Analysis

  • max time kernel: 62s
  • max time network: 152s
  • platform: windows7_x64
  • resource: win7-20240705-en
  • resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted: 08-07-2024 18:33

General

  • Target: file.exe
  • Size: 2.4MB
  • MD5: 1353eeb92749ad19736c9e3d97959c2a
  • SHA1: 0bfd65e336cb0a12b150e7212877cf9b5c466500
  • SHA256: 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803
  • SHA512: fb1a3757833a746e811d8ac5a7b3cd486596ba8e1a6ef47efa54f8fd0be71c2719a8d136750a8a551125504072be25ee5b798fa4f1317b5dc53864ba918e8ab7
  • SSDEEP: 49152:y4AaYJnc45rm8DRje7HYCRvNZ5ZC3JDwHKi7AbfC1N4nNW5WflHBHVQeefi1FYr6:y4H811maeZRvNja1wHTBN4QEHt+DfRr

Malware Config

Extracted

  • Family: stealc
  • Botnet: hate
  • C2: http://85.28.47.30
  • Attributes
    • url_path: /920475a59bac849d.php

Extracted

  • Family: amadey
  • Version: 4.30
  • Botnet: 4dd39d
  • C2: http://77.91.77.82
  • Attributes
    • install_dir: ad40971b6b
    • install_file: explorti.exe
    • strings_key: a434973ad22def7137dbb5e059b7081e
    • url_paths: /Hun4Ko/index.php
    • rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 2 IoCs]
  • Downloads MZ/PE file
  • Checks BIOS information in registry [2 TTPs, 4 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE [3 IoCs]
  • Identifies Wine through registry keys [2 TTPs, 2 IoCs]

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL [6 IoCs]
  • Reads data files stored by FTP clients [2 TTPs]

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers [2 TTPs]

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
  • Checks installed software on the system [1 TTP]

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger [9 IoCs]
  • Drops file in Windows directory [1 IoC]
  • Enumerates physical storage devices [1 TTP]

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry [2 TTPs, 8 IoCs]

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry [2 TTPs, 3 IoCs]
  • Modifies registry class [1 IoC]
  • Suspicious behavior: EnumeratesProcesses [6 IoCs]
  • Suspicious use of AdjustPrivilegeToken [32 IoCs]
  • Suspicious use of FindShellTrayWindow [39 IoCs]
  • Suspicious use of SendNotifyMessage [35 IoCs]
  • Suspicious use of SetWindowsHookEx [2 IoCs]
  • Suspicious use of WriteProcessMemory [64 IoCs]
  • Uses Task Scheduler COM API [1 TTP]

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHJEGIIEGI.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Users\Admin\AppData\Local\Temp\FHJEGIIEGI.exe
        "C:\Users\Admin\AppData\Local\Temp\FHJEGIIEGI.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Users\Admin\AppData\Local\Temp\1000006001\1cb7986d21.exe
            "C:\Users\Admin\AppData\Local\Temp\1000006001\1cb7986d21.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:1328
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\e3353175dd.cmd" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1884
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:752
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7e79758,0x7fef7e79768,0x7fef7e79778
                7⤵
                  PID:1168
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:2
                  7⤵
                    PID:2028
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:8
                    7⤵
                      PID:3032
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:8
                      7⤵
                        PID:1804
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2220 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:1
                        7⤵
                          PID:2040
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:1
                          7⤵
                            PID:1020
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:2
                            7⤵
                              PID:3416
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3192 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:1
                              7⤵
                                PID:3860
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 --field-trial-handle=1200,i,1448929045796183990,5191118730549267584,131072 /prefetch:8
                                7⤵
                                  PID:3836
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                                6⤵
                                • Suspicious use of WriteProcessMemory
                                PID:832
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                                  7⤵
                                  • Checks processor information in registry
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of WriteProcessMemory
                                  PID:1520
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.0.533407109\398782521" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1124 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b791e25-2fe6-48b6-b4c4-3349e4bdba83} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1312 11bd9558 gpu
                                    8⤵
                                      PID:2852
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.1.1513895868\1529174423" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c1a21a7-5986-4cf4-acf1-4c3c26f1c02c} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1528 f7ee258 socket
                                      8⤵
                                        PID:2124
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.2.1016076439\287805123" -childID 1 -isForBrowser -prefsHandle 2260 -prefMapHandle 2256 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 688 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1cb2aae-f403-4193-841d-88e633acc39e} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2284 18882458 tab
                                        8⤵
                                          PID:2820
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.3.1199763050\2029374572" -childID 2 -isForBrowser -prefsHandle 2692 -prefMapHandle 2688 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 688 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d92c1dde-e630-4f8f-95c8-ad4af0bbec4c} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2704 d62b58 tab
                                          8⤵
                                            PID:2392
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.4.831457061\795992709" -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 3740 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 688 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da46bda6-db55-41ac-ad0f-e41c478dfc5d} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3760 1f344f58 tab
                                            8⤵
                                              PID:3460
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.5.1346870347\677919117" -childID 4 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 688 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac46eb39-7fe6-48b3-a7a5-f2ff83be0117} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3900 1fa80558 tab
                                              8⤵
                                                PID:3512
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.6.294795763\718521697" -childID 5 -isForBrowser -prefsHandle 4020 -prefMapHandle 4024 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 688 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10af8a5c-41b6-43dc-a65e-f268671d57bb} 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4008 1fa80858 tab
                                                8⤵
                                                  PID:3532
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDHIIJJJKE.exe"
                                      2⤵
                                        PID:2316
                                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                      1⤵
                                        PID:1412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 987B
    MD5: 44c2b325b6f570dfadd0523a97415e4c
    SHA1: b5d3270ea88ad86b3ca9ac362698e74e21f7d04d
    SHA256: f69d7fdeee8e0467c1c5904d24211fca60f72fc2778bcf0a1ed039a19dfb2e29
    SHA512: d8c3ab38593a2a192ce45c776dd56334ffbf7ceac6d9be8a92dc92915b5f182ff69ebab73e17b4bc95b51ac1769635c132ecd00b7cba3c30acb4792a720f79c2

