d2c083d903fca0da2f2f2f8b336184af93e8ded2b575bd6e6acc6d34905d3

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                              Filesize: 2KB
                                                              MD5: b62f46d8eb93476a092333a1dc79e50f
                                                              SHA1: 4194da915059ebcc162783274621e16f857f8cab
                                                              SHA256: ed29b71c53523bb9bd56d5ea02a6da2c81b9be075ccdea19ae821f112a26daf9
                                                              SHA512: 261b54695b00dce2bf4852069ac1d884277ae5dab5a0d5f837da75fdc939aa45ad19ce988129338fd98f75f0063ead971f34ca0e1cb36b6ea5eb18d93f5022a0

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                              Filesize: 2B
                                                              MD5: d751713988987e9331980363e24189ce
                                                              SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
                                                              SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
                                                              SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                              Filesize: 522B
                                                              MD5: a34b923b524d8411bbbb47b15878b09a
                                                              SHA1: 11de3bd923bf75c779d27534aeda1a2d3a6f3ddd
                                                              SHA256: 13941012f0c184dd1445a0a01a26031b74440b5f5a1ee5fe2c8a3b384e7bd03f
                                                              SHA512: 88bcd3916d5c1016eed0201a94eeaae640656bfef1ea63902f37726fb63f826d888d6f3f67006de90da2a3bec3c0bea2b9fb87ceb92e5a7720415ff4883a0194

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                              Filesize: 6KB
                                                              MD5: b8ad1ad3961f3023d7af3186bee2f5d8
                                                              SHA1: 2c4204ee94802fc2aea8d84db35dbe5c81255631
                                                              SHA256: 86841012832e6e541f6a2625451c3c7608fb3ee0aed455fc5b54732e5033353b
                                                              SHA512: dd5e2cd16a58ba05e07af5f135e2e6bb3ed0b6d9a4e79f7c6dad299f3e5856ec6288e2b8477326adf5d14fbaf505202a804264762a1fd78bea3edb7d5c80d5f0

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                              Filesize: 144KB
                                                              MD5: 50cf75d85e197efb4a3ef238bb5ca3cb
                                                              SHA1: cc5d7bba75bd88d96b054b9fc6dab9e0ed61b61c
                                                              SHA256: e6b567e084935462ea9970d88b86bb9d03d5bd137bf74d4c63b8f6d5258ebf75
                                                              SHA512: f43439f705336880e94dc340ac005a58ff7075d107a67f99e229995a821798b587de4e2af5bdc68c0f0bc817562ac3a8c140c2a99ef81d1a999493b7dc705208

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize: 152B
                                                              MD5: 3f42f939f0a7c91eef0187527bc7babc
                                                              SHA1: 66d141ee21ab2de3a37f1d92e327aa184d828fd5
                                                              SHA256: 64a131bb18bd4844b4ea4b6bc84727c638b94523be764dad0b1407394c457c6d
                                                              SHA512: 18d62cb1f7d7229c37432e83f2356c865099caa9d43f716b465e8624d9288b1a3024bba84a1e83f6721c31a71eecdadf4118848ce4a63bf1230be4e16ead4178

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize: 152B
                                                              MD5: b297afa13018b3e24efaf2b905677172
                                                              SHA1: 6d6d01d9b35901af0f4976d0819bab393e920f98
                                                              SHA256: e810acf7bb28b7577c33ad7b22b3b849858e45e9c16ba316b0ba945ef48337dc
                                                              SHA512: 72dc4db9a40e9e0947c2d58835a75077d65f1f1939463aad5a81368be891890d8d19d1d9df858c957b5a43998ef6100b29710231496636cabc66a1e3a1cc6c2c

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
                                                              Filesize: 67KB
                                                              MD5: 51c3c3d00a4a5a9d730c04c615f2639b
                                                              SHA1: 3b92cce727fc1fb03e982eb611935218c821948f
                                                              SHA256: cb1e96afd2fec2b2b445be2f46c6b90db19c2ed2f0278f57f7490a299e88c19f
                                                              SHA512: 7af8ec3160e4dbae2c3359146c0a82c32a02697d332138c391e4295d00f49ed1070857a0afe16222c5cea1cafffc4d26df525543f187be43a59967df1e919542

