Analysis

  • max time kernel
    72s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    08-07-2024 16:52

General

  • Target

    c5bd507d607a85292dbd26e9ef87924d525680eb08eaf489f5dabb46a15a8ce1.exe

  • Size

    2.3MB

  • MD5

    6a86015f6861255a686e50eba395b43f

  • SHA1

    59d347d84af863e1184ebd06a967a5bec7b860fd

  • SHA256

    c5bd507d607a85292dbd26e9ef87924d525680eb08eaf489f5dabb46a15a8ce1

  • SHA512

    acef8012797e815cc2cb63063cec2d79a4a14bdb827ba57def6c090fe002f85b5e0d786ca631eb055379564d42c467af4ca8dc110ac4e084bd12749bb077a2a5

  • SSDEEP

    49152:aiYO25YHCsKjTI1Qjh9uX7zs+2X3LoHnVv9q4DWba5sCdHe:VYOmYQKQjuLV2en/vtZBe

Malware Config

Extracted

Family

stealc

Botnet

Nice

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5bd507d607a85292dbd26e9ef87924d525680eb08eaf489f5dabb46a15a8ce1.exe
    "C:\Users\Admin\AppData\Local\Temp\c5bd507d607a85292dbd26e9ef87924d525680eb08eaf489f5dabb46a15a8ce1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCAFCAFHJJ.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Users\Admin\AppData\Local\Temp\GCAFCAFHJJ.exe
        "C:\Users\Admin\AppData\Local\Temp\GCAFCAFHJJ.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Users\Admin\AppData\Local\Temp\1000006001\c30a47d467.exe
            "C:\Users\Admin\AppData\Local\Temp\1000006001\c30a47d467.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2312
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\5e7d50b518.cmd" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1516
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1204
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ee9758,0x7fef6ee9768,0x7fef6ee9778
                7⤵
                  PID:2980
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1272,i,12956390814117651761,15072120324672720563,131072 /prefetch:2
                  7⤵
                    PID:3020
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1272,i,12956390814117651761,15072120324672720563,131072 /prefetch:8
                    7⤵
                      PID:2256
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1272,i,12956390814117651761,15072120324672720563,131072 /prefetch:8
                      7⤵
                        PID:2764
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1272,i,12956390814117651761,15072120324672720563,131072 /prefetch:1
                        7⤵
                          PID:1348
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2188 --field-trial-handle=1272,i,12956390814117651761,15072120324672720563,131072 /prefetch:1
                          7⤵
                            PID:2132
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1272,i,12956390814117651761,15072120324672720563,131072 /prefetch:2
                            7⤵
                              PID:2688
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2676 --field-trial-handle=1272,i,12956390814117651761,15072120324672720563,131072 /prefetch:1
                              7⤵
                                PID:1132
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                              6⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2864
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                                7⤵
                                • Checks processor information in registry
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                PID:2532
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.0.1897229179\267404794" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1112 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f5ed4c6-5aed-45f8-8ff5-1966abe95dc2} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 1312 186d5f58 gpu
                                  8⤵
                                    PID:1496
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.1.610801601\904957127" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {923c18d7-d0fc-4a7b-98d8-bb1ebdea4ad4} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 1492 18604758 socket
                                    8⤵
                                      PID:2404
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.2.1925268184\2021480865" -childID 1 -isForBrowser -prefsHandle 2032 -prefMapHandle 2028 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c69803d-ac05-472e-a074-60aa48603688} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 2044 20eca758 tab
                                      8⤵
                                        PID:2800
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.3.2065614474\2107249432" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2736 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {524ca52b-8e57-448c-a912-f77309523d9c} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 2752 2153ac58 tab
                                        8⤵
                                          PID:2740
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.4.2064932335\201328571" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77546996-ce3d-4bc1-a49e-f87aecbc9352} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 3796 26599658 tab
                                          8⤵
                                            PID:3968
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.5.210827306\1139841862" -childID 4 -isForBrowser -prefsHandle 3988 -prefMapHandle 4012 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {541a02fb-13f9-473c-b919-6e2da0f0d096} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 4000 2659a258 tab
                                            8⤵
                                              PID:3980
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.6.1645559306\163205711" -childID 5 -isForBrowser -prefsHandle 4196 -prefMapHandle 4200 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c337051-ced0-4610-8e62-442915c2b67c} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 4184 26bbb558 tab
                                              8⤵
                                                PID:4004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe"
      2⤵
      PID:2228
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