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 738866315816f1de1635e61a42c36f06
    SHA1: a6722ea6fcd1cb64beb16fd7b6d60204b0f7d0a8
    SHA256: 66fd5b6bde51523df6a2d87f9fd88acd4197fdec448d88eef59c38736fa46449
    SHA512: f7e6f6d8455c86e449072ea85fd4c3b4ca13bf80500a033719befb26945c504e4a3d0c4d7b0a06d109975680407e736778f37354cd8f266e99c3673c2979889b

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: df7dcdfe6e2b9e417061199bd5cacd28
    SHA1: 98893bc24fb70b7ccd1356a880a26a366c7f4af5
    SHA256: 27e15f23dfbbc9cd661c54b1e2db612ba4f37ef6e3721ed14a748b59917645c9
    SHA512: 67436dde7dc7add55eab1df16e76cc6cbea25e60649c81f5e0867064535ca398d203aa058d9fb72c6207ea2ea945812a79d3b8293653e5aca085b3ae43a3b9f9

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
    Filesize: 16B
    MD5: 18e723571b00fb1694a3bad6c78e4054
    SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 24KB
    MD5: 4b3b350bef66ca876c4fb4e58e1be058
    SHA1: 1659851fe576adef7f5fa82bb955da856b84b7e1
    SHA256: 718eae519c2e479a7a322fe3a8c25c71db7a555a04feeac8ae929f440c9b446c
    SHA512: 46900bc36d27551e8e4393ec973b0d7636c95d5b099004b63f4ff450b057a70b5b60b0d300cec3fd1672830cafd8d6eca3fae6f0ceed07513bd43724f2d3fda0

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x07tfuqf.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 23KB
    MD5: 607c08c93e88b1874836e16e1875cd71
    SHA1: b51c7b67676339d58a43c4c04642fc37c63b97ed
    SHA256: 7e00bc82fb3d75c19397eced847593ff483ad405cc02b71bd7e546bd02d84f7b
    SHA512: 6cfce5007695386918854ce67d7b4520a4712a6a71498bca300eadeab27e50345f6bd2c356e6ab62aa231308413cb27a1c3a059fee2bf85607adc0ea36381e1c

  • C:\Users\Admin\AppData\Local\Temp\1000006001\1cb7986d21.exe
    Filesize: 2.4MB
    MD5: 1353eeb92749ad19736c9e3d97959c2a
    SHA1: 0bfd65e336cb0a12b150e7212877cf9b5c466500
    SHA256: 7378f4059b53f7da3e135c76ce4d6d6dc3af8106f510f128a77c5688f958a803
    SHA512: fb1a3757833a746e811d8ac5a7b3cd486596ba8e1a6ef47efa54f8fd0be71c2719a8d136750a8a551125504072be25ee5b798fa4f1317b5dc53864ba918e8ab7