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
                                                              Filesize: 38KB
                                                              MD5: c3aa6e31c125d83fb2eabcc9e33843dd
                                                              SHA1: ad91b78e1a9853ee876b77b82f75100ff5690d11
                                                              SHA256: c32b5cffb8ac92df9bd9340b75b8d0772a071af36df5b27879e45f6112f9b5b4
                                                              SHA512: 897efddeb2d96e24aca43385cfb86a065034c4bb045c2e2b7391572e0ddd4a820b70fa83854de5048d7b7316fc9fa2f078924aab62206a7a135aaf91176a4c6b

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                              Filesize: 216B
                                                              MD5: 1857d8a4a18bf842fcb8793c5fb60fed
                                                              SHA1: 6ddbad0e83ebb0fbb431e8b5ad3c3f87e129982c
                                                              SHA256: 5ea6ac2ab1593e49679e18cdffaf51a2fe74c072ffe9d1cd4d64291e34c6e56d
                                                              SHA512: d563b956964a7d0fa40c5a5ab11951d638e330d8ade77b2c4fd39834cfa16d2172a0b96d78fb760b937242f9ab3225a2718e5b58444cb4802ab04f681bad8d58

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                              Filesize: 1KB
                                                              MD5: 8fe49fabd691bb9df75ea0f2f8bcb89d
                                                              SHA1: 42434a4d0a37a50e046707283b8925aec67bdd7e
                                                              SHA256: ebe7e3903f940d0ad42ff175c8d4453856bb1603bb0148c3084cb1afeff41dd0
                                                              SHA512: 4ba70a974f271352b9d2861519dbe80517511645a658d95faf446762b6c83d54385f78c7b556bc287c76f8da9835ad4df5bfc05699bfdafb74ad3901615ad20d

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize: 5KB
                                                              MD5: f953f77deb2cd7d2dbbe20005775b751
                                                              SHA1: 21ac9c4ef6bf69c3e63ab4f49496c9e48c02a6a5
                                                              SHA256: 150d2cea24308db767a21865dd8d3992679f8e17ebc45ed34a2978a3a752a4d7
                                                              SHA512: 8d6da0245cc63183da2bebc8ac849634977721238677dea09cf20840b8738c5343743968569ae3b8fd800637203a2f8669b6245a70fad9a2372727f8b971218a

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize: 6KB
                                                              MD5: 285f37ba937be9b420404905c22a4ca1
                                                              SHA1: a73a465692b634d82f26ced1d7f16b971f4f7713
                                                              SHA256: 574d41c3c0238133a86e6c8754e83fb7fafe2c40fcb862cb7431e70e360629b4
                                                              SHA512: 04e65bcc89691c6c896739e6a6e69457ee793ae51038bfa715ebf2d58f4c3f4363fd13b257c167de3ae2339c540fb4689d6a178ac4e8999497d7dd79aac77638

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                              Filesize: 16B
                                                              MD5: 206702161f94c5cd39fadd03f4014d98
                                                              SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
                                                              SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
                                                              SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                              Filesize: 16B
                                                              MD5: 46295cac801e5d4857d09837238a6394
                                                              SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
                                                              SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
                                                              SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                              Filesize: 11KB
                                                              MD5: f04bd945fa5218093a3395cc94b8e073
                                                              SHA1: c8c4bc963f3ae63a0d02110176bfd0746ce54e32
                                                              SHA256: e9d8569c9e32a2b04a2e141226eb5a9cea93eafd684148c59ea6351d07780f29
                                                              SHA512: 9e4e20e190fe125502a349bfe1292a8bdc508f76dd1bddda81408accb9644ca3d1416d095afa4b42e6840cd5eabadd47bc5ff47832509dfd619cb0c20370a631

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                              Filesize: 11KB
                                                              MD5: 54a0c4e1490a756ef031813080258bd8
                                                              SHA1: eded205d77105e85a34970ef34029a67d3b8408f
                                                              SHA256: 69663995d9d5ef95eee01e6503d679974f0829130768469c6e9a796eff0203e1
                                                              SHA512: 9b94752f32209315a28d49a74851340b7b3394a2bf729a7ff3795e87cae4c930f6661824af4e52ec9a4e445f0046923b6bc9d8c0f0a7b6b58257829806559962

