Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
15-06-2024 17:26
General
-
Target
https://github.com/kuzemisu791/Bandicam
Malware Config
Extracted
stealc
Extracted
vidar
https://steamcommunity.com/profiles/76561199689717899
https://t.me/copterwin
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Signatures
-
Detect Vidar Stealer 4 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/kuzemisu791/Bandicam"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/kuzemisu791/Bandicam2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.0.1278487167\1122489893" -parentBuildID 20230214051806 -prefsHandle 1796 -prefMapHandle 1792 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8871c3d-e428-40ee-97ce-de732a8878fc} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 1876 1bbd0a0b558 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.1.1149402895\746421974" -parentBuildID 20230214051806 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1abcb5f2-1deb-4995-9128-0917a6caeabc} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 2424 1bbbc78a258 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.2.428714543\1602204814" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 23028 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e1a53ce-764b-4753-ad0b-4c9f002801aa} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 3164 1bbd393f858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.3.1552788305\1241386723" -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 4000 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec86f98-e0c5-41f6-9f59-a1258e5ca648} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 4016 1bbd66aaa58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.4.694953146\430839853" -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 5220 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {175dfb30-0a27-413b-bba1-818918cfc059} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 5228 1bbd8be9b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.5.1816290850\36215158" -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b72b4b04-bccf-4b6e-9246-b5026b76a647} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 5360 1bbd8a76d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2984.6.1755948471\1646705223" -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1332 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {717cb3e7-7e78-4d48-8fca-1f3dc9dd0ce5} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" 5552 1bbd8d2d558 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\latest-x86\" -spe -an -ai#7zMap4725:82:7zEvent252961⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\latest-x86\Setup.exe"C:\Users\Admin\Downloads\latest-x86\Setup.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c md 3895463⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V "MasBathroomsCompoundInjection" Participants3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Angeles + Ancient + Phenomenon 389546\I3⤵
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pif389546\Cycling.pif 389546\I3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pif" & rd /s /q "C:\ProgramData\HJDBAFIECGHC" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\PING.EXEping -n 15 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\Cycling.pifFilesize
915KB
MD5b06e67f9767e5023892d9698703ad098