  • C:\Users\Admin\AppData\Local\Temp\1000008021\e3353175dd.cmd
    Filesize: 2KB
    MD5: c1b73be75c9a5348a3e36e9ec2993f58
    SHA1: 84b8badeca9fa527ae6b79f3e5920e9fd0fbd906
    SHA256: a75e65563e853c9fb8863bcf7c2103ec23893f31a42b9332042ea3f5f2d40ea0
    SHA512: fe6d1df55358ba710c25e0e6b189beca8ce991d65a0fcecefdecacd2b96e0802ea549157c1449d2853f0ab37b8e865ec70e51772d2deefe8238d7581c81bc4a3

  • C:\Users\Admin\AppData\Local\Temp\FHJEGIIEGI.exe
    Filesize: 1.8MB
    MD5: d5d3a63a0c127480a4f3c3acde73a130
    SHA1: 6386347bb05c432a70895ba02cfbaec68a9067f0
    SHA256: 10e426a158bdc950555167f7c4a4d25e46cd2081ea48f7bd27bb0163b50145c7
    SHA512: c7bd14f45005b1ff14a5cdf6b80777f97ee901445607e09da25c1bd4123c662f72ecd122578eccaca846b455fc04510cddc9f25fed6405d915cb04ea9a239180

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize: 442KB
    MD5: 85430baed3398695717b0263807cf97c
    SHA1: fffbee923cea216f50fce5d54219a188a5100f41
    SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
    SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize: 8.0MB
    MD5: a01c5ecd6108350ae23d2cddf0e77c17
    SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
    SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
    SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 47d4ef84585337c935fd76440203859d
    SHA1: 144014cb7689ebc5f68b63a48ff6250fca8359a9
    SHA256: 3a1c352ee74476933bf4dc0367ee56a9cc9cea6d3c8df354079249ec14ab4258
    SHA512: d2b092f3241c16e82b8830b5392f9370989843c96585b13a2bdc4321fe2446d99a2cebde461d9dd74db701f07c677ad6ab8bf0c707fa6ce39fe51ebb131ec2a8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\6ac727af-1c43-4b19-a93b-c6cf22cead12
    Filesize: 10KB
    MD5: f379767a73cfa251df1d5184c8d195e0
    SHA1: f230e432b800ce30845d80028241b19a10e4b747
    SHA256: 942332faff4ccb8b320a8d21bbed0216a1bc55f499aea9197653ddf34d5f8424
    SHA512: fa2ed232fbea509da32fce6b3baad2a729b0bf8695c2687e50d5ec7bb23a51f89e4f9ec6f5b1d67c0e3448adb84e0fbd142a446f2cb025ccbe5eb4125cd07cf0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\6ea3ac8e-0e94-4d13-82fc-675cd0cac65c
    Filesize: 745B
    MD5: 00b44083c90dff6db89097473fde2c54
    SHA1: caa553c0f9ff25e1fe976bf45e791a46079a5fdc
    SHA256: a7dd3009ded27d3d3599509df602b625e03bfabce78aff9843ae62f60713e0ed
    SHA512: 81c78de57af4d2736cc20bcfc08901c06609b449367f181882d1ef01a1c3bcbdd009fb3aa53ae9575ec427f6718995da8d6b34ae68371066a6a9c9357d2fe769

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
    Filesize: 997KB
    MD5: fe3355639648c417e8307c6d051e3e37
    SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
    SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
    SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
    Filesize: 116B
    MD5: 3d33cdc0b3d281e67dd52e14435dd04f
    SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
    SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
    SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
    Filesize: 479B
    MD5: 49ddb419d96dceb9069018535fb2e2fc
    SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
    SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
    SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
    Filesize: 372B
    MD5: 8be33af717bb1b67fbd61c3f4b807e9e
    SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
    SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
    SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
    Filesize: 11.8MB
    MD5: 33bf7b0439480effb9fb212efce87b13
    SHA1:

                                        cee50f2745edc6dc291887b6075ca64d716f495a

                                        SHA256

                                        8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                        SHA512

                                        d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                        Filesize

                                        1KB

                                        MD5

                                        688bed3676d2104e7f17ae1cd2c59404

                                        SHA1

                                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                        SHA256

                                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                        SHA512

                                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                        Filesize

                                        1KB

                                        MD5

                                        937326fead5fd401f6cca9118bd9ade9

                                        SHA1

                                        4526a57d4ae14ed29b37632c72aef3c408189d91

                                        SHA256

                                        68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                        SHA512