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bj62taxj.default-release\activity-stream.discovery_stream.json.tmp
                                                              Filesize: 22KB
                                                              MD5: 1d09b29a1cc0f2bc473e6b5e7b454dc1
                                                              SHA1: cbf963e13b2071ef15e8c5aa987a85a5c5d30480
                                                              SHA256: b4e4e4a02b4e7de8e3c57d95dee4fe8390e8025a1cc37218d2bfe0c3e365fa8b
                                                              SHA512: 9fe03b056bee7553682bdf0db4fa6214a4789e79f82ffbf89a59f81052b730855664c5f798c0079ad8bd3b3b25528244fe579167e24359cff85d8875ed0bc28c

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bj62taxj.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
                                                              Filesize: 13KB
                                                              MD5: 4a0a01f91485d36cd6b00d5e15dacbd6
                                                              SHA1: df3859652d01d6d952bf3d00d517d9df3fdd7c8e
                                                              SHA256: 3b428989b22f91a428848849b93ed6a4aaba18d7a861957d2da2b53fa969f4aa
                                                              SHA512: 2ce15eded43dcdf453ee1bc41596bb0a6eb84679ced145349d68a8f541194881aa8d5681e4b9e9bc08fbff28dccd9cbdeb4e4784569b94b98a3429bee58b1d19

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bj62taxj.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
                                                              Filesize: 9KB
                                                              MD5: 06c615f5a88d8c54847951f1a1907fdb
                                                              SHA1: 32c1203b32c2f0b8171e172c92e3a7411a7081c5
                                                              SHA256: 943e07e4f6fc973b4ec17c9d8e5223c53f2bea8ccdf03e6033447f9772c42fe0
                                                              SHA512: 81cb4420ae1440eee08fa7ecb44ad791e4188fa1f5a5c654ff4c7103a61ae740043907b68601c057314db666e9ef5945c2e4294a783a19b10acb07124601a2a3

                                                            • C:\Users\Admin\AppData\Local\Temp\1000006001\3d12ee6466.exe
                                                              Filesize: 2.4MB
                                                              MD5: c03d62f485ea79a178992f22c713c4a5
                                                              SHA1: aa16eb2b07a4b91b44c9e484923eb8bbcaf893d0
                                                              SHA256: 546b5457cd26c9230fc49a456197aeeb761241adc2dd2774c37b1d3189968cb9
                                                              SHA512: 3051d67889704c3adfe2748612d88b40acdde17b3fcf54ef8ae7466bd38b121db130300b53c9db9a981292507cf830d99bcd86ccacf320ec0198faa40af043fb

                                                            • C:\Users\Admin\AppData\Local\Temp\1000010001\9f0c7c6bc4.exe
                                                              Filesize: 89KB
                                                              MD5: bc08b445116ecc06852a929a5d302c4a
                                                              SHA1: a78aa42220b90d47b4cf63119e6082f06b295f57
                                                              SHA256: 5b232254dd2d33eb576516116977c884fba81d5a8427f742a73655f9e076efc6
                                                              SHA512: 657a21d453112fb909be4005e0cab1ebf467840e275a159eb535b486432ffa0bfcc60da92475b26f08a0ea481c927654520a43163e04e34324551cb3bfd69fdf

                                                            • C:\Users\Admin\AppData\Local\Temp\BF68.tmp\BF78.tmp\BF79.bat
                                                              Filesize: 2KB
                                                              MD5: de9423d9c334ba3dba7dc874aa7dbc28
                                                              SHA1: bf38b137b8d780b3d6d62aee03c9d3f73770d638
                                                              SHA256: a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698
                                                              SHA512: 63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

                                                            • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                                                              Filesize: 1.8MB
                                                              MD5: 8bc520e6b221e7998eb73c10c830fbd6
                                                              SHA1: 8a825403f8bff789c60e4dfb67ead847c957b0d4
                                                              SHA256: 506ecb56dcf6b280d4f553a0fb009ba1760251e411916ab715701b53ae8fe943
                                                              SHA512: 58d087c499275776e155cb38782f3eca9bdcb516a5707023eb60f31e99ace240076f59ce0c1fc8b7c7382583edfa0f29a68fde23c891a6f0d28de0d3703c94d6