SHA1acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA2568498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA5127972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\389546\IFilesize
327KB
MD5babe65ed34141cf5f73a21e84c06349d
SHA16571bac8d9e020c2faf44dd312ef66b51d733ced
SHA25665807df1cb1ee39b8d544e4a4481bff18ba6cb803d0de93345c6c2733012ceec
SHA512deac1458d7cc988cc8df9943563f0944a254d1137166ea973fcc499617ac819de7105df2a7701275440bce61870d61f9752ad490e09d54e7d5a031f1f8abd67f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\AlotFilesize
59KB
MD52263067cc70e1dbaa0a4a57b2a8e7fcb
SHA101c8de2133305a974f5308b656e7fc24518f929a
SHA25622904ee52b888bd7eb7ade62c3b3c8718f2f425fe00bd2467f4af68a5138b36b
SHA512288305e0cc15e1ecf54d7154ce9a350646bd5d23134e7ddd9c8802e8a88c191a8c69526d3851d2ca2ea033eea8eb71831f4dbd246e37607ef59cca123160a3e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\AncientFilesize
85KB
MD5379bfbbb562917f48f1c3b88464bea8e
SHA1e7c124ab47a45dedb0edaf6bc4a2dcb126446dd9
SHA25626828bfdf0a00deb494bb5151f72010f4ec0006efff4530336aa7096d0b7ac97
SHA512f4bd4d53a009bf68877406daa1ba278370f38c25827b176088aef55dbb3492ba99a0f81093165211810457cc70fc7d7aca283982f07b0c2b9b8d2dbe585798fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\AngelesFilesize
194KB
MD505d31ddcaff9b3500b871cee4185b495
SHA193d4923c5083ff322524884823aeea410b1e4aa8
SHA2565ea8db4abde48b663420e066e16d2f91c45ae0203a60d4bde5c978137091c30a
SHA512590a70654041cbc3779c5ad9b194a91566c8d72df08567f58cedc06f282af93b38d06f353e90e065cd66e95f70466124fb0fba7b334c483ed8ee9992d1a74948
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\BucksFilesize
18KB
MD5169031d6f24eaba592bf2c6fe549b404
SHA182ee98c7082a38556e54fa4cf979cc611c218ea9
SHA2564dfa1177500499fc4008ff8dc7e8f1b1525efc9baae5574a8d42ed8732f63b54
SHA512f492e29103ccf76c0885e22102d3bb436fea3e82b2f1c624c413447d1017e64b32248329d7a10fee483aa9819aedd00ad9abbd50f38fa8377c33d0726bef8423
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ChadFilesize
35KB
MD51b7c6eb44770326634fddf223e06ae7d
SHA1a7370710bbf5a975c072e8429875b94fb1d4d9d8
SHA256418be1485e5b9461b7f9f2500f1d1c33b2d6453ddcc7c46833bf42fd9038d698
SHA512141fef2985fc468ea16f5e8cd48362c6904ea869960110ceeb456c0994e7e9fde8a759b9845b369b74d68eaa38ffcbebc1b620c50a644a6147fbda17016400bc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ConsecutiveFilesize
39KB
MD52c410a64dd126d7005c8bb1a4fc277ad
SHA1dfcb97b8cea5d3544f21528d3dc4652ab97bfb22
SHA256741d23db94df6edd906f6ed35e582592c47a23bfa92263a37de42851cca0c724
SHA5126e0f4a9453377ce01be8a7a78f48f13bfd83490bb3292d3d9db9f635bd2bdd690a4a019c5a3230b56ccedc4242ab1060801c7dc0981e43843cbb5b4ba606fc4a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\CruisesFilesize
38KB
MD5df5dfe5b6a0421e48a25a415c324c11b
SHA1f7acf9305f714e0010857ddf48c9ea3e3e5d5170
SHA256c099fde206d6afa36fe381eb40d80ad056a5d049da2e95ebdb066b96873c9741
SHA5127ff3f9af4205f08e5796d03af6d969527b61ec00bdd31d0afe2627d275788487549a525e10dd041f649a946d175dceb4b3ba2ca9d9a11f88ba116d05467578af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\DoubleFilesize
25KB
MD5e88293eb64ab8248601f2ee5d8ad574c
SHA14cb79b530be9e6a3ab4a45a08e8bf081482606c7
SHA2566ef532a05e1ecf4a3c9f898f8d7624d16bcd396fefae9bd828b6f3863e3b54d4
SHA51286786414372dfa2ce88c7e4948ceefc568fb3e785ec3d49fad190238de7c65c5a764b43e56e99c9b43c23ab705aedfeb256c95ac52ef654e712850741c16ecbc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\EmotionsFilesize
21KB
MD569188ac3cd99f1c625f0db889bac02ba
SHA168759675ac80a6de2b153d1b901ce8cbca9a97d9
