amadey | a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd

Analysis

max time kernel
149s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/08/2024, 02:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
Size

1.8MB
MD5

541a410ec2e96f6ce14befd4312b3478
SHA1

69824f49bb7b180904632f865652429a5762c290
SHA256

a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd
SHA512

3f2fed505a34b92c40251c2d66838e92ae0d9f8323f9a7ad3edf0103c46dffa086b5574713a92dd4f23088faedd151ed959cd70e2a609f3add39f090f03cd046
SSDEEP

49152:+IB/3VYp0sZrvCFF5QLCmg8hxPm1eL5Z:+K/NsZrkF5Qpjm1eL/

Score

10^/10

amadey stealc 0657d1 default kora credential_access discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

default

http://185.215.113.24

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe

Executes dropped EXE 7 IoCs

pid	Process
2628	explorti.exe
4740	explorti.exe
2912	e228930212.exe
4184	aa9a0b8129.exe
4028	e320a0a595.exe
2320	explorti.exe
1688	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
Key opened	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Wine	explorti.exe

Loads dropped DLL 4 IoCs

pid	Process
4028	e320a0a595.exe
4028	e320a0a595.exe
4184	aa9a0b8129.exe
4184	aa9a0b8129.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\e228930212.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e228930212.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2912-408-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-547-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-548-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-608-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-797-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-799-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-906-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2669-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2713-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2717-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2719-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2721-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2726-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2733-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe
behavioral2/memory/2912-2735-0x0000000000790000-0x0000000001275000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs

pid	Process
4216	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
2628	explorti.exe
4740	explorti.exe
2912	e228930212.exe
4184	aa9a0b8129.exe
2912	e228930212.exe
4184	aa9a0b8129.exe
2912	e228930212.exe
4184	aa9a0b8129.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2320	explorti.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
1688	explorti.exe
2912	e228930212.exe
2912	e228930212.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3560	4184	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e228930212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa9a0b8129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e320a0a595.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e320a0a595.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aa9a0b8129.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e320a0a595.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aa9a0b8129.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4216	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
4216	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
2628	explorti.exe
2628	explorti.exe
4740	explorti.exe
4740	explorti.exe
4028	e320a0a595.exe
4028	e320a0a595.exe
4028	e320a0a595.exe
4028	e320a0a595.exe
4184	aa9a0b8129.exe
4184	aa9a0b8129.exe
4184	aa9a0b8129.exe
4184	aa9a0b8129.exe
2320	explorti.exe
2320	explorti.exe
1688	explorti.exe
1688	explorti.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe
Token: SeDebugPrivilege	380	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4216	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
380	firefox.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe
2912	e228930212.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2912	e228930212.exe
4184	aa9a0b8129.exe
380	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2628	4216	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe	78
PID 4216 wrote to memory of 2628	4216	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe	78
PID 4216 wrote to memory of 2628	4216	a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe	78
PID 2628 wrote to memory of 2912	2628	explorti.exe	80
PID 2628 wrote to memory of 2912	2628	explorti.exe	80
PID 2628 wrote to memory of 2912	2628	explorti.exe	80
PID 2628 wrote to memory of 4184	2628	explorti.exe	81
PID 2628 wrote to memory of 4184	2628	explorti.exe	81
PID 2628 wrote to memory of 4184	2628	explorti.exe	81
PID 2912 wrote to memory of 1484	2912	e228930212.exe	82
PID 2912 wrote to memory of 1484	2912	e228930212.exe	82
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 1484 wrote to memory of 380	1484	firefox.exe	85
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86
PID 380 wrote to memory of 1416	380	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe
"C:\Users\Admin\AppData\Local\Temp\a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\1000036001\e228930212.exe
    "C:\Users\Admin\AppData\Local\Temp\1000036001\e228930212.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60d4f4f1-79b9-43c4-9cb5-c9ab983007e1} 380 "\\.\pipe\gecko-crash-server-pipe.380" gpu
        6⤵
        
        PID:1416
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5ca3284-47ba-4a14-970d-5ec18683a6c2} 380 "\\.\pipe\gecko-crash-server-pipe.380" socket
        6⤵
        
        PID:5072
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 3124 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fb8a340-7b05-48d8-aee5-ff00f8ce6f8a} 380 "\\.\pipe\gecko-crash-server-pipe.380" tab
        6⤵
        