                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                              Filesize: 442KB
                                                              MD5: 85430baed3398695717b0263807cf97c
                                                              SHA1: fffbee923cea216f50fce5d54219a188a5100f41
                                                              SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
                                                              SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                              Filesize: 8.0MB
                                                              MD5: a01c5ecd6108350ae23d2cddf0e77c17
                                                              SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
                                                              SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
                                                              SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\cookies.sqlite-wal
                                                              Filesize: 256KB
                                                              MD5: 569bf2320f0837639c809c3bf9b3fda7
                                                              SHA1: eea8fdfbdbea5f4f17418b87933e154a93cf3064
                                                              SHA256: 6e0ea9906111d3c1d359574da80970823b8433a7d39f302c8199e56a45d94fd1
                                                              SHA512: 80339351fe830938e43cc9cec38f769aa22f14561391bb8b81a29c57807b4182f286b9ebba1fabf3ad424bd77589e1c8f8d14e1568b03c50760280b4bb0f80e0

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                                                              Filesize

                                                              997KB

                                                              MD5

                                                              fe3355639648c417e8307c6d051e3e37

                                                              SHA1

                                                              f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                              SHA256

                                                              1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                              SHA512

                                                              8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                                                              Filesize

                                                              116B

                                                              MD5

                                                              3d33cdc0b3d281e67dd52e14435dd04f

                                                              SHA1

                                                              4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                              SHA256

                                                              f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                              SHA512

                                                              a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                                                              Filesize

                                                              479B

                                                              MD5

                                                              49ddb419d96dceb9069018535fb2e2fc

                                                              SHA1

                                                              62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                              SHA256

                                                              2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                              SHA512

                                                              48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                                                              Filesize

                                                              372B

                                                              MD5

                                                              8be33af717bb1b67fbd61c3f4b807e9e

                                                              SHA1

                                                              7cf17656d174d951957ff36810e874a134dd49e0

                                                              SHA256

                                                              e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                              SHA512

                                                              6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                                              Filesize

                                                              11.8MB

                                                              MD5

                                                              33bf7b0439480effb9fb212efce87b13

                                                              SHA1

                                                              cee50f2745edc6dc291887b6075ca64d716f495a

                                                              SHA256

                                                              8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                              SHA512

                                                              d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              688bed3676d2104e7f17ae1cd2c59404

                                                              SHA1

                                                              952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                              SHA256

                                                              33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                              SHA512

                                                              7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                                              Filesize

                                                              1KB

                                                              MD5

                                                              937326fead5fd401f6cca9118bd9ade9

                                                              SHA1

                                                              4526a57d4ae14ed29b37632c72aef3c408189d91

                                                              SHA256

                                                              68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                              SHA512

                                                              b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\places.sqlite-wal

                                                              Filesize

                                                              992KB

                                                              MD5

                                                              5b84a398c58e8bb9cc2b1bb26d21a2c4

                                                              SHA1

                                                              a5f4f0d25b4b9f89265ae9539d870facd138a9a9

                                                              SHA256

                                                              d736323de29bc776aec11aa342bd26ee4e99ccfe25c0d6817000743cd1dfb897

                                                              SHA512

                                                              29988e1aec6de9cd4d40cdec113025af8124d72d999b2e5abf4b360b80bcb9844db898c6f27611d08323f52e7057058689085808a6f6915f86dc558bc15cc762

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\prefs-1.js

                                                              Filesize

                                                              6KB

                                                              MD5

                                                              231356e58e34a2287c6b8dcb813303fe

                                                              SHA1

                                                              7ab962bad6ddbf165ade36bac9fd32f54eac772f

                                                              SHA256

                                                              bd928b1ba909444cf1b187d4b1fc0af788f644aae700f588b3ef0cf74219f535

                                                              SHA512

                                                              c25818a02cbbdcef873afe2d703b942042e5821249c497574d3d262af3b2a265fe01abbd3003f620a9491b45376114c2bd0ce6d8836513b49ad1caf1c69d3878