SHA256892a8bc72da3028f7001369f955f1663f336c68807ab70d66eb2ad233dd7cbeb
SHA5124acf21b0d3c9f4b758787ebadc65aac7f1b8bed910e241fc2d1226fdf4f6725e010252fe88cd4a420fe5d5a35acf55ec1addbba8bd3ea950fc4cc420f3d5970c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\FavouritesFilesize
30KB
MD57f0ae6287a123437680291caa6cb27e2
SHA15535de659a740d784b197317f00a3cc33cabbaee
SHA256d1b0a933ba1302745b34c999f5d2b32555d73a195cc313159aef6f111f4af46e
SHA512607e0fc745e289bc156f83bcec8cdcb387892124b1de3f7d8a36afb523b2b8e1132e78f2401c71ffaec9fefa05f23e4c15275748717ceb3ea1d6aa2d5e2264c9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\FighterFilesize
62KB
MD599f6f630ace0d999eccb54edd426d0bf
SHA187359e3c75da0f27efafbf0152b946c446134e18
SHA256a4a8b1486887631a2eb8c670d79638a02711e6ff0e8198c95b1f39ca8a281ccb
SHA5128158bcb0c865e16c2132d4ee786f7faf7906d15291812eb400441378ece24690300a2ae95542c5e48ecfd435211be9fa41850d973161be52bcbd5e46630f5b1c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\GenreFilesize
46KB
MD5e0fe0edd98e8d5dc6206008db5a219dd
SHA1ca09cd966570766274e70bcb609baecfde867983
SHA2561ed2640a2eec933b97b205b03836bf13b4650f67ab23f7cc3c52455b62a6c4cb
SHA51230a5f2242713cd515148039ed70d7f675759baeff977e7c45d9cd2741c3e3102b86506a724b47abcd31f6d47d3717d40617ebaa84ac6c314594a4a984bdcaa9d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\HayesFilesize
55KB
MD571bd261427fbdf72899b417c38c977bf
SHA1b2eff3eb04fb8aa9c92506e998314aed1deae969
SHA2561524cf81ca46d5bcf334ab7fe5a0fc06c8d29de88e28831b57611381bc7b9996
SHA512c1d3459f36d460536ad7bf0301ef8a9c808946926b39e6592a09154baf80f81ddc185dbae6179909e930fe4b27c5b12020914f6bcf71db92bf4573b61aaa5545
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\InstancesFilesize
10KB
MD5c84879bb6f191c6e0661c2a2058cebec
SHA18a8d2b2b8f96360475447d2a7d47a9c339a08d38
SHA256277ca96c002e9975c25d5f21a9813a7dcc4e585e62643cd76d2c787bd9f0154b
SHA512a4b4efb19b2e9701d8eccf512185047c8e6110450d45d9dd30ce6fa7221ce146233ddc1a740decaf895eabcd154fdcb70d3810f4a3acd6b39535efbe57470ced
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\KdeFilesize
42KB
MD54ff55e1b173517e7a3714232c67aba27
SHA1b85a132ce34a7f9c9583a4bbecbc668bbf68ef80
SHA25685e6dcbcf863bd85bc1de8fe888c531bc2432629097876a1c9c56dca05f1b41f
SHA512fec8be986ec5a445d021891222192d362207577e5b67290df3a499838eee4b9b5128cfc5223035a18ca9fdab669d28aca5fbecf3c7a6e7e6cf7493fa9484a389
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\LdFilesize
10KB
MD5196c44643861d00545bdfbd7814dab39
SHA131f2c9e373882787ee917dcc9a2c66afcf516db7
SHA2563b9db2986d5abe357587c91996c61fef6300d86b06ae93185652d11f6d785c34
SHA51203a873eda79f429517a47ce84a30b179cadba102e0b6a49423c851159d978fde0beee9cb31ac68d7ddf4a21b07a74bb57eb78cae661fde385e09f80fab891a3f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\OldFilesize
55KB
MD5d7be099bae3b2243941057b48b091c00
SHA1c3bf3cf0716a87a2bb34aa1d1a498be867be3bae
SHA2568afd0803ab97c78f1e57240725b202493210e6590f1736910621d73a48fd461e
SHA512fd51583cae94ab7f39ea0001faf43c84bc119ddc100794181ff6c0cb222f76cdb5b0bd320ec918aa89ee38f0e3f6d1975fa06bd0a62c5a45d3ce5a110685d56f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ParticipantsFilesize
227B
MD582a38745ff9cefa0859b47b8bd69f535
SHA16f97750b298ed3f3910e5aa4044b91e7409db9d2
SHA25692f1df88e0467d0284f1de3e6d30bcf41b0ed56e055719872754627a2b4bb470
SHA512d22a5ddfacf8c00cde7c3fa27612ca386ae68f79b9c93b52d40be33d584eaf3c18b100da9ad6ba4efacef1cba4fa5d1665e4c3004454f0eb41c3051b98c60569