        PID:5048
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2712 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7550c068-7d5d-4ab3-b121-e0b94fe7d88d} 380 "\\.\pipe\gecko-crash-server-pipe.380" tab
        6⤵
        
        PID:3524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4636 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4628 -prefMapHandle 4624 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c62385-d1f6-4d4a-a2b1-ace0267242fd} 380 "\\.\pipe\gecko-crash-server-pipe.380" utility
        6⤵
        Checks processor information in registry
        
        PID:2040
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 3 -isForBrowser -prefsHandle 3632 -prefMapHandle 5244 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efc09ca7-b920-41e2-afcc-8c360cca992d} 380 "\\.\pipe\gecko-crash-server-pipe.380" tab
        6⤵
        
        PID:2476
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5516 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a3c6c2c-45e4-49f0-b6e4-4f612d7ef872} 380 "\\.\pipe\gecko-crash-server-pipe.380" tab
        6⤵
        
        PID:1484
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 5 -isForBrowser -prefsHandle 5956 -prefMapHandle 5952 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59f3c19c-9634-467d-b4c8-316f31d21a9e} 380 "\\.\pipe\gecko-crash-server-pipe.380" tab
        6⤵
        
        PID:1964
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6200 -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 6180 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8ed49e4-2425-4c37-a713-02b0297fe959} 380 "\\.\pipe\gecko-crash-server-pipe.380" tab
        6⤵
        
        PID:4512
- - C:\Users\Admin\1000037002\aa9a0b8129.exe
    "C:\Users\Admin\1000037002\aa9a0b8129.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 2320
      4⤵
      Program crash
      PID:3560
- - C:\Users\Admin\AppData\Local\Temp\1000038001\e320a0a595.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\e320a0a595.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4028

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4184 -ip 4184
1⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AFCBKFHJJJKKFHIDAAKF

Filesize
11KB

MD5
354a22089f686f0c7d7d582163b8e231

SHA1
1f2429e54053fa1c12fee3d432b44760962afdfc

SHA256
5b07b33dc100a4712b0d624f934969fdff93f8f58f1eb9a78da580b0da374477

SHA512
8882b59841336a649ba41db7155af680a70828e6293369a7138ece8da1a2e21abf322c26d4edaf938e70deab0b2c9f8e583b81ada67997d5ce8ce5b3a8b84786

Download Submit
C:\ProgramData\ECGDHIDA

Filesize
114KB

MD5
a33481b308bc347cac2e395b7ff3532a

SHA1
fd6a52ce42334a2286d8e1807619afc12593111f

SHA256
6909d34d9fbe1e8b19456853f3080f897d7e40bc84db970413fd3083073c83aa

SHA512
a19ea96ac4f90f11162724c73cfe51bbe49e675d0677e25273a910db7edddeb3768291ecd6d19326afdbb181219cdf04661f3ad261c8230e487c13f45603bf83

Download Submit
C:\ProgramData\KFCFIEHC

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\freebl3.dll

Filesize
88KB

MD5
090904823bd5bf4ad45d0d8a1e7939ea

SHA1
a38d514765293ab572278d1582e7662d780f1861

SHA256
bf210ad2f98c8e69e4694882590272042f6674cce73b7b0ca9dff0b485c2c58e

SHA512
35b05b1c574284ce6aba1f9fb18a73e065b78a51f073dbe95f9bfbc330f3b1a9b7f85d0a6eb13635842ef07cdc9beee7bb3930762114ee3c9c42dbfd68362b47

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
93KB

MD5
915b693b06e755d222e1329b417c9dbd

SHA1
7115c319850d3c649a9f382b2ac4c8b26bc8be4c

SHA256
65a7cfdc0dd8ca4179c30606c322862e6e78ed66860961e8457ae71f6d82ba7f

SHA512
b81710e1c6f577b6003cc4400307659c81953ccd7d6c7c41f8b76fc2abed1efd3c4b2154e16ddc7bbefa3a474f9e5b4ce665cb1e0d394c9a6389b5300b62b1fe

