Analysis

  • max time kernel
    32s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-07-2024 02:02

General

  • Target

    f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe

  • Size

    1.8MB

  • MD5

    5513ba120b37a0384b2beaac145cea34

  • SHA1

    265914c39c9709afe425f1b95bc7059b43cd1578

  • SHA256

    f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce

  • SHA512

    7ec94f417aa2cfbe2cf96e4b617e4f9052b555ea19fc9d0ca74340ce243101acfcb6c225e02e8341f1165d94e4cee97862c50985c433340f34356c989fcbd484

  • SSDEEP

    49152:CYr2qXw+wp7iVIp60KRDEc+CSSqCQdVLrsfB3nkrHor:kYwp7i/0WDZte54nyHor

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes
  • install_dir

    0d8f5eb8a7

  • install_file

    explorti.exe

  • strings_key

    6c55a5f34bb433fbd933a168577b1838

  • url_paths

    /Vi9leo/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe
    "C:\Users\Admin\AppData\Local\Temp\f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe
        "C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CEA5.tmp\CEA6.tmp\CEA7.bat C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1856
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778
              6⤵
                PID:1800
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:2
                6⤵
                  PID:836
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:8
                  6⤵
                    PID:1300
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1440 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:8
                    6⤵
                      PID:300
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1892 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:1
                      6⤵
                        PID:840
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1904 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:1
                        6⤵
                          PID:1600
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2148 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:2
                          6⤵
                            PID:3292
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=2032,i,750145467879224055,14573684811165027524,131072 /prefetch:1
                            6⤵
                              PID:3316
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                            5⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2436
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                              6⤵
                              • Checks processor information in registry
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:1128
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.0.1973984473\1342185228" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1252 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dc99275-6378-401c-aee2-3e916a331c64} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 1324 10ad8058 gpu
                                7⤵
                                  PID:2244
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.1.38466447\1580264963" -parentBuildID 20221007134813 -prefsHandle 1508 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f23d13a-66c8-4592-a7b8-08208f55bf3e} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 1536 f8ed258 socket
                                  7⤵
                                    PID:2336
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.2.2061216034\733566373" -childID 1 -isForBrowser -prefsHandle 2200 -prefMapHandle 2196 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e11bda11-c4ee-4788-974e-4af15dbc0166} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 2260 199e5358 tab
                                    7⤵
                                      PID:2888
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.3.143158820\952057950" -childID 2 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbed8261-4483-4324-931d-75b8ed9dff5f} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 2988 1dad4a58 tab
                                      7⤵
                                        PID:2544
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.4.43057313\1610499545" -childID 3 -isForBrowser -prefsHandle 3720 -prefMapHandle 3524 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f814a806-58cb-42b1-ae88-acb02d851694} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 3616 1bd9c458 tab
                                        7⤵
                                          PID:3704
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.5.833534531\1612614412" -childID 4 -isForBrowser -prefsHandle 3796 -prefMapHandle 3812 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88342b5a-b7e4-4089-80d2-fdd0217901b2} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 3828 1f5fcc58 tab
                                          7⤵
                                            PID:3724
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1128.6.174624359\681696808" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 760 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecd91e93-ecbc-414c-8ac5-e92320231121} 1128 "\\.\pipe\gecko-crash-server-pipe.1128" 4000 206b1858 tab
                                            7⤵
                                              PID:3732
                                    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                                      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
                                      3⤵
                                        PID:2372
                                      • C:\Users\Admin\1000029002\d42f45addf.exe
                                        "C:\Users\Admin\1000029002\d42f45addf.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:3304
                                      • C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe"
                                        3⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Loads dropped DLL
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of FindShellTrayWindow
                                        PID:1496
                                        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
                                          4⤵
                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Identifies Wine through registry keys
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:3960
                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                    1⤵
                                      PID:1568