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\PhenomenonFilesize
48KB
MD5b32330c50f312bccc185650c3b7c6b69
SHA15a26c0bb1bcc56fefa03f964f96e4d22806e9062
SHA256b58e65919f7e1f7e1bc9389775546473f91162a539f6954caf89beeef6535d51
SHA512d571f3b1690628fde595a128fdf0acda8df9a452cf83cd5586962cf04a89ad0409d5efc5da7946391b28dcd9eb180294195db4e5bf9bed862db07934ede66978
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\PortraitFilesize
40KB
MD5d32f5a642703f9de4203fe03ff99444e
SHA11402f204d957ea840fed0b7a9fe2cde550838efc
SHA256f30741289eec81c0bedd3833e3fddcce7c55ab7bb515aadba853b0f64c92b75f
SHA512673c4a11a7c77f277dc320d09c00d44bfcf0e24e1a8a47f566250bcc6f7cd58a59c8e4ee0dfb101cb6c09f062951d9f6853168df75f9a3ace416e8d619d9fe96
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\QueFilesize
28KB
MD5d9d16c848154f20853faf4599f32865a
SHA1ebe0d941af4e7923b7bdba2a488530459089522b
SHA2567b5a4d134252047a49d9f45b2c94593eb01e9be75a5af8f26db7eac6cc84ba41
SHA51223e205741a8391197fc25083741328af0a274425bff5d1defb5d5d0d41f994edf6e880cffb1b57243ba0fa06f4515a21477f98daa5ddfb9eff870dcda8e5cbc4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\RaceFilesize
20KB
MD5df7307d02f71ebdb3919ac12fc622327
SHA1390ad98fa3a2b897b1a4eb10793e8a209a0132c3
SHA256dab5df5b32f1793ca245121b64b5df054945e8d1db26d144c00259e9393a7ddd
SHA512004deb72899edee10c25370954430007cc8b349294a566563fb6ec39b864a13cf2af5d460e1bfe21cd4def3c1b2309cbf472977d9e35db9830c53c3f5146c297
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ReferringFilesize
55KB
MD56c9db7026814dfc28550b4240ec184ba
SHA1398a75ace24d683836f0ca18a637991f89655ebe
SHA256e78c9ed0b98d8bbf333ce827206fe92ccc83f0a922fc85e3587fa9b212be0b09
SHA5122893fb7ce3e4ee0f3ea9361b2d9e907a265281cbfaa13552c54c88e3a453792e979d4c9907c10ee92a81bedef931474c5cbf3891970549a18e4d074390ef61aa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\RichmondFilesize
28KB
MD5b252ec42745814254c189355ff869ea3
SHA161df27702779e73a410dc952c6ac4dff2de6815d
SHA256be397d303eb61155e30516038e8693e9f73fb5706b5bccd2a7081e84d05e2af9
SHA512786ef34fd0b648f2f5a610a01640604c91b559a49765bd3803aead7aa1db8758364cdc9465fdd7bd022e864c01ea32481b14259fa9d001c32a0e3d91bbf7a9c8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\SeekFilesize
30KB
MD54facdde04a7bffe2209d9bd9fb94631f
SHA1b01c2f8c543d49091dd7e33d2e6dba2e802d3f5b
SHA256ff0dc2ee0664e496a8fbc378a5c0c8459fb792af08748d698788ab5f8f536db0
SHA51284eb023feaaa363d37deb5c234ec9fbb47913f11cb607503235233e44a7b3cc2c67911cb34d61ce342d4bf2e06f9ccf191dd65d9a7bdadbdb173a835629ca244
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\SmtpFilesize
25KB
MD5ce280a16fef13a2bcf02f5f535ddd8e1
SHA14a5a4127efeaee15f2334989fa44e285e40872ca
SHA256f22cea8cbbc1d159736eb46e0863a1b2ecdc345988280cdd689c1ccfb8c8e3a0
SHA512052d6286d0e7f5d01fb58a3a6e65450980b37172e569c91239f2e0f46b7199838a4f64209f90b9f671be9c574411c50123bbe9350fc49bd18863a5087d7a4e63
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\StudiosFilesize
19KB
MD581f9103329f1d1987bc8acabf4479213
SHA19f6cd4c95d8832cad521141cd9b855b392257e01
SHA256afd8f25d62dbe8d415e349d3eefe69148f45f23380fbf6589112aa9b761f6552
SHA512e7b53e546f4c24d8d7917515a71f02c117a8082aff35954b761caa011c3a71c775dc618b35cbc1b2c6a7d379a9f8ade59aae17a298ecdc3535d758102bee048d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\TagsFilesize
67KB
MD58bf1c767ee20182c10c754b4b0cee496
SHA19d2e97d270846e6b8a0b371313928c894cafa0cc