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
96KB

MD5
a49290246a286edc65ad6dbc43c097b1

SHA1
cd77c111037ffff0b4b6d3407842f8d7d868a621

SHA256
f84c1009f092235777c6484ff52e82f9ce4aa80b0bc5258426d94a84608e287c

SHA512
440de7a7b0dc6231a50b2fc6f7b3183a5569183368dd734dd26f1397b86face0f7085c8c80bfcb87262eccedbcea31911273a239bb6e883d859e900908a237e6

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
99KB

MD5
6bbd0c755101635ee77db7f161317b90

SHA1
74311d109338164be12bf84082636426b8f10588

SHA256
bcfd4ce464e5905bdfb996444626ce7aad27cf5385200b56ca1a9ede928aa8d2

SHA512
1b83181914cc963cabe5c4bb328ed1489391aab55c1cfb88fd6624be3bf76f1ae8dcc022dc0fc71d829462bc32bfa59345f8c4899f1d0f648d33ada933deff4d

Download Submit
C:\ProgramData\softokn3.dll

Filesize
111KB

MD5
0fa868f42ab6545d539339df120df59d

SHA1
4ee31a71f4b4ab7c9146b5d028a0a1c03894897e

SHA256
7990ea7e173795c0e079c9d594c2782711ce1eb4d77babb714c3ef285fd536b8

SHA512
03cfdd5569ecdd67cbb3d0bce16005adbbf5d55a14b59c804ff43926d2ea7a84dabb562edf73cdd91a2334f96cf691eb6f9c0243dbe758219c7664ac0503a6d3

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\1000037002\aa9a0b8129.exe

Filesize
2.5MB

MD5
8414672f68be576e43bf8a493ee04eb8

SHA1
60cfef11398be4e953363690d6b19b109524d2d1

SHA256
20e2b76769ed9c3c69925487568b5eebe5d4d666377c56ab596bcb586be7b047

SHA512
b94d24b10edcdc90211e4287c83815c55bd1bcb4761f257b5a3850f8451cc15f626391f3a0aedf738c8924d5f9554e3c7f9944ee41edbaab926c238c9224ba09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
ee41eca3688ca59bdb4ba28477db043b

SHA1
8683f8ddb8b18b6840c564a18c7efa2232c44848

SHA256
27b99b3b1fdd293f2706758bcd18f86c996fc307804681fee762da80947c00c1

SHA512
aef678f095d479b5416c3e8aad2d533af68e310b7a19ff7156e5f724f91c2ab6d3d8b544cc508a66f25dfd3ef410c2edfc299f79a0b8e6a142f6b6d972f57bbe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
a7db9b23012bdc8b7013f188d4b7221d

SHA1
906ad9b1b39a495246793d7f9dff7ac4f78c5609

SHA256
6cb19d1bf5d555d5fcf847d09af33ed78806bf5d93cf93bc8ae883e38bebd4ad

SHA512
c8974560f70397cb1c4a99fda186b24d74241f8f05e0e28f9dfd83b929721dd8a0cbf3001e36a781fea0bc8bd1c21325d51db3c0ea2885f9887447f6991da912

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
541a410ec2e96f6ce14befd4312b3478

SHA1
69824f49bb7b180904632f865652429a5762c290

SHA256
a5f6a6f025bd01b1718a66406fa4db70d5e69bf275262b0fc8b658e366b0efbd

SHA512
3f2fed505a34b92c40251c2d66838e92ae0d9f8323f9a7ad3edf0103c46dffa086b5574713a92dd4f23088faedd151ed959cd70e2a609f3add39f090f03cd046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\e228930212.exe

Filesize
3.1MB

MD5
4548e4cb03ae58ca488a947836a8bf90

SHA1
6ac511a3fac0c47fd5f89c5e276fdd07f81ad394

SHA256
b8135f407697af645c6c7dde3e9414932d73c4aafdf61ef8b9a6a04251140a51

SHA512
cc1b2fbb0234729dddb796f5fe7097bcb99fd00c9ad11ce0aa0626c5a3e8154f3f06a99884bf8b6dc0eb0cc0bb938825fe2362b3870507f687bcfba07265932d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\e320a0a595.exe