    Filesize

    264KB

    MD5

    f50f89a0a91564d0b8a211f8921aa7de

    SHA1

    112403a17dd69d5b9018b8cede023cb3b54eab7d

    SHA256

    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

    SHA512

    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    1a5a1c3f08a261779c16ff0077be3a19

    SHA1

    069eba516af187cd3a8df99d892e116b4e15f6eb

    SHA256

    a28d70b46f505e25d8a85242280e3f8ea77d35cac0b36b43a19bc6177e85417f

    SHA512

    b104641605588f6f8d865b1e1f55b4fa8d167505873593209422a136b7504d907231c976a75880044b89749ff311edf8e99ac4373322af1fe1d9fa5874917ef3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    6KB

    MD5

    060ba72be8e9d2951a982d20ed912eb7

    SHA1

    7a49db9a97b460c954532c926e5dfb41d914b0e7

    SHA256

    278029af4c3346bf8dd0d0edbfeb579cc4cca9e08c272a12397e3894944aa698

    SHA512

    a970c38805d017d16022dfb489b9f0067445db52cf1df26d5b780b4a92a789dd32e218ace480d1980be683e957f245f9b3fb599a74a70f866f5b9f405e936c34

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

    Filesize

    16B

    MD5

    18e723571b00fb1694a3bad6c78e4054

    SHA1

    afcc0ef32d46fe59e0483f9a3c891d3034d12f32

    SHA256

    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

    SHA512

    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    23KB

    MD5

    1afc6206c60d652ea5adbf7b90f04a7d

    SHA1

    8328a18e0c3086726075cc93386aec0eed14916e

    SHA256

    72bb126be1925a6b51a5f963ff9c16feeafb977d5e0bcabdf8c0ca31a01f60bd

    SHA512

    02038481c77a938bf3f89377793aafe57dfddcc764b56fe9dc5a95ba2c41646511046351f39a76be062c732dfb28708b6a184040f2ec1bef66545077c3466b26

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    22KB

    MD5

    f88b2cdf11c92914e3d103fc7574ee06

    SHA1

    2154a397a99fcdc30fb398000991a1a8cf81e7ed

    SHA256

    944a1637b9a3ea87b6ff25b91c4d55c10574916f45df032669da71d738cd3e66

    SHA512

    b4b4ae9a9f9bdfaad999b21f42084e41a89be29088522ccb948405d5439e2669cf628047156321a1fe50acfd85ca5f10b3c2c80b321f4be8ba72c0625e844ab1

  • C:\Users\Admin\AppData\Local\Temp\1000006001\c30a47d467.exe

    Filesize

    2.4MB

    MD5

    1353eeb92749ad19736c9e3d97959c2a

    SHA1

    0bfd65e336cb0a12b150e7212877cf9b5c466500

    SHA256

    7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803

    SHA512

    fb1a3757833a746e811d8ac5a7b3cd486596ba8e1a6ef47efa54f8fd0be71c2719a8d136750a8a551125504072be25ee5b798fa4f1317b5dc53864ba918e8ab7

  • C:\Users\Admin\AppData\Local\Temp\1000008021\5e7d50b518.cmd

    Filesize

    2KB

    MD5

    c1b73be75c9a5348a3e36e9ec2993f58

    SHA1

    84b8badeca9fa527ae6b79f3e5920e9fd0fbd906

    SHA256

    a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0

    SHA512

    fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

  • C:\Users\Admin\AppData\Local\Temp\GCAFCAFHJJ.exe

    Filesize

    1.8MB

    MD5

    c0324c4ceaf70023c49e4137e96ee789

    SHA1

    b5e41b9a96b9234692ada099d25ff69a680098e1

    SHA256

    aef46d5bceb036b5922f62406d7162b00a0d7c06abf218430f9ee8f19afa0312

    SHA512

    c5c8c2463326d76d905d23d4c263101a57e0fa571034395777b33edf764e4221d72b47628717ce9fb4b35b0404e25faf1b0102295967150b6e8f96c55c99400a