                                        b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

                                        Filesize

                                        6KB

                                        MD5

                                        582cd42f929b37c814b0b305a347db79

                                        SHA1

                                        ef61b69685a63160b094e0f1665e0928a55d1b8f

                                        SHA256

                                        a9c859e683f943a4f2a7be4356cd6f17a18397cea2a5650afb191e140dbc7560

                                        SHA512

                                        d87ca7399c5e91f0353c82ce6a7c78d2551a14650418e7ec982dbaf772c05dda5ec24b8dc3ef4821f42e74aab4dc1e8551f9be4bd16389340f5c59f909176998

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

                                        Filesize

                                        7KB

                                        MD5

                                        bfcba149dcf5ea4bdb29de1723dc64cd

                                        SHA1

                                        99be82dc0b8434a1daff9f212261f83215d9ceae

                                        SHA256

                                        751bcbeb351064119cc58aa669683a49c5e8a70224f3d119ae5d2b4733afc448

                                        SHA512

                                        1db61741988f3c4b4fb44c74fec24fc434704106c6bfcaca509228caa116d436875d2aa47a6c581d5ff2edb001a663672af962b00ee66ace7ee447fa5509a3bf

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

                                        Filesize

                                        7KB

                                        MD5

                                        5b19fa146a459cc55463b993b026f5c0

                                        SHA1

                                        4d3d97344b7a24a01d29c9b9e0bd8b201ea27a92

                                        SHA256

                                        a818dc87b4f43c065ca6e8cdd956dab913ac905982a3411759b368930d52b9b9

                                        SHA512

                                        114e03fe1c9221dc49ffe7fca3ac217c81301d1cb50a7b5b4f65e11976c250b3bc979434638e8948810e8946ead3ba98d5cbd6a8673f9f49a6340e2e24efc860

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js

                                        Filesize

                                        6KB

                                        MD5

                                        5fe8c04b8e82870f56301a1cddaa90c8

                                        SHA1

                                        aad4dc1b2cc58bcfdcfd0470218fc220ffa84b9a

                                        SHA256

                                        64715bdc5282bc80b079388db23e20679542b4f93066bdcd7f4790f99d8105ad

                                        SHA512

                                        8c5d8e6f3da17118d7e03abfbf32b9f36ec2b2d8f976b5e51714311c60a19ccca4e4814809341c25fc23cc20f5265072fbc41a275b7583b59a5cd431300fc0fe

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs.js

                                        Filesize

                                        6KB

                                        MD5

                                        a93420c82d5dfe7042748d3bf371902e

                                        SHA1

                                        2eb0b83ad64f7984f63867832418f4ef31e6ab4e

                                        SHA256

                                        e63d3cdf06214b1160ac64a634e069a1acc26892390adba5b36ca60ec2b8d920

                                        SHA512

                                        0a78906cd9c8f7c2e3c205548a8bd3dbd8e9ee2502cf51c34e6930f5159dcf82b71081ac347802cca622e8ddb639ed8659730f4cb1bc549bcd741185791c979e

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionstore-backups\recovery.jsonlz4

                                        Filesize

                                        4KB

                                        MD5

                                        a87fdd5e3ba89a5fa25d3e19e997d4f3

                                        SHA1

                                        dd40c296e3acc849b8c2bf17655a614749260777

                                        SHA256

                                        fc117e407538483c8d9ec8f2a84af454952ceaf48758182c26563ffb2dda09a1

                                        SHA512

                                        3e1577821e6110bba6a024e83da3f7426f590513ff688e0032535a2ba0bd804132b66f8cc877fa080975cd58e1870372daca64e0a2943d1a7c27050e540adfd2

                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionstore-backups\recovery.jsonlz4

                                        Filesize

                                        4KB

                                        MD5

                                        adc264babeffebe7598f11894a7d295f

                                        SHA1

                                        f843287c0305d612654c9cd093d199f46e7555ed

                                        SHA256

                                        48d10cb98a2553ccfa4fffa3768230ff4925097bbea9e5738eadb027c6334baf

                                        SHA512

                                        17c335ef2349714545a63368363cadb0ce7fc670bcb72d2d57ae236394541d85f05d43ca4d4c376be34e5b86b380a3413478129582605470e60bb672eebce904

                                      • \??\pipe\crashpad_752_EPFTYPEBXTUJFYNQ

                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                      • \ProgramData\mozglue.dll

                                        Filesize

                                        593KB

                                        MD5

                                        c8fd9be83bc728cc04beffafc2907fe9

                                        SHA1

                                        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                        SHA256

                                        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                        SHA512

                                        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                      • \ProgramData\nss3.dll

                                        Filesize

                                        2.0MB

                                        MD5

                                        1cc453cdf74f31e4d913ff9c10acdde2

                                        SHA1

                                        6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                        SHA256

                                        ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                        SHA512

                                        dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