Filesize
187KB

MD5
278ee1426274818874556aa18fd02e3a

SHA1
185a2761330024dec52134df2c8388c461451acb

SHA256
37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

SHA512
07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
10KB

MD5
53d284153ad86a5f4c2a4ad8303a3d3f

SHA1
33b4af3b7903aec46e37a2074cdd10210b3cd673

SHA256
81615d30100ecb2054033a6e595a94088f90157a771d86faa44b84b61dc95706

SHA512
a3508af751d7d3580ade90f73be67bd845bd030881a9b85acd3d1a43e4d828c44a6a43001135cc46d62575d090d2b738d99bd5fe36dca0c2acab439356006d03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
13KB

MD5
d0773c6bf8528091e1fd440867475e88

SHA1
e8501deadf4f3b73d08e74e15ae250fb5fb904c5

SHA256
396baa48afa909f35df800ef19d4e9feeb828e91662867ec42554996c69347ab

SHA512
44e4a5408272c61bef6fca7fa41f7d97e948c5ae3a38824f9411090bf99ab39120cd7794f352b99f1f3acb9bf7c5e2daa9b851485a2aa447b48504da04353dea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
16KB

MD5
20492fe2d91966ed3555ecf1995bfa7d

SHA1
bfb0f3c568a19bf5193789375b7ad7a327439a40

SHA256
c00d6c7fec934665b0f348aa6c2a7dac73165a0e26155eaf653cd25182ac4165

SHA512
157930f84f6c69b612905ffa30c2e0c38b9c3ae3b24901c0ab7e95a3291d98945961dbff4748a0c82c7dfaddc387eab692ee9f6f18579c4da2422c77a24b7538

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\cookies.sqlite-wal

Filesize
384KB

MD5
64e056de6bb0e9758a62fd696660a521

SHA1
d6d489b7bd6cac54f720cf6f35a62534bf9326ed

SHA256
8627c8fb547905fa881d70d2a4fe386538a5d871aeeeb74f28e8af4ad3418d74

SHA512
85ded9b093795f579971e1e0a27d0a89efa434f4fe14e708b6bcfed14d1550eea1fc6bccb119e0624f43f63ad282e40b3a20587bf28515c14eb29df98c776ed6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\cookies.sqlite-wal

Filesize
448KB

MD5
b7758c81461c9a7afb4507c34c0ae531

SHA1
b41567242d98039e12df17a660b4809ee0d3f12d

SHA256
706f964e709260262abfb57025bede11ce2d6b168f16493fe8fadb05b4819ba6

SHA512
0e902bf75bff9d1be82ea4599941c46c0e874db36d54f8a79a69635690e6ae2f29bb6f3db22086d15ab738c332a5a39eba97898b5f71f591bb1a0fc46fb7bbfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
4ef5d0a50c40e167e84f5e0ce0e86f33

SHA1
5557679b3177e9b1a415d40c01345949a61b2511

SHA256
7b82da87d7629238b3a6a2c635e52e26dcd282184564e9f0ac3cce37a9cb14f0

SHA512
99fc2d8c939c80e4fc7b7042c2b5d90f5ad600d41ee830a3bf201e436085ac693529160c076d98e5c0fd29ca531f0702489f5ad3523761a4613791f770903c80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
a5f329734ccb55fe13c3049ac86c2446

SHA1
bfb35791e3e48a75020058438af16da1e96fa81a

SHA256
3b4e2f933d8d3b4126b2b67e9bdfe53124b9bbea33f1d143269ac3692ddeb932

SHA512
bb0cba42e01d64f03efa404e129b65c2b66702b3f0f4b6257fec66757380b105896edc39b8c1f6f655fc2b560a68a6e19eb5bd3a5cb3d6d3d68c344dbf6fb7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
50fe87ed8c8ed063647401ce4c1bb622

SHA1
c899ebdf17f013cf1b00d9f84702e5b09eefaea4

SHA256
364c9c29c8803534924008171848d75cd989ab1381493ef6c3a27cf355643402

SHA512
7229f76f6b34959452510ee4060f7ebc286434e0811d5c7e7561a7d116dca7032831f1d99147a96504efa9f1323c3010e7731d69074fba6ca6e9f6d4b785f7ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
7df1e4f5bda351157627ab699207956f

SHA1
4027c9318ebbd9fa8c7830a9caa259697e0c9dce

SHA256
dc443b3d7e7f0f8a53e878cb7d99c6ee4f0dc81b172046cab31650ccddb6156f

SHA512
8504b53b614466146cd56259de7748ad2071d15352d7cda9117ed6b5a6bf520324b3684ac25a427d58b3dba6a5b2d3dd7896278a9514fbb690b0171f621282ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
ba5a19bf20f36edce24d9a6c98609068