Network

MITRE ATT&CK Enterprise v15

Downloads

                                    • C:\Users\Admin\1000029002\d42f45addf.exe

                                      Filesize

                                      2.5MB

                                      MD5

                                      e70b307e33e856cc9cb70a59a32102da

                                      SHA1

                                      24b6d3e99b0e5ee94b7b591c40f7ac2b0ba6f555

                                      SHA256

                                      8d7e591c16734d05b2b7d4b074a16ce05dc89d904d63e6de9add91aaeef4cccd

                                      SHA512

                                      0c59c31f54214c1875a9314f689346c4755371bfbbfd245f3c90a00cd32b3ff8a378fdcd1b4fd597a956b39d310e3b31993103990166013ff5c61c15e63aa50b

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                      Filesize

                                      2KB

                                      MD5

                                      03ff65d684d0c7a95e846ece8e37fcbf

                                      SHA1

                                      cd669d009471059381f7ed4bba1870a24a861b81

                                      SHA256

                                      7d6d7f3244d8518729df2e95e5cae365eb4aa013bf98827fd596415639248891

                                      SHA512

                                      76a17c9c0eaf6d5885c0486d6dc6374bb306f75800370a6eb2b78fbf26072250592384f2f610577b4a966a7343b7b86efa8957e31f67487ad99c2a718fa950c2

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      96fba9e8594731fac5416a649f1a0f9e

                                      SHA1

                                      2e6ccdee3c1ce66a44c1e45e475ccdfabde3bd8a

                                      SHA256

                                      7f13fef3ac7cc801c98135efbdefe2e5b1bb950cb3d3a3e9df45fda7e8441f0d

                                      SHA512

                                      b6c278b3b7650ec28a4336db7169f5fee4160e4b28dacd2d92dbc2dca96a02a7e0655fb0dd6c25d17af9d2876fc280b88a7cc141c54caaab8296dd2b257712c1

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                      Filesize

                                      6KB

                                      MD5

                                      d0863918fb413bc7aceee3cd94003d43

                                      SHA1

                                      725b270bd6da9f48894aaaf6d19dbf2f349b7ea1

                                      SHA256

                                      914d6b5aa4e0172d3736acc544eb05b8d411b09dc6bdfaa34616291795a709c0

                                      SHA512

                                      25576a9d96391784ac576d002fea6af5aed376a16cf2b4f0dc3770c8612b3ce8e67d20a17ad7159bf5fbde24cc79e20fa994fb11fe6e2f821dfcaca79d9ba1bf

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

                                      Filesize

                                      16B

                                      MD5

                                      18e723571b00fb1694a3bad6c78e4054

                                      SHA1

                                      afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                      SHA256

                                      8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                      SHA512

                                      43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

                                      Filesize

                                      264KB

                                      MD5

                                      f50f89a0a91564d0b8a211f8921aa7de

                                      SHA1

                                      112403a17dd69d5b9018b8cede023cb3b54eab7d

                                      SHA256

                                      b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                      SHA512

                                      bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\activity-stream.discovery_stream.json.tmp

                                      Filesize

                                      23KB

                                      MD5

                                      4fa148cb6fee80f059eff5a08c913cc5

                                      SHA1

                                      975fae2afb4a7dc3278bbd7886f0c739ead0e2a5

                                      SHA256

                                      5a78a19af6a3d2d4983c18c638d078bb2dbaf4a813df4624300c9be36865b542

                                      SHA512

                                      6a1e137eb8de57b7cc1686d8b1b83c9c68989052ceef3885aa81e1c2a10fe9d401c8f75f84e0979549bcfb151c2e03cbf9259db83f1bc220e4ec09c36adff893

                                    • C:\Users\Admin\AppData\Local\Temp\1000020001\c81c483364.exe

                                      Filesize

                                      89KB

                                      MD5

                                      f19f62959c79af73e6353063cfab9482

                                      SHA1

                                      8f62871b4c9a2ab35033561e4dc0d478e629391a

                                      SHA256

                                      bafb29d6c0e54ea3dc758787b59dd494d24bc0d96806c8569fb2d026e2c50c65

                                      SHA512

                                      46cb00fbf95292c7ed2c3603a9be660b1fb35de1f6f8bf34b6e2131ec8c140e6b5df5e22a582a35e7cbe71c0aedaa1b3d7e532d3bf82f7148e25a8f8d22a28ed