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\prefs-1.js

                                                              Filesize

                                                              8KB

                                                              MD5

                                                              12fd66e435bbdc1d2d01372f9d5ea82e

                                                              SHA1

                                                              2017196c2fb2aa1fc5535de3f065afd0f69f664b

                                                              SHA256

                                                              ac97337cc9b19a093e73607c9f30b702a9c91c72a307e8e1eaf314276fadcbbf

                                                              SHA512

                                                              8333975a4a4bfc94500127f077ff3e002512446d3da668d385029a1b8f9b62ab958a167a08c2bfbc297712d0a3b1e2af5aed1c22b286cf4ea2fc125e2c9d1df6

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\prefs.js

                                                              Filesize

                                                              6KB

                                                              MD5

                                                              2d2c9cfeaae07ef44dbee5693ef7aba5

                                                              SHA1

                                                              897fca56cac886e5d5c3dc4ba163613879b5b0bc

                                                              SHA256

                                                              d2fc7b9916c51e0c4d02368ffd06e4d02400620c6d91d3403ea3bcffcf1761b8

                                                              SHA512

                                                              075a72f5e2f9f1da07d1be30f7550e00af56f3e04e27d66553c0afd7d70df1e793d01f3cf9d528e24c31dde5e8a3f1b0c362d51439ad924521dfefa83a7a0406

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bj62taxj.default-release\sessionstore-backups\recovery.jsonlz4

                                                              Filesize

                                                              4KB

                                                              MD5

                                                              a80793534029cf4abe537542e8655fe8

                                                              SHA1

                                                              b1fd0f754193e4927432500d0ffeea845b3b4aef

                                                              SHA256

                                                              c02472a24eaff6fa841c990ad94c1fcc42c14fd623e94e15f288acd58e3f2f3f

                                                              SHA512

                                                              67de57a3c0b25d299009100271d3cd521cd448940eea4f04f73a0801c34c81215cb18f03a436e2e5f22613332edc733cdb3b580312201c6285eb1ba3fe143b2f

                                                            • \??\pipe\LOCAL\crashpad_976_ZDPMAVECWCZVTTNI

                                                              MD5

                                                              d41d8cd98f00b204e9800998ecf8427e

                                                              SHA1

                                                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                              SHA256

                                                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                              SHA512

                                                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                            • memory/1968-2497-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-2508-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-398-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-375-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-2528-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-413-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-2527-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-2514-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-2510-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-2509-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-227-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-21-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-20-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-19-0x0000000000C61000-0x0000000000C8F000-memory.dmp

                                                              Filesize

                                                              184KB

                                                            • memory/1968-2469-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-16-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-2439-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-1777-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-333-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/1968-633-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/2008-37-0x0000000000DB0000-0x00000000019A8000-memory.dmp

                                                              Filesize

                                                              12.0MB

                                                            • memory/2008-323-0x0000000000DB0000-0x00000000019A8000-memory.dmp

                                                              Filesize

                                                              12.0MB

                                                            • memory/2008-314-0x0000000000DB0000-0x00000000019A8000-memory.dmp

                                                              Filesize

                                                              12.0MB

                                                            • memory/2008-114-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                              Filesize

                                                              972KB

                                                            • memory/3888-2242-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/5116-18-0x0000000000BC0000-0x000000000107A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/5116-3-0x0000000000BC0000-0x000000000107A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/5116-2-0x0000000000BC1000-0x0000000000BEF000-memory.dmp

                                                              Filesize

                                                              184KB

                                                            • memory/5116-5-0x0000000000BC0000-0x000000000107A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/5116-0-0x0000000000BC0000-0x000000000107A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/5116-1-0x00000000779E6000-0x00000000779E8000-memory.dmp

                                                              Filesize

                                                              8KB

                                                            • memory/6552-2512-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/6552-2513-0x0000000000C60000-0x000000000111A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/6848-324-0x00000000004B0000-0x000000000096A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/6848-368-0x00000000004B0000-0x000000000096A000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/6924-334-0x0000000000F40000-0x00000000013FA000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                            • memory/6924-374-0x0000000000F40000-0x00000000013FA000-memory.dmp

                                                              Filesize

                                                              4.7MB