SHA1
a0991ed7897fdf22df5fc8ad47210d66feb26044

SHA256
ab3f2bcc178dffbf5efab72cb67e63c3b5a31cb49813564dc4c9ae09b5422cf3

SHA512
71092debfaae929a8cf5fbbcd0b69cfdd33e1dc0734dae4d592c7d81a006c5c9d921b42bd06c3ee6715f7553a1809c61a48677c3a8b785caa666d3ffc71efb06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
7ad71db53d01e8ed901fb66f25ee5eb8

SHA1
06037f4a8dd1b1fef9857f925b8af9553d6dee17

SHA256
8f7216edb4c91681f2457007318dee0eeba0743dc22ce7a99cb8fe2cf5a825f4

SHA512
b65e8dee73af5987409b410a43d8706f642484ce55ec589dee8b016892fad457c82573ac9653dee043da118443c2c7f16d23543de82491224e45527ad85697e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\334d24a4-0e3c-4622-97c4-bc50d79568f1

Filesize
982B

MD5
65409d6cd7cce319b23cc47d4f271f6d

SHA1
bface50d0cfe98483636cdd36bde906b40404b2b

SHA256
2b871f5b0dc8080b7a99abfbfe9044a802ebefe76bcd7a60fddb524fbab301c3

SHA512
ff506c48e51aa5be6874fd6b2fdf31d17a563ffa691a705d52a7121ab7e570819041f675cfbcf363b6af3c2daebb20f47fc0f7fac7e24ac4c579bfe15057921b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\503a7d6c-5928-467b-af3e-d8a81a324a66

Filesize
659B

MD5
e506e0388e841edc72019f69514e34a9

SHA1
9515859c8c67a48d4fbdeb1e8ddaefe99d8d204c

SHA256
34340bc954a91db953f05dd888ebfd6546f8ef29f56ddaeb5a778beb9024df97

SHA512
26ff09358f789c97966f1eac36ee034d93a1561bf33ca81153a0b2b7be143350720535a5177a2dfdfd7851df5fdc6dcbd55904c7ae73a3d9bd7061816caaae24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\formhistory.sqlite

Filesize
256KB

MD5
97c1441748d6cc3e5a7030cda7543975

SHA1
f5598a45b101a5404126cd27fbb7f4b70861ee32

SHA256
2015b584b844b091d6a6280d45e9a589ea0feacf5f4b19bdd4cc21c60dbaaf91

SHA512
29d358ec7725038c6648251d8b9c32f3a40458e9c97926e0000ab42f0369b96d1ba5216eeb7c35800c740633dfd3b1e6e6aa73859644bdb9cdccaf2a3516bcb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\places.sqlite-wal

Filesize
1.3MB

MD5
451e6ca79307dda5b55fe75b67454f3a

SHA1
db8d42220c6a88f3970507a50e8ffd9054bf4b05

SHA256
4aeee277f69791bb26d17eb9099494bf0b85bbb48c03862625d518346214434c

SHA512
86d7ac5db57cbbeb335ceb45638c0b980dd47eddd0328dafc0844fa178da4ea617ac08658706814d14a9eff2381e5c3a043fe4ecf7470b00633fa4980fca4827

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
14KB

MD5
7b5ffbb80532a8cddf602b3d9cc6d090

SHA1
6d2fa21def3018a73f5f0e05c7559107943499e8

SHA256
3cbb7af97ecac806913b70ffabe73d847db6ae88b466a1581089145bb7fa689d

SHA512
f229fde5ba223e20b2a8ae512a7f59e0d3d7c2a941581707bfef7b0cd4abee3ad46fff0bcee36e4e7993727b8d8d7a854c7396839cccb349e65cff19eaa9c5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
eacb16fca49bd65315ec7d51529daf30

SHA1
df241b0055849275e870a89634b45227fdce70e2

SHA256
5c0bd5e0bd0b9bc4c211d46dd5ad087de3ae3b4de2c6530f822ca2cd520031de

SHA512
786aea6ad1c38be8fe17984d8372d9bd67bf74161efa8092640d6f3a4bc3ce007dc6d7bd29468acc45d7a2bb9e4dbb8a608e5c52a5534a16ac1ed0edf0251a0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
14KB

