Malware Analysis Report

2024-08-06 12:51

Sample ID 240629-s9an7szhph
Target Alternate.exe
SHA256 5a03ae732691c3356330a366f05d915913071c0c7e7b3eab9f6c3583a2e292be
Tags
agenttesla stealerium collection keylogger persistence privilege_escalation spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a03ae732691c3356330a366f05d915913071c0c7e7b3eab9f6c3583a2e292be

Threat Level: Known bad

The file Alternate.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla stealerium collection keylogger persistence privilege_escalation spyware stealer trojan

Stealerium

AgentTesla

AgentTesla payload

Sets service image path in registry

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Program crash

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Checks processor information in registry

outlook_win_path

outlook_office_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-29 15:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 15:48

Reported

2024-06-29 15:52

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alternate.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Stealerium

stealer stealerium

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XnCvNdsKmtwcIQmlCyxeS\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\XnCvNdsKmtwcIQmlCyxeS" C:\Windows\IME\carttel.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\IME\carttel.exe N/A
N/A N/A C:\Windows\extra.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\extra.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\extra.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\extra.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IME\carttel.exe C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A
File created C:\Windows\IME\null.sys C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A
File created C:\Windows\extra.exe C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A
File opened for modification C:\Windows\extra.exe C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A
File opened for modification C:\Windows\ C:\Windows\extra.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\extra.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Windows\extra.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\extra.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\extra.exe N/A
N/A N/A C:\Windows\extra.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\IME\carttel.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\IME\carttel.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\extra.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\IME\carttel.exe
PID 1232 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\IME\carttel.exe
PID 1232 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\SysWOW64\cmd.exe
PID 3392 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3392 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3392 wrote to memory of 3544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 396 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 396 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 396 wrote to memory of 3276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2144 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2144 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2144 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1232 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\extra.exe
PID 1232 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\extra.exe
PID 1232 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Alternate.exe C:\Windows\extra.exe
PID 4456 wrote to memory of 2216 N/A C:\Windows\extra.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 2216 N/A C:\Windows\extra.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 2216 N/A C:\Windows\extra.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2216 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2216 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2216 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2216 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2216 wrote to memory of 3712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2216 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2216 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2216 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4456 wrote to memory of 4988 N/A C:\Windows\extra.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 4988 N/A C:\Windows\extra.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 4988 N/A C:\Windows\extra.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4988 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4988 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\extra.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\extra.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Alternate.exe

"C:\Users\Admin\AppData\Local\Temp\Alternate.exe"

C:\Windows\IME\carttel.exe

"C:\Windows\IME\carttel.exe" C:\Windows\IME\null.sys

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /F /IM WmiPrvSE.exe /T

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /F /IM WmiPrvSE.exe /T

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /F /IM WmiPrvSE.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM WmiPrvSE.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM WmiPrvSE.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM WmiPrvSE.exe /T

C:\Windows\extra.exe

"C:\Windows\extra.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4456 -ip 4456

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 2824

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 licenseauth.host udp
GB 109.70.148.32:443 licenseauth.host tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 32.148.70.109.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 109.70.148.32:443 licenseauth.host tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
GB 109.70.148.32:443 licenseauth.host tcp
US 8.8.8.8:53 nameit.cdn.zerocdn.com udp
RU 176.58.48.48:80 nameit.cdn.zerocdn.com tcp
US 8.8.8.8:53 nameit.broadway.zerocdn.com udp
US 8.8.8.8:53 48.48.58.176.in-addr.arpa udp
US 185.190.188.207:80 nameit.broadway.zerocdn.com tcp
US 8.8.8.8:53 207.188.190.185.in-addr.arpa udp
US 8.8.8.8:53 sodaisbetter.cdn.zerocdn.com udp
RU 176.58.48.48:80 sodaisbetter.cdn.zerocdn.com tcp
US 8.8.8.8:53 sodaisbetter.parthenon.zerocdn.com udp
US 185.190.188.199:80 sodaisbetter.parthenon.zerocdn.com tcp
US 8.8.8.8:53 199.188.190.185.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/1232-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

memory/1232-1-0x0000000000720000-0x000000000094A000-memory.dmp

memory/1232-2-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1232-3-0x00000000053F0000-0x00000000054FA000-memory.dmp

memory/1232-5-0x0000000005500000-0x0000000005592000-memory.dmp

memory/1232-4-0x0000000005AB0000-0x0000000006054000-memory.dmp

memory/1232-6-0x0000000005600000-0x000000000560A000-memory.dmp

memory/1232-7-0x0000000005790000-0x00000000059A2000-memory.dmp

memory/1232-8-0x0000000008AA0000-0x0000000008AB2000-memory.dmp

memory/1232-9-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1232-10-0x00000000093D0000-0x000000000940C000-memory.dmp

memory/1232-11-0x00000000744AE000-0x00000000744AF000-memory.dmp

memory/1232-12-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1232-13-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1232-14-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1232-15-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1232-16-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/1232-17-0x00000000744A0000-0x0000000074C50000-memory.dmp

C:\Windows\IME\carttel.exe

MD5 00047e72bb99132267a4bec3158917a2
SHA1 caf72159dba3bf2af1e6f68cbcbbab7b981a4f0e
SHA256 e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4
SHA512 7f573d3a8a68a491c45009ce1beabc8280ccf50e10048b019146e28892c8bf3e90519721682dec5a53aa2c623af952c9957da3cf5338cded801fc7dedce99dc5

C:\Windows\extra.exe

MD5 cec9d093bacf0acb4191e307b7e7d76c
SHA1 0615cbbc3988d8117864194d520f7f9e91e23ca1
SHA256 845c31efe4dc1ab7150f9b7cb4c3e84b93f37e2678d536d418ec606cb61a1ac1
SHA512 7bd3172e01f2bea35314772993a15b8cd6dc6ae0468217ab1cfba5779d05c23f2e4c83d889de7a4d1731a5706f50e0a608f3d330fbec709a8e3a4cdffa3baa7b

memory/4456-41-0x0000000000930000-0x0000000000AC2000-memory.dmp

memory/4456-42-0x00000000052F0000-0x0000000005356000-memory.dmp

memory/4456-45-0x0000000005760000-0x00000000057F2000-memory.dmp

memory/4456-46-0x00000000057F0000-0x0000000005816000-memory.dmp

memory/4456-47-0x00000000054B0000-0x00000000054B8000-memory.dmp

memory/4456-48-0x0000000006780000-0x000000000678A000-memory.dmp

memory/4456-49-0x0000000006790000-0x0000000006798000-memory.dmp

memory/4456-50-0x00000000067B0000-0x00000000067CE000-memory.dmp

C:\Users\Admin\AppData\Local\ed89a864348cc9eb0e5f8d7eb12ae2c3\Admin@RIJTOOVX_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7