SHA256be3945010b4e40b7684c41739b18fbc638e00b5e0fe7e1ac73a4786e949b60c9
SHA5127eff4d9150a899d8fc21b41c0e66d2b5d448055a7600cc414a69332c2cafde3973a6aeca91c569eabed2b489f8c26b5560792ed1941284a82a7bfe372a40fdc4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\TokyoFilesize
38KB
MD5d6a17dab5e811d782e263a629d69466f
SHA1dc3469f41ce8b71fe4ada357bfaa07dc9c9bd463
SHA256e5d23cd1f82c5a8c3074dfec1595228581288957cd2d33c0087fb70f4376f10c
SHA512094e2cf79fdc3497caa9cadc66b59bf9a0c3ce420e519e79b11f28c2d37ed21db35e138f998ae16ddead8b558aecb9cc1c102a72f2bcde4c111c571fc1c6235b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\ViolenceFilesize
41KB
MD55e5fa7a1a85689440ef2feb8b7ce8d71
SHA1b8a7e25ce423171c5abce09d385deea95e4d0206
SHA256d735a47e18a38017f1601ae2f432f177d635211bacbbcab9ed8e9c3632c47bd6
SHA512c5d29400a1e7602f906e59384c63783978688675f4f72cc28d512bdb442d5834edcf7f0c94af5bf63ac76393ca8ba2827f79f1cf8abacb1bcf72a61ecacf56d1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmpFilesize
23KB
MD5dc623c408a99aae8357c163c3f0c4c99
SHA1fadd0294134e88e8d036cfaafcc9f2a417e9dee6
SHA256619ce4f9c8427359a9f578dbd6c312cc80fbe31ac70b762f5d23220f93abb98c
SHA512e9c6de21972917ef6f7b279739044e5d396d0fe1e51b9f1fce3e3c6df39d9f67b2be64f93238967cd033889138dda22f4796b1e78d35959d1f6688e7ca64ced1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\activity-stream.discovery_stream.json.tmpFilesize
24KB
MD5d8bae469fc6d943946e40af1754c4743
SHA1c8169746965cb86ebaa20ebf20fd5dbeaf3aa22e
SHA25604b5beace3a7b77e667a6dd848896b8d1ff9ab7caccfe579d109f5b4bed4d03f
SHA51207386b349a01397e7ab925a91ec5860b850028f16b944ff3ed67091297c25613a024c0a5a4f7edd75f047ceb50d681c519f3b6512f28c287e6611d3687b53345
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263Filesize
13KB
MD5ee083181bc86caeac2755c75ff7c43c9
SHA155061b83637c57a447475c59152ecddc8e30b8d4
SHA2566d69a492a31679b60335c4eed9c98a3e00540d9291a173b17a5a3249c20380fc
SHA5129d9c00fce93ad132ab403298922f7f31886889d44e8fbb3bd02d1e1fba93243b26cb65fd22a8ef5abd9cf5d00591ac7c2e95aa8037713757ca5912239c2dcdc6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bov3gdb6.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308Filesize
9KB
MD55d02838b5c37ccfd6e1280ef0b6eca52
SHA1e36c96804f7d2ab477dfc6c52c51395a5ff77fcc
SHA2567898b97940ca8e7014537e3f560898a5f40a9e0e91defe8643edc9900b04a072
SHA512bac111dbde3be11b56f32ce982f1ce6678f98355a243cb28520b4350736720b037913d404b7683f60d42030ad4077ad7ed38ab3f66dae0a45656f28ae7fc15c7
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs-1.jsFilesize
10KB
MD58f68770e15dffdcbbc9edff0043d5329
SHA19ef061981bfc7a57394e154ef397c0414b4d9e16
SHA2567f8d928917a54f39206cf288d097d3c6953196ac155aae1f5d3934ad3e583362
SHA51207b2b3a6f600fe438a72d316b089a085bfcb3c09c04aaa4218e1513de49ce045a871da2d295eef8e3b53d07851324a5671d8b6e0e2fda5b4a0c06552583dfda5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs-1.jsFilesize
6KB
MD5b591f97641f37721f3c434d66308c27c
SHA15c2ff3efd3c4820848062846c87c4becdb07da4b
SHA256926e5b8b874434516fb868b8dba7dfb6647fb7091f01277d2ec7d5e96b3b9fb6
SHA51299f303aa35b09d86a716d095c29b49a9ccceb668673c54a763374365e05c09ba6f65dccdadee1c23fc1a7f98eabe15bda506cee7884934ef4e61eedf88e511d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs.jsFilesize
6KB
MD5aae835825d561cf8085b44b12dd637a8
SHA13635809741405da8c9e044852154256c736c6324
SHA2564cac7a5a0e7e4ce64cb81c2df22814d7313c8b27c5c98709d68efc0792750032