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

    Filesize

    442KB

    MD5

    85430baed3398695717b0263807cf97c

    SHA1

    fffbee923cea216f50fce5d54219a188a5100f41

    SHA256

    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

    SHA512

    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

    Filesize

    8.0MB

    MD5

    a01c5ecd6108350ae23d2cddf0e77c17

    SHA1

    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

    SHA256

    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

    SHA512

    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    2KB

    MD5

    8ce7c40a7e91d508bc993a26280e36a5

    SHA1

    76428ac1ed389f4af37a0cfbb11fabd8f12db752

    SHA256

    67e5e60a007c7f04a6db12e47110e314b9b62588285b1a265749ce99fc80d62a

    SHA512

    6bdd123da8597502c47a0fbf3cdf49e4f9ec52ea971d75a9f3edcacebf800c2075a4298f5f724931f733e428cec13061c487e1bac128dda555159e5b1dba0d51

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\b8e4a467-f9ac-4e41-9f00-183be55341c8

    Filesize

    11KB

    MD5

    81f92148ebe872d2423f951d717c7e4a

    SHA1

    0a457785690aad27dd14694eacd47700b9273728

    SHA256

    01018f5f9a72ab843dfa9c7ce6976507d4aa63fba8bc36cabd19cb499f9c6b02

    SHA512

    ce74540a4bba255f7c4058f24ccd16b6fc1a931342eb2a22eada82acc778e685ded0f87824f01aaed37678eba3635574487d45e832266a6b2213dc9f67fea5b4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\e96085ef-ffa3-47f2-907c-c90ebb9d7c07

    Filesize

    745B

    MD5

    5007c24b72ee7f949f309147f71637d1

    SHA1

    a565bded5d199bec8ca97d05372bf21318edca6a

    SHA256

    95260b7684ede120b320764ada2e04f1fc6969d92535c4f3dd7167611d99439e

    SHA512

    d33fc74a3f9be041cba5263612ea9fd2c4e8b0b44c74646884d32c25aea4f0931dc5dfc66b624c81782987ce3a0ef1718bfbe99c894d5fb37fe33b7c5cb8a8db

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

    Filesize

    997KB

    MD5

    fe3355639648c417e8307c6d051e3e37

    SHA1

    f54602d4b4778da21bc97c7238fc66aa68c8ee34

    SHA256

    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

    SHA512

    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

    Filesize

    116B

    MD5

    3d33cdc0b3d281e67dd52e14435dd04f

    SHA1

    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

    SHA256

    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

    SHA512

    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

    Filesize

    479B

    MD5

    49ddb419d96dceb9069018535fb2e2fc

    SHA1

    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

    SHA256

    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

    SHA512

    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

    Filesize

    372B

    MD5

    8be33af717bb1b67fbd61c3f4b807e9e

    SHA1

    7cf17656d174d951957ff36810e874a134dd49e0

    SHA256

    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

    SHA512

    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

    Filesize

    11.8MB

    MD5

    33bf7b0439480effb9fb212efce87b13

    SHA1

    cee50f2745edc6dc291887b6075ca64d716f495a

    SHA256

    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

    SHA512

    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

    Filesize

    1KB

    MD5

    688bed3676d2104e7f17ae1cd2c59404

    SHA1

    952b2cdf783ac72fcb98338723e9afd38d47ad8e

    SHA256

    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

    SHA512

    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

    Filesize

    1KB

    MD5

                                      937326fead5fd401f6cca9118bd9ade9

                                      SHA1

                                      4526a57d4ae14ed29b37632c72aef3c408189d91

                                      SHA256

                                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                      SHA512

                                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

                                      Filesize

                                      6KB

                                      MD5

                                      3faf4d0f900417306108ad6d83665b7d

                                      SHA1

                                      fb3852105c3319558dc294b87e056cd983694b2b

                                      SHA256

                                      03f53730fe8697d71718c02c3132ce8a63dcf0fdcf60970e21d74b41ca9c9c94

                                      SHA512

                                      fe6da939367338479ea7ddf7a8f045e40db66f2dd74f5e2da50147ecfea90d98a2a0a1c00ca806bf35bad6a77907bee22a15f1322e3bb8696052daa9a3fe20e6

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

                                      Filesize

                                      7KB

                                      MD5

                                      b9daf07530154da270d48168a4bfe519

                                      SHA1

                                      25cd8b5183ece66d1622c7e900f2a000bc1470fb

                                      SHA256

                                      93f67366f29872d5f692098f0234342e7f16fbb21d7407b21f3cfc95f267fede

                                      SHA512

                                      07835d0afe9c7363d3058766d04aaba7370d8fec5d34f292b82f19ba634395f7254e598ed64525d82b45ffd0b53195c335d46cc1d9eec8a9ed992794c974a3ba

