Analysis

  • max time kernel
    40s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 22:39

General

  • Target

    file.exe

  • Size

    2.4MB

  • MD5

    e6a54ac6b35b2def5a7d9b9699388f26

  • SHA1

    5f8a57b2e8902523bbafc50434f3692fe1d92b74

  • SHA256

    25d515f52e58c10727895f1ee1a269998e37d3b4308e6ac6f1419186c30290a9

  • SHA512

    8cdfb2da836614148507585645613432f7dd802ac8c80b89a4b302c9dfbbc9a96decd4a2df6468843ccfebd479968058d7f184e67026cf6b1d8dd474634c87c4

  • SSDEEP

    49152:Ck2E6aD/CORxvfoSmBXE6G7VrBfqFuUvo4NVJaeqeuf+z:CfSCO7NmB3GVBfqFxQYTqeuf+z

Malware Config

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain
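The two extracted configs give four network IoCs: the Stealc gate (host 85.28.47.30, path /920475a59bac849d.php) and the Amadey C2 (host 77.91.77.82, path /Hun4Ko/index.php). The script below is an added example and not part of the sandbox report: it turns those values into a matcher and runs it over constructed proxy log lines. The log layout, the timestamps and the client addresses are assumptions; only the hosts and paths come from the report. A path-only hit is reported separately from a host hit, because the same gate path can be served from a different host in another build of the same family.

```python
import re
from urllib.parse import urlsplit

# Network IoCs exactly as extracted on this page.
CONFIG_IOCS = {
    "stealc": {"c2": "http://85.28.47.30", "paths": ["/920475a59bac849d.php"]},
    "amadey": {"c2": "http://77.91.77.82", "paths": ["/Hun4Ko/index.php"]},
}

HOST_TO_FAMILY = {urlsplit(v["c2"]).hostname: k for k, v in CONFIG_IOCS.items()}
PATH_TO_FAMILY = {p: k for k, v in CONFIG_IOCS.items() for p in v["paths"]}

# Assumed proxy log layout (constructed for this example, not a real product format):
# "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(line):
    """Return a finding for one log line, or None when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    reasons, family = [], None
    # A host hit is the strong signal; the port is ignored on purpose because
    # the extracted config carries none.
    if url.hostname in HOST_TO_FAMILY:
        reasons.append("c2-host")
        family = HOST_TO_FAMILY[url.hostname]
    # A path-only hit is kept as a weaker, separate reason: the same gate path
    # may be served from another host in a different build.
    if url.path in PATH_TO_FAMILY:
        reasons.append("c2-path")
        family = family or PATH_TO_FAMILY[url.path]
    if not reasons:
        return None
    return {
        "client": m["client"],
        "method": m["method"],
        "host": url.hostname,
        "path": url.path,
        "family": family,
        "reasons": reasons,
    }


def scan(lines):
    """Run classify() over log lines and keep only the hits, in input order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample traffic: only the C2 hosts and paths come from the report;
# the timestamps and client addresses are made up.
SAMPLE_LOG = [
    "2024-07-08T22:40:01Z 10.0.0.15 POST http://85.28.47.30/920475a59bac849d.php 200",
    "2024-07-08T22:40:03Z 10.0.0.15 GET https://www.youtube.com/account 200",
    "2024-07-08T22:40:09Z 10.0.0.15 POST http://77.91.77.82/Hun4Ko/index.php 200",
    "2024-07-08T22:41:30Z 10.0.0.22 POST http://203.0.113.9/Hun4Ko/index.php 200",
    "2024-07-08T22:41:31Z 10.0.0.22 GET http://77.91.77.82:8080/files/payload.exe 404",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["client"]} -> {hit["host"]}{hit["path"]} '
              f'[{hit["family"]}: {", ".join(hit["reasons"])}]')
```

Run against the constructed lines, the first and third hit on both host and path, the fourth on the Amadey path alone (a different host), and the fifth on the Amadey host alone (a different path and port); the YouTube request is ignored.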

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  • Downloads MZ/PE file
  • Checks BIOS information in registry (2 TTPs, 4 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (3 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 2 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (6 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (38 IoCs)
  • Suspicious use of FindShellTrayWindow (39 IoCs)
  • Suspicious use of SendNotifyMessage (35 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
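Several of the signatures above (VirtualBox ACPI values, BIOS information, Wine keys, processor information, the Uninstall key) are inferred from which registry keys a process opens, and the anti-VM verdict comes from seeing more than one such fingerprinting check from the same process. The script below is an added example, not part of the report and not the sandbox's own signature engine: it applies that idea to a constructed registry-access trace modelled on the HDBGDHDAEC.exe (pid 2304) and chrome.exe (pid 604) entries. The key paths are the ones these checks commonly use and are an assumption, since the report lists signature names, not the keys that triggered them; the trace layout and API names are likewise assumed.

```python
import re
from collections import defaultdict

# Signature name (as on this page) -> pattern over a normalised registry path.
# The key paths are the ones these checks commonly use; they are an assumption,
# since the report lists signature names, not the keys that triggered them.
RULES = {
    "Identifies VirtualBox via ACPI registry values": re.compile(
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "Checks BIOS information in registry": re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?\\"
        r"(SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName)$", re.I),
    "Identifies Wine through registry keys": re.compile(
        r"^HK(LM|CU)\\Software\\Wine(\\|$)", re.I),
    "Checks processor information in registry": re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.I),
    "Checks installed software on the system": re.compile(
        r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I),
}

# Signatures that, taken together, indicate environment fingerprinting.
ANTI_ANALYSIS = {
    "Identifies VirtualBox via ACPI registry values",
    "Checks BIOS information in registry",
    "Identifies Wine through registry keys",
    "Checks processor information in registry",
}

HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR",
}

# Assumed trace layout (constructed): "<pid> <api> <key-or-value-path>"
TRACE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s+(?P<path>\S.*)$")


def normalise(path):
    """Collapse long hive names to their short form so one pattern covers both."""
    hive, _, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest


def evaluate(trace_lines, threshold=2):
    """Per pid: which signatures fired on which paths, plus an anti-VM verdict.

    One category alone (a browser reading CPU speed, say) is normal; two or
    more distinct fingerprinting categories from one process is the signal.
    """
    per_pid = defaultdict(lambda: defaultdict(list))
    for line in trace_lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        path = normalise(m["path"])
        for name, rx in RULES.items():
            if rx.search(path):
                per_pid[int(m["pid"])][name].append(path)
    return {
        pid: {
            "signatures": dict(sigs),
            "likely_anti_vm": len(ANTI_ANALYSIS & set(sigs)) >= threshold,
        }
        for pid, sigs in per_pid.items()
    }


# Constructed trace modelled on the HDBGDHDAEC.exe (pid 2304) and chrome.exe
# (pid 604) entries in the process tree; the API names and paths are assumed.
SAMPLE_TRACE = [
    r"2304 RegOpenKeyExW HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"2304 RegOpenKeyExW HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__",
    r"2304 RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"2304 RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"2304 RegOpenKeyExW HKEY_CURRENT_USER\Software\Wine",
    r"2304 RegOpenKeyExW HKEY_LOCAL_MACHINE\Software\Wine",
    r"2304 RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"2304 RegOpenKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"604 RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz",
    r"604 RegOpenKeyExW HKEY_CURRENT_USER\Software\Google\Chrome",
]

if __name__ == "__main__":
    for pid, result in evaluate(SAMPLE_TRACE).items():
        verdict = "likely anti-VM" if result["likely_anti_vm"] else "no verdict"
        print(pid, verdict, sorted(result["signatures"]))
```

On the constructed trace, pid 2304 trips all five signatures and four fingerprinting categories, so it gets the anti-VM verdict; pid 604 reads processor information only, which on its own is not enough, and the threshold is what keeps a browser or an installer from being flagged for a single lookup.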

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDBGDHDAEC.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Users\Admin\AppData\Local\Temp\HDBGDHDAEC.exe
        "C:\Users\Admin\AppData\Local\Temp\HDBGDHDAEC.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Users\Admin\AppData\Local\Temp\1000006001\6947751fab.exe
            "C:\Users\Admin\AppData\Local\Temp\1000006001\6947751fab.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:892
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\b2b2057fdb.cmd" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1252
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:604
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70f9758,0x7fef70f9768,0x7fef70f9778
                7⤵
                PID:2204
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1236,i,13347045379031310603,12263693337493860332,131072 /prefetch:2
                7⤵
                PID:2800
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1236,i,13347045379031310603,12263693337493860332,131072 /prefetch:8
                7⤵
                PID:2440
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1236,i,13347045379031310603,12263693337493860332,131072 /prefetch:8
                7⤵
                PID:2424
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1236,i,13347045379031310603,12263693337493860332,131072 /prefetch:1
                7⤵
                PID:2212
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2128 --field-trial-handle=1236,i,13347045379031310603,12263693337493860332,131072 /prefetch:1
                7⤵
                PID:1156
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2964 --field-trial-handle=1236,i,13347045379031310603,12263693337493860332,131072 /prefetch:1
                7⤵
                PID:2160
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1336 --field-trial-handle=1236,i,13347045379031310603,12263693337493860332,131072 /prefetch:2
                7⤵
                PID:3240
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2400
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                7⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:348
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="348.0.1085503786\1436439043" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1252 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1694924-af77-466c-8a1a-2ef1b020ce66} 348 "\\.\pipe\gecko-crash-server-pipe.348" 1364 10df4758 gpu
                  8⤵
                  PID:2724
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="348.1.1824539017\1780373882" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e57a496-db0a-476c-b4d9-021d2e8cf1c9} 348 "\\.\pipe\gecko-crash-server-pipe.348" 1552 d72b58 socket
                  8⤵
                  PID:2352
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="348.2.932757619\1968675829" -childID 1 -isForBrowser -prefsHandle 2072 -prefMapHandle 2088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {566e5350-820e-4546-8ec8-8e16977395bd} 348 "\\.\pipe\gecko-crash-server-pipe.348" 1992 19292258 tab
                  8⤵
                  PID:980
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="348.3.1509931443\1801195859" -childID 2 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ebd0a42-921a-439c-bf8f-25a89697453e} 348 "\\.\pipe\gecko-crash-server-pipe.348" 2940 1b7d2858 tab
                  8⤵
                  PID:1760
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="348.4.1914133553\752150709" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3688 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75fafb6d-f59f-4521-bf97-370d4439717c} 348 "\\.\pipe\gecko-crash-server-pipe.348" 3704 1e9a7558 tab
                  8⤵
                  PID:3832
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="348.5.734550478\2065042580" -childID 4 -isForBrowser -prefsHandle 3820 -prefMapHandle 3824 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce1f19d-caae-4f82-b192-2f8d4051dc42} 348 "\\.\pipe\gecko-crash-server-pipe.348" 3812 1e9aa558 tab
                  8⤵
                  PID:3844
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="348.6.325275887\207120243" -childID 5 -isForBrowser -prefsHandle 3976 -prefMapHandle 3980 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be65846-3108-461b-a31f-4ec8a294d6f1} 348 "\\.\pipe\gecko-crash-server-pipe.348" 3964 1e9a7b58 tab
                  8⤵
                  PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe"
      2⤵
      PID:2568
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:2220
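The tree shows the delivery chain in full: file.exe uses cmd.exe /c start to launch a dropped executable from %TEMP%, that executable installs Amadey as ad40971b6b\explorti.exe under %TEMP% (matching the install_dir and install_file in the extracted config), and the bot then runs downloaded payloads from numbered subdirectories (1000006001, 1000008021), one of which is a .cmd that opens Chrome and Firefox on a URL. Note also that 1000006001\6947751fab.exe carries exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted file.exe (see Downloads), so the bot re-ran the original sample. The script below is an added example and not from the report: it encodes those chain features as rules over constructed process-creation events (pid, ppid, image, command line) built from this tree, with the reported PIDs. The ppid 1000 used for the two roots, the rule names, and the generalisation of the numbered staging directory to any ten-digit name are assumptions.

```python
import re
from collections import namedtuple

# One process-creation event: the fields a Sysmon-style log would carry.
Event = namedtuple("Event", "pid ppid image cmdline")

TEMP_DIR = r"\\AppData\\Local\\Temp\\"

# Seen in the tree: cmd.exe /c start "" "<something under %TEMP%>.exe"
CMD_START_TEMP = re.compile(
    r'cmd(\.exe)?"?\s+/c\s+start\s+""\s+"[^"]*' + TEMP_DIR + r'[^"]+\.exe"', re.I)

# The install_dir/install_file pair from the extracted Amadey config.
AMADEY_INSTALL = re.compile(
    re.escape(r"\AppData\Local\Temp\ad40971b6b\explorti.exe") + r"$", re.I)

# The bot ran payloads from %TEMP%\1000006001\ and %TEMP%\1000008021\;
# generalising to any ten-digit directory name is an assumption.
AMADEY_STAGING = re.compile(TEMP_DIR + r"\d{10}\\", re.I)

BROWSERS = {"chrome.exe", "firefox.exe"}  # the two launched in this run
URL_RE = re.compile(r"https?://", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def chain(event, by_pid):
    """Render the ancestry 'root > ... > event' using the ppid links we have."""
    names, seen = [], set()
    while event is not None and event.pid not in seen:
        seen.add(event.pid)
        names.append(basename(event.image))
        event = by_pid.get(event.ppid)
    return " > ".join(reversed(names))


def detect(events):
    """Apply the chain rules to every event; return findings in input order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        rules = []
        if CMD_START_TEMP.search(e.cmdline):
            rules.append("cmd-start-temp-exe")
        if AMADEY_INSTALL.search(e.image):
            rules.append("amadey-install-path")
        if AMADEY_STAGING.search(e.image) or AMADEY_STAGING.search(e.cmdline):
            rules.append("amadey-staged-payload")
        if (parent is not None
                and basename(parent.image).lower() == "cmd.exe"
                and basename(e.image).lower() in BROWSERS
                and URL_RE.search(e.cmdline)):
            rules.append("cmd-opens-browser-url")
        if rules:
            findings.append({"pid": e.pid, "image": basename(e.image),
                             "rules": rules, "chain": chain(e, by_pid)})
    return findings


# Constructed events mirroring the process tree above (pids as reported;
# ppid 1000 stands in for the parent the report does not show).
SAMPLE_EVENTS = [
    Event(2324, 1000, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    Event(2876, 2324, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDBGDHDAEC.exe"'),
    Event(2304, 2876, r"C:\Users\Admin\AppData\Local\Temp\HDBGDHDAEC.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\HDBGDHDAEC.exe"'),
    Event(2452, 2304, r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"'),
    Event(892, 2452, r"C:\Users\Admin\AppData\Local\Temp\1000006001\6947751fab.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\1000006001\6947751fab.exe"'),
    Event(1252, 2452, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\b2b2057fdb.cmd" "'),
    Event(604, 1252, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"'),
    Event(2400, 1252, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r'"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"'),
    Event(2220, 1000, r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
          r'"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"'),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f'{finding["pid"]:>5} {", ".join(finding["rules"]):<24} {finding["chain"]}')
```

Six of the nine events fire: the first cmd.exe (start of a %TEMP% executable), explorti.exe (the configured install path), 6947751fab.exe and the second cmd.exe (payloads staged in a numbered %TEMP% subdirectory), and both browsers (launched by cmd.exe with a URL). The ancestry string lets an analyst see at a glance that the browser launches descend from the original dropper, which a per-event rule alone would not show.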

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
    Filesize
    264KB
    MD5
    f50f89a0a91564d0b8a211f8921aa7de
    SHA1
    112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256
    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512
    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    3ce8ec1644c480ed45c87ee1398118a4
    SHA1
    73f880b976b3ffe753f0d7ba0dd13015d09c2e89
    SHA256
    c9d32483a88a6a5f4b2baeb34b417ceb8df7f4759fd94bc4d89788dbdfdf158a
    SHA512
    09b2860362d7134dca89ca4a4c0166b973880957ed2be496f6f3a0092c23cd2121bd76b6a252e6a9c5b849d54e5a10a2d4eec4ceef7cba4e2276be1989382077

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFf78496f.TMP
    Filesize
    6KB
    MD5
    3441420a77bd95ee3baea518bc826647
    SHA1
    2d1aefb3e3038db32d4788af4ecb6b8b6916dd33
    SHA256
    556372d9a1c2cbf4224813b780af6d951fb43edbe73fcdb89f52bc2023b32e4f
    SHA512
    0290b407cd04441e3c3daa8740ca349b5e52ec89ef433740d291f8242de1669ad841e67f14b0ea60002c33972685170aa4aa43b21a933d7502495032497d44c8

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp
    Filesize
    16B
    MD5
    18e723571b00fb1694a3bad6c78e4054
    SHA1
    afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256
    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512
    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    27KB
    MD5
    9ad04d571922a7801225bf50d7c2d8cb
    SHA1
    3dbdb7d0a6849b9e277107174425ebc5794badab
    SHA256
    f767073be6c8d883ee697855863440e04db2d2aa731f1f225bf4a9f3f4f909b9
    SHA512
    157a3437466d4459bf14e6a94e07d0dbffa324080b31f5237d442c09e64e970f04841b95d9b1bc5001a30938ca5b609b3cdb96d0fc822a11a23e36ecbc68f2da

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    26KB
    MD5
    0f68448df575f8a0e51e7f0bf96ba3a7
    SHA1
    6b81faab6f6118dbffc372e0ed43e401c5f83fc1
    SHA256
    3b8865c6927319f3da1889948fea017c85290b2c2ba982206f1ea24305d1b2f6
    SHA512
    9db1f260e2d1ae8e952da44113713a363f89dbb16350d1bc57323ad86ae8cc426f2288eeab03bad665adced08e431a68ffdf5b005983f785a0d64666ecb58455

  • C:\Users\Admin\AppData\Local\Temp\1000006001\6947751fab.exe
    Filesize
    2.4MB
    MD5
    e6a54ac6b35b2def5a7d9b9699388f26
    SHA1
    5f8a57b2e8902523bbafc50434f3692fe1d92b74
    SHA256
    25d515f52e58c10727895f1ee1a269998e37d3b4308e6ac6f1419186c30290a9
    SHA512
    8cdfb2da836614148507585645613432f7dd802ac8c80b89a4b302c9dfbbc9a96decd4a2df6468843ccfebd479968058d7f184e67026cf6b1d8dd474634c87c4

  • C:\Users\Admin\AppData\Local\Temp\1000008021\b2b2057fdb.cmd
    Filesize
    2KB
    MD5
    c1b73be75c9a5348a3e36e9ec2993f58
    SHA1
    84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
    SHA256
    a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
    SHA512
    fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize
    442KB
    MD5
    85430baed3398695717b0263807cf97c
    SHA1
    fffbee923cea216f50fce5d54219a188a5100f41
    SHA256
    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
    SHA512
    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize
    8.0MB
    MD5
    a01c5ecd6108350ae23d2cddf0e77c17
    SHA1
    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
    SHA256
    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
    SHA512
    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    3KB
    MD5
    a64abe9eb02d981323fa74da331b4aa2
    SHA1
    7e7ec08a08fa64acbadb37372e0df6cdbabfbb63
    SHA256
    2c0b953721485178e289ea2c28f496284c2c3ccb95d5266fb2b6958ed0ef8939
    SHA512
    0f1ac6bc7eaa68dc727092850983f7d064dfce969763ca197feb920f41512f6641bca4c725905c4ba8155785b5fd7d462548589766a105b8d0a5e05c05b8e37a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    2KB
    MD5
    187b3d931a079307afb3ee2e9dd563c0
    SHA1
    fe7efa121f531da715b5d76564fd449607e4b9cf
    SHA256
    e023a489761afabeef4a722f98c1ae0589019dae8e888bb87c02cfe539ca078f
    SHA512
    934659a5cf234c2d3240e2f97e45c0483030d78cc52e52b5f0e2b7bc1b1c30a2c1623b5648db592e792172fb57aa842cf412b87d2220dd73f74b6a57505ed1c3

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\873c7db1-ecb9-415e-9fe6-b79471192a3a
    Filesize
    11KB
    MD5
    fcda1f31689636a6f1c836e92ef7929d
    SHA1
    808c3f5f4b7dd603ef24222f4bbfdc42f8cb56b1
    SHA256
    1a187082af283ed714997635080572161c920a291d181460d94e227c86659c32
    SHA512
    87cfa37c5290c4b851561b9fe64111722c967bad71906fd0ce3fc58f51d6bdab5a25416dde8e3b3b685b88468b8b6eba95fa360c5f6fba6e43c7bdd4703f25a2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\ec080f0d-1702-41ef-a9ac-262af94ee650
    Filesize
    745B
    MD5
    255b31857e8a6bea521bce469d7e9286
    SHA1
    123e643b670038696505841f22cb019bc5e48175
    SHA256
    de1e7249599ea0607f5d578bcab3825d482eca2cd7ede7043f7c0e9cb84fcb5c
    SHA512
    09607de0ab682fd335092aa6c6ca1d5c182f02c4e26f76b2e3c2d21ff7e77807b84a731cb2ff651e12230c784abc9ea17daf691583755a3e929be9af8f54630e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize
    997KB
    MD5
    fe3355639648c417e8307c6d051e3e37
    SHA1
    f54602d4b4778da21bc97c7238fc66aa68c8ee34
    SHA256
    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
    SHA512
    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize
    116B
    MD5
    3d33cdc0b3d281e67dd52e14435dd04f
    SHA1
    4db88689282fd4f9e9e6ab95fcbb23df6e6485db
    SHA256
    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
    SHA512
    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
    Filesize
    479B
    MD5
    49ddb419d96dceb9069018535fb2e2fc
    SHA1
    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
    SHA256
    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
    SHA512
    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
    Filesize
    372B
    MD5
    8be33af717bb1b67fbd61c3f4b807e9e
    SHA1
    7cf17656d174d951957ff36810e874a134dd49e0
    SHA256
    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
    SHA512
    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
    Filesize
    11.8MB
    MD5
    33bf7b0439480effb9fb212efce87b13
    SHA1
    cee50f2745edc6dc291887b6075ca64d716f495a
    SHA256
    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
    SHA512
    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
    Filesize
    1KB
    MD5
    688bed3676d2104e7f17ae1cd2c59404
    SHA1
    952b2cdf783ac72fcb98338723e9afd38d47ad8e
    SHA256
    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
    SHA512
    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
    Filesize
    1KB
    MD5
    937326fead5fd401f6cca9118bd9ade9
    SHA1
    4526a57d4ae14ed29b37632c72aef3c408189d91

                                      SHA256

                                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                      SHA512

                                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

                                      Filesize

                                      6KB

                                      MD5

                                      4d8b27a8717cc5b9298c1c5728114e4f

                                      SHA1

                                      3b0bda90a132961cb4c09991ff7d6d4de2ecdd73

                                      SHA256

                                      d7d7f91743bc4b4fe888358f929095b1bd786379639132aab4e68ab9f9bbd043

                                      SHA512

                                      4a5dd6f75b80367e1fbf32485352acdb90272d981b4f553660f5e3eb7bbc53c019b9a239138ed470933daa5946ac4a03e2fb8dcee0539abf9d5d6b5c7b013e0a

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

                                      Filesize

                                      7KB

                                      MD5

                                      01006a4234bba955f605eb790a63714b

                                      SHA1

                                      ff258325acc6e3b027225b0389566ff612bbb42e

                                      SHA256

                                      084c01d6752521dbfb32848a52d302a837d22d3b5696d30487376d0f339d1a36

                                      SHA512

                                      e121cdfb23fd306a5e52de62b3b5b41b0e0bd9164b6a12ab862d845dc41d7cd947daec0f0414d0eee39e97cec9637c4e665a90bd33e2f0c070c26131bfb7ba00

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

                                      Filesize

                                      7KB

                                      MD5

                                      1fe8099808fb7339ce96534787243a68

                                      SHA1

                                      a6e50a15d97782954c64f5d50c1c95835a3d71e6

                                      SHA256

                                      d60e4ff8d91a2e8487ac21fdf3afc240f9df728ee0744c154541e66dd1399dfa

                                      SHA512

                                      d306555f75614caea9420b0f919554d0b8154ef008bc9235e361c368c363c3d610ee12bbe7dc41f645a832ca62085871f3725b3041129dd0cf16c4dcf6e15785

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js

                                      Filesize

                                      6KB

                                      MD5

                                      b0ab85b84bc95b89f34bdf15cb4e767e

                                      SHA1

                                      37547e74f9b47d13ca549c90cce54413a01b0189

                                      SHA256

                                      ae104c28499aba223a145cc00683e3be3279e81334f7584d4aa35aa6ceebe671

                                      SHA512

                                      ed76e4110be7c41112979a3893c6f6cb6d0186ce8b08dba8eae35cb35569b48eb09afebc42ac0a82d290f311c3cbb69d35f8c7d31f13f470db344023f6f708ba

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

                                      Filesize

                                      4KB

                                      MD5

                                      2a88554f9c6c67489ff51b41b46274a7

                                      SHA1

                                      6859bce907b4609bdf25957d23f24a5d22128b14

                                      SHA256

                                      10f4df853ec521184f3104088ff622c4c5b45544b74b8bf27dbe4ed35115b10e

                                      SHA512

                                      64f430ff42e2f3d8299d667c494dfdd22eddcaabc122d5bf2684a29fc1c6b3fb309949f6ff58d386746c8e58dbff3e81a347e4756b2218cfb4b52b5a015beaa4

                                    • \??\pipe\crashpad_604_KJKZVOIIYYSPZZII

                                      MD5

                                      d41d8cd98f00b204e9800998ecf8427e

                                      SHA1

                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                      SHA256

                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                      SHA512

                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    • \ProgramData\mozglue.dll

                                      Filesize

                                      593KB

                                      MD5

                                      c8fd9be83bc728cc04beffafc2907fe9

                                      SHA1

                                      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                      SHA256

                                      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                      SHA512

                                      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                    • \ProgramData\nss3.dll

                                      Filesize

                                      2.0MB

                                      MD5

                                      1cc453cdf74f31e4d913ff9c10acdde2

                                      SHA1

                                      6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                      SHA256

                                      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                      SHA512

                                      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                    • \Users\Admin\AppData\Local\Temp\HDBGDHDAEC.exe

                                      Filesize

                                      1.8MB

                                      MD5

                                      2dc22b0c18ac39c07ae034b7edc70559

                                      SHA1

                                      1748ecc0beddd786ea21d9574dbe4ea55cc9f6e4

                                      SHA256

                                      4cf76d26e79d0443447b12ee0630674bb5087af7b2f277463119b9224c95b794

                                      SHA512

                                      5d9669788f0e2c95c810ffa71815a17b211326d501f8aa79c60f267e75087915f20ffaf1981c378b6e6d5c46cf5fad731ae4e42d764620badab3126af8866f04

                                    • memory/892-141-0x0000000001240000-0x0000000001E3D000-memory.dmp

                                      Filesize

                                      12.0MB

                                    • memory/892-162-0x0000000001240000-0x0000000001E3D000-memory.dmp

                                      Filesize

                                      12.0MB

                                    • memory/2304-101-0x00000000001B0000-0x000000000066B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2304-120-0x00000000001B0000-0x000000000066B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2304-118-0x00000000071D0000-0x000000000768B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2324-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

                                      Filesize

                                      3.8MB

                                    • memory/2324-0-0x0000000000CF0000-0x00000000018ED000-memory.dmp

                                      Filesize

                                      12.0MB

                                    • memory/2324-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

                                      Filesize

                                      3.8MB

                                    • memory/2324-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                      Filesize

                                      972KB

                                    • memory/2324-64-0x0000000000CF0000-0x00000000018ED000-memory.dmp

                                      Filesize

                                      12.0MB

                                    • memory/2452-551-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-516-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-121-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-506-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-450-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-369-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-138-0x0000000007100000-0x0000000007CFD000-memory.dmp

                                      Filesize

                                      12.0MB

                                    • memory/2452-140-0x0000000007100000-0x0000000007CFD000-memory.dmp

                                      Filesize

                                      12.0MB

                                    • memory/2452-515-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-392-0x0000000007100000-0x0000000007CFD000-memory.dmp

                                      Filesize

                                      12.0MB

                                    • memory/2452-526-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-411-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-541-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-542-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-543-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-544-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2452-545-0x0000000000260000-0x000000000071B000-memory.dmp

                                      Filesize

                                      4.7MB

                                    • memory/2876-99-0x00000000020A0000-0x000000000255B000-memory.dmp

                                      Filesize

                                      4.7MB