                                    • C:\Users\Admin\AppData\Local\Temp\1000030001\77d7353e97.exe

                                      Filesize

                                      1.8MB

                                      MD5

                                      84eccb1551a0f935ffb90b1ba34f252c

                                      SHA1

                                      f61b51e32e704d120f5ce4cfa396056f11df7cf5

                                      SHA256

                                      bed9c9b34238e724d9c237dfa440010c8743b29330ed688b5f01a0bea8d15cfd

                                      SHA512

                                      0cb0d40bed2927de85ec4338d2a19d2bec49487e8ada6b375a9b034e168324a1a85f9c0937560e9d2628487b7302ca6a84e50fd3b717df20fb0c08e07c5aade7

                                    • C:\Users\Admin\AppData\Local\Temp\CEA5.tmp\CEA6.tmp\CEA7.bat

                                      Filesize

                                      2KB

                                      MD5

                                      de9423d9c334ba3dba7dc874aa7dbc28

                                      SHA1

                                      bf38b137b8d780b3d6d62aee03c9d3f73770d638

                                      SHA256

                                      a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

                                      SHA512

                                      63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

                                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                                      Filesize

                                      442KB

                                      MD5

                                      85430baed3398695717b0263807cf97c

                                      SHA1

                                      fffbee923cea216f50fce5d54219a188a5100f41

                                      SHA256

                                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                      SHA512

                                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                                      Filesize

                                      8.0MB

                                      MD5

                                      a01c5ecd6108350ae23d2cddf0e77c17

                                      SHA1

                                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                      SHA256

                                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                      SHA512

                                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\db\data.safe.bin

                                      Filesize

                                      9KB

                                      MD5

                                      6e85ad44a4eb57e461e0ed2afe76e816

                                      SHA1

                                      8e47caf5f20422a7c1e864f0cd237ee8aba71fc5

                                      SHA256

                                      95e57d06ddeee72dcdfd3a2e99c0e09f391a083b38c2ebad4dda1df7f78f989e

                                      SHA512

                                      3ae1774100b48a908ed6bfe8b8771642d72a4bfb9d2dd8d545592a199608b322df924762f7234d32a705ce0695e15ef671cef565f96955427d2aeb13db6e381c

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\datareporting\glean\pending_pings\50f8dc44-9442-4b3c-9e75-bbb57fc3e2e0

                                      Filesize

                                      733B

                                      MD5

                                      9f86d31eea205037842a2de2ede16f14

                                      SHA1

                                      ff499a3e5ddb8951638a8071f6ce7d12c41a578d

                                      SHA256

                                      98c9689d184b142cdb25eac4f83c53748d0b7a793afd2176f6714dd643399cfa

                                      SHA512

                                      733012182f88c81f14524894be801d63249d9a4bd913cadd0463fa0f4db0a71059bd9065c60980a1d85e1ea4072f046c5eff307d835af673408fd7590d6012ee

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js
  Filesize: 7KB
  MD5: 73d5dac23cd74f0ccf1b4a84e471a11f
  SHA1: c5a51474c5831b81c5d03733767ef2b8ee39adc5
  SHA256: 3a83a040f15ad17f3e25694142a2f6e971e075a1e9bd9f048104906d40bc5317
  SHA512: e7cbb47f3862df2537151cf7b07d9738740cb328d074bbe17e5ce9929d8c2af8b40205b2888fb0496a3bcebbb9d7cab4e9fe217c29194e9f6b41ffd212846753