MD5
043bf6e46f9ddd357bec9fa9e5f8a57a

SHA1
aafdb889f6e60d174254efb56e3786249ca66cec

SHA256
3052e08027837d516b61f2f590186761a13032e738de1cb1bc499b83b9e82c61

SHA512
6b23c5706da902b45d649435b1a43590eb31395c9d7ff5d21dd81c5089084846fd9e50211d7a0118a7e7a80f3ca25c339af33a9b92be927b991fcb48e8090bb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
10KB

MD5
fcdd8e8a331fb2fb0897c4cfdcc43e85

SHA1
0a049975da7db4b9795b7c25eae0bc10cf86480a

SHA256
95499ae3e58f42aff4bdafd07af6e75fd1fc0566d74694b92e159527509f97c9

SHA512
4174abd504e15b43012ffb78aa0bdf1540400a2ac4583848b8b72974759513411fab9b7a6ba2528187ba5e7204e03f17f9dbe62e38e8e305846b73332d8d6ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.9MB

MD5
b4497d0678940218f21cf261233b7a14

SHA1
9654ec75d578848978c99227ee67461f7f75fca1

SHA256
272b23d11565746b8ca891e18a7101016a5ad39470c40412350ba30e91b06ef6

SHA512
dd6d066e32717c6e1f86fd16bfa15fe85ba382d3fca1673526f1e68498593f6b5a3644879a7b4e64a3a522588b9560f6d13748b3e3dfd9f8a140b018161ea105

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.8MB

MD5
d232ce8da0fb62a232c70b57b6e44859

SHA1
42e62cef6eb23a9feff5148f270a147f593584bb

SHA256
13037c6cadabdfb890f17733f96107eee32f33113aa3c71c98d8f20256cccb1c

SHA512
789558bf7078b631f0bf86f3debe6e93e09df61f5ad0caf232db015364344eba81a51ba429b5508021142ca8c45a7ca5ed2c27da5e396d195a9f3f5e9b2c8222

Download Submit
memory/1688-2724-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/1688-2725-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2320-804-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2320-805-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-2711-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-1719-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-753-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-22-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-20-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-498-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-2716-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-19-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-802-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-17-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-798-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-583-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-2718-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-2720-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-2722-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-451-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-450-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-2732-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-2734-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-400-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2628-399-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/2912-608-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-547-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2735-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2733-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-408-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-46-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-797-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2717-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-799-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2726-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-548-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2719-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2713-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2721-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-906-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/2912-2669-0x0000000000790000-0x0000000001275000-memory.dmp

Filesize
10.9MB

Download
memory/4028-414-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4028-491-0x0000000000F90000-0x00000000011D3000-memory.dmp

Filesize
2.3MB

Download
memory/4028-296-0x0000000000F90000-0x00000000011D3000-memory.dmp

Filesize
2.3MB

Download
memory/4184-63-0x0000000000400000-0x0000000000FF9000-memory.dmp

Filesize
12.0MB

Download
memory/4184-464-0x0000000000400000-0x0000000000FF9000-memory.dmp

Filesize
12.0MB

Download
memory/4184-582-0x0000000000400000-0x0000000000FF9000-memory.dmp

Filesize
12.0MB

Download
memory/4216-18-0x00000000009A0000-0x0000000000E65000-memory.dmp

Filesize
4.8MB

Download
memory/4216-2-0x00000000009A1000-0x00000000009CF000-memory.dmp

Filesize
184KB

Download
memory/4216-4-0x00000000009A0000-0x0000000000E65000-memory.dmp

Filesize
4.8MB

Download
memory/4216-1-0x0000000077776000-0x0000000077778000-memory.dmp

Filesize
8KB

Download
memory/4216-0-0x00000000009A0000-0x0000000000E65000-memory.dmp

Filesize
4.8MB

Download
memory/4216-3-0x00000000009A0000-0x0000000000E65000-memory.dmp

Filesize
4.8MB

Download
memory/4740-27-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/4740-28-0x0000000000871000-0x000000000089F000-memory.dmp

Filesize
184KB

Download
memory/4740-25-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/4740-24-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download
memory/4740-23-0x0000000000870000-0x0000000000D35000-memory.dmp

Filesize
4.8MB

Download