SHA512b00b0c74a875efe066c1f716ffa8da1b47bf31a2d33452dbaf7701f43f9120d237797b38158bcd14eefbf3b1342c86e0020dba43104444127bff6f07cbd354a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\prefs.jsFilesize
8KB
MD56821333db87431e7f61f46d4606552c6
SHA1c79bdc9511c2a03299e9e6db438a2a038a4a5aae
SHA2564101563c3827cd64cbe6f100ec3eeda2f993be4b92c9acb9db9bddc774a4d935
SHA512ccf58c28503aa429df37ec061a29450f064e317257c6bd9219babeb27d1b596b7b54b8d6f1f7829855ad8791cbf886b30e5868796b39a4224ccb7f1b66d35f35
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD53ac9ed0728ca76f3ca5e74c7a869ac38
SHA1aeb0a34da438e47b939ebd4a76a87d73cd4dfc03
SHA2560e296484b1aceb532c53d2055f267c1d6c495c4b751f9c0072ad9bae71ad7a96
SHA5126a4d505bc67ffe43ae25d4f79cd6c0542c092c56e5d6fc52cd9a500ebd79b2fe7fa85d76ee127246d3ad503da9b40a4dd58ab5e04d5bbd45bb2de2ca78c022ca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD59f502eb464b01397adfc44b56ad981ca
SHA13729abcb54f8455f0f17c30135e410d992744071
SHA2568783a68765a1501f0ad7b64be42fb05d9d184cf574bcf736faf37ca16474bca2
SHA512966022ffb4092b37aa0e713885ca2334a632e94b2a9813e70e7606514c7d0115eccf88819e87ff33cd26e683fcd550783b944a5536c4d8a9038a27b58116300a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD534c7216b6fbc34b575adf902217e4063
SHA1a33c8ec5f25d00728ce05cd22c82506585664f74
SHA256ee548527e8a69292c5f88105f9e26c6311ed215e3a3045b21163b26bd3d2faa3
SHA5124ef68bf6dcb6bfc60671dd9e62494ac9bd63672baf7c4f625992534d1c846c7671f0f445d53f1c4b59fdf6ca5725fc4e89734b693cb38c0f7ea1145556753e6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bov3gdb6.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD5096c9a2ecb5b91e54e1bdda806a8db06
SHA198a76dba4c7b31c3fbb496dff2741258b0e8da65
SHA256bd82544549a0ab8c56c355e4af1bccee02b2e64610867ea65cd9ccc5de65bb01
SHA5125dfd4d24b0ec87e51ae9b63a7446313111e1b59c1cddbc4305a4674fc6163256aa242bc0cd219e5150db9f855a46e68a9c8b60607f1ee63d176cb2ad0a48bd44
-
C:\Users\Admin\Downloads\latest-x86.DGRND2Gd.zip.partFilesize
44KB
MD53c6bc8a4b0297c745ce59b32b3d9b713
SHA102c0f23bf1c45be209e635d3b99eb8da148841cf
SHA2568ecfd9b331700af0dd858625393a39549519124461431da1673eb4bdaf0ab698
SHA51263ba703b5fe3ae0e6fed3524c570b3e4c59372097d538b9fa8ce18adc40152972f8303298e3b1c72e8643a71b9f83834cead6ead4aecf1985b6b470b2201fcde
-
C:\Users\Admin\Downloads\latest-x86.zipFilesize
812KB
MD5830d7ff79ed80bc302a1fa5f71ecfc39
SHA19052818e24b63c242ddcfad6915fd59ac3807736
SHA256fe712bfa657a3d9d6928612053fc6073dad2caa0ec80efe71036aa421ad2d472
SHA51274cda0961b375ee6734813440b06bb96c29dc503d880f58b866bc5fb5719b0207e907e5e1dd401c1dbcee9f18d93941d89c674639b6e3e94b48b1a164e5eb1ed
-
C:\Users\Admin\Downloads\latest-x86\Setup.exeFilesize
831KB
MD5adabbcf799bdc6a5cd8b5fa95d3ddd66
SHA11000c59009164735c7528c015ddb5f4f27eec798
SHA2560ca333d46ad10eb06eafb84b422b48f3426a0feb360699819742eb74a391f110
SHA5126bfae8dfc14cedc6b8616e4fbe2efb979e7525a5ad0414f5f16fd375376711426377b464a84e5751d924546b553aca345c52266a6113a50d18c5e5cf246da35b
-
memory/2076-2808-0x0000000004A50000-0x0000000004C96000-memory.dmpFilesize
2.3MB
-
memory/2076-2809-0x0000000004A50000-0x0000000004C96000-memory.dmpFilesize
2.3MB
-
memory/2076-2810-0x0000000004A50000-0x0000000004C96000-memory.dmpFilesize
2.3MB
-
memory/2076-2811-0x0000000004A50000-0x0000000004C96000-memory.dmpFilesize
2.3MB
-
memory/2076-2812-0x0000000004A50000-0x0000000004C96000-memory.dmpFilesize
2.3MB
-
memory/2076-2815-0x0000000004A50000-0x0000000004C96000-memory.dmpFilesize
2.3MB
-
memory/2076-2814-0x0000000004A50000-0x0000000004C96000-memory.dmpFilesize
2.3MB