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

                                      Filesize

                                      7KB

                                      MD5

                                      1485d775163f5df60523bb60bae3bcf5

                                      SHA1

                                      926fc47a3eed1de426f4879282102509574ecb02

                                      SHA256

                                      366850f93d4b94a16fe2a696cc5094f7f8c06983aa78e625b612377d5169783a

                                      SHA512

                                      fc9045c9b36834cf47b81c359aa33b1003639117f136b4f871c2f3cd5a2f277e8243f46886455bea7b94b3ec758f4a8d3a251bc2e76ba68b7e95c09656167ca0

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs.js

                                      Filesize

                                      6KB

                                      MD5

                                      9d1c211c36d621580826e7af316c1b67

                                      SHA1

                                      592f06e766e430ee3dbe60ac4e80a84754545f64

                                      SHA256

                                      7caeb8cb0f19c8a2d85e0db9ac1d938e679eddf1f2065a501b723b4e5b3456d6

                                      SHA512

                                      c7a09195f71fbd3ac3408970289a5e301288a4d0ba2d61f3f50d3cec530abf7ebfacc5c6567a8d76868431f403adedd6b0f41b291f94e5066b2e55ca598c4d53

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4

                                      Filesize

                                      4KB

                                      MD5

                                      eb67bb479e8c07361f2bf1de5a257d95

                                      SHA1

                                      6a792213b43e0148e2a3636920c55ee463624627

                                      SHA256

                                      6f3e8382e094a4fe98302c30baa7fdcd175e88c38b9ad5cad991d2f982776f0e

                                      SHA512

                                      99c6c2421474a70245749b09914351d4a1a3436ae3a236d61674443c2eb7cd899b880f5f9022e8aa73c10e0e2bdd31ee77756b09da19fbf121b1cf1c96130030

                                    • \??\pipe\crashpad_1204_VNRRQTYEDNGBRZFF

                                      MD5

                                      d41d8cd98f00b204e9800998ecf8427e

                                      SHA1

                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                      SHA256

                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                      SHA512

                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    • \ProgramData\mozglue.dll

                                      Filesize

                                      593KB

                                      MD5

                                      c8fd9be83bc728cc04beffafc2907fe9

                                      SHA1

                                      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                      SHA256

                                      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                      SHA512

                                      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                    • \ProgramData\nss3.dll

                                      Filesize

                                      2.0MB

                                      MD5

                                      1cc453cdf74f31e4d913ff9c10acdde2

                                      SHA1

                                      6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                      SHA256

                                      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                      SHA512

                                      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                    • memory/2312-160-0x00000000009B0000-0x00000000015A0000-memory.dmp
                                      Filesize: 11.9MB

                                    • memory/2312-140-0x00000000009B0000-0x00000000015A0000-memory.dmp
                                      Filesize: 11.9MB

                                    • memory/2320-0-0x0000000000E90000-0x0000000001A67000-memory.dmp
                                      Filesize: 11.8MB

                                    • memory/2320-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp
                                      Filesize: 972KB

                                    • memory/2320-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
                                      Filesize: 3.8MB

                                    • memory/2320-64-0x0000000000E90000-0x0000000001A67000-memory.dmp
                                      Filesize: 11.8MB

                                    • memory/2320-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
                                      Filesize: 3.8MB

                                    • memory/2332-506-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-356-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-537-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-536-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-535-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-139-0x0000000006A40000-0x0000000007630000-memory.dmp
                                      Filesize: 11.9MB

                                    • memory/2332-410-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-489-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-391-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-117-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-137-0x0000000006A40000-0x0000000007630000-memory.dmp
                                      Filesize: 11.9MB

                                    • memory/2332-507-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-515-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-199-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-532-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-533-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2332-534-0x0000000000810000-0x0000000000CC1000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2892-115-0x0000000000980000-0x0000000000E31000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2892-116-0x0000000007060000-0x0000000007511000-memory.dmp
                                      Filesize: 4.7MB

                                    • memory/2892-69-0x0000000000980000-0x0000000000E31000-memory.dmp
                                      Filesize: 4.7MB