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js
  Filesize: 6KB
  MD5: d7db84fd8f9d1f12fbc55e04d7752aeb
  SHA1: a4e8339f2f68f3541b9053addb92f9a3b92b9eb5
  SHA256: af74e1998801ec2018d949120be6b3cdffbcb8383b608766b3f24baebf3be969
  SHA512: 286c4f65e22d409afa94a0cbb6211f037cccc9690bd9217d564f89c2e0f1e5dd67ff89deb8e5153e51dcc015678d910a71501b0c94b1586c0a8bf70e9d44a59e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs-1.js
  Filesize: 7KB
  MD5: 0992874738f1bc1d3a1d96ab6e6d7ad2
  SHA1: 7b007fa124a724cd46b3cfba01f8bca049289a44
  SHA256: 68bc324c508ee15aabde79735fc4e8705c78ea7e0c310864213eeab4a124f766
  SHA512: 6af6b4b18bcc2e2e301bf5ea8af381262c71036a58962e4e9a4fed1c860869f4418265872ff96de95e4bc0322bf1b766aab6654271c9d451690fd9beb8207c6e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\prefs.js
  Filesize: 6KB
  MD5: 4bfc440c9844ef6450c9959948352816
  SHA1: 5fd1756501797187c9d116dfcf43ea7dae93088c
  SHA256: 3d3b8303df2bb07f959e32cb5509fc9f402667dcda721a450d913337be10888f
  SHA512: eb58937cb55c7b706f112bb102c81338b2a490011c43cde7791787c9cdf029e2ca889c5ee8387d61ef660510fe17a801f4190a03e9d2403ab3ffb5e36491f070

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tg2k5l8.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 19092fe999575aa0925d7909f86ef2e4
  SHA1: bb200306e34da2f8541cb3958a3d70db27550b12
  SHA256: c9b44c4068a3c256395ebd21798ac37edc8ff92cfec830b3f509e3b5b33305e7
  SHA512: b54e7fee78d9d8c7115f81eb383d6f7a050cecaed406119160eb78de05c5e6da678bd838f3edf95cfe57d0819eceeea9f710bbf829f6d805ad74fe685387f860

• \??\pipe\crashpad_1856_ACOSULWVUVBXHGSN
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• \Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Filesize: 1.8MB
  MD5: 5513ba120b37a0384b2beaac145cea34
  SHA1: 265914c39c9709afe425f1b95bc7059b43cd1578
  SHA256: f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce
  SHA512: 7ec94f417aa2cfbe2cf96e4b617e4f9052b555ea19fc9d0ca74340ce243101acfcb6c225e02e8341f1165d94e4cee97862c50985c433340f34356c989fcbd484

• memory/1496-281-0x0000000000C20000-0x00000000010E2000-memory.dmp
  Filesize: 4.8MB

• memory/2064-333-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-101-0x0000000006020000-0x00000000064CA000-memory.dmp
  Filesize: 4.7MB

• memory/2064-320-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-321-0x0000000006020000-0x00000000064CA000-memory.dmp
  Filesize: 4.7MB

• memory/2064-325-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-326-0x00000000068D0000-0x00000000096B0000-memory.dmp
  Filesize: 45.9MB

• memory/2064-483-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-298-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-474-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-467-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-465-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-283-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-234-0x00000000068D0000-0x00000000096B0000-memory.dmp
  Filesize: 45.9MB

• memory/2064-432-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-21-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-19-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-18-0x0000000000E91000-0x0000000000EBF000-memory.dmp
  Filesize: 184KB

• memory/2064-463-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-461-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-17-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-459-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-421-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-446-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-307-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2064-430-0x0000000000E90000-0x000000000133A000-memory.dmp
  Filesize: 4.7MB

• memory/2296-3-0x0000000000CB0000-0x000000000115A000-memory.dmp
  Filesize: 4.7MB

• memory/2296-0-0x0000000000CB0000-0x000000000115A000-memory.dmp
  Filesize: 4.7MB

• memory/2296-1-0x00000000773B0000-0x00000000773B2000-memory.dmp
  Filesize: 8KB

• memory/2296-15-0x0000000000CB0000-0x000000000115A000-memory.dmp
  Filesize: 4.7MB

• memory/2296-16-0x00000000071A0000-0x000000000764A000-memory.dmp
  Filesize: 4.7MB

• memory/2296-2-0x0000000000CB1000-0x0000000000CDF000-memory.dmp
  Filesize: 184KB

• memory/2296-4-0x0000000000CB0000-0x000000000115A000-memory.dmp
  Filesize: 4.7MB

• memory/3304-297-0x0000000000400000-0x00000000031E0000-memory.dmp
  Filesize: 45.9MB

• memory/3960-466-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-462-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-422-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-464-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-447-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-460-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-335-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-468-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-433-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-475-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-431-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-327-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB

• memory/3960-484-0x0000000001360000-0x0000000001822000-memory.dmp
  Filesize: 4.8MB