Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-07-2024 23:30

General

  • Target

    60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe

  • Size

    1.8MB

  • MD5

    e8dd22ee36d1c52d657cf17d1cb7d3ef

  • SHA1

    173c7859c41f254327d08351f17569b2ee6b9e00

  • SHA256

    60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16

  • SHA512

    37636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9

  • SSDEEP

    49152:HACzJXxS01BWoKVESFSdpbgdPisfJ4jChX:HACJKESFSPbCqa+k

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey
    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  • Stealc
    Stealc is an infostealer written in C++.
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  • Downloads MZ/PE file
  • Checks BIOS information in registry (2 TTPs, 10 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Checks computer location settings (2 TTPs, 5 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (6 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 5 IoCs)
    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  • Loads dropped DLL (2 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • AutoIT Executable (1 IoC)
    AutoIT scripts compiled to PE executables.
  • Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Checks processor information in registry (2 TTPs, 10 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe
    "C:\Users\Admin\AppData\Local\Temp\60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2432
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe"
          4⤵
          PID:2520
          • C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe
            "C:\Users\Admin\AppData\Local\Temp\CGIJJKEHCA.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1124
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGIIDHJEB.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of SetWindowsHookEx
          PID:1064
      • C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe
        "C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4184
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af82c4f-dbd3-4b34-b0d8-69db2fb9c062} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" gpu
              6⤵
              PID:3668
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee9cc94-a1d9-4625-9748-0912c57b16ab} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" socket
              6⤵
              PID:4516
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 2920 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {045eb3e2-5cbe-4db7-abea-960fafd8448c} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab
              6⤵
              PID:4344
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4040 -childID 2 -isForBrowser -prefsHandle 4036 -prefMapHandle 4028 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06d1ec9a-fca3-4bfe-9269-e1d1d68aef61} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab
              6⤵
              PID:2532
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4172 -prefMapHandle 4456 -prefsLen 31274 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73f6fc1e-da7e-4ca9-88b0-faee7a923d59} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" utility
              6⤵
              • Checks processor information in registry
              PID:5364
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5456 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4156f9dd-adea-43af-b51d-72bb40ed3682} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab
              6⤵
              PID:5976
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a8961b6-e0f3-4be0-9059-bd4632f911e6} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab
              6⤵
              PID:5996
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 5 -isForBrowser -prefsHandle 5792 -prefMapHandle 5796 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7bfa27b-8085-4a22-8d80-32fe4556d8d0} 4184 "\\.\pipe\gecko-crash-server-pipe.4184" tab
              6⤵
              PID:6008
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3156
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5860

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\JEHIDHDAKJDHJKEBFIEH
    Filesize
    8KB
    MD5
    434d87c659473e5e24e851770569ee51
    SHA1
    e6b005ddfebacfac7c9d77f031a71120ce19e4af
    SHA256
    31baeae197360e57ae8053a1a578b49722e60928c0dba5fbd975ee173cae9b80
    SHA512
    f5aa547c3b01829d11d35c571b403f1e713a33b2ee566180709ec2ec8d077a10b1bee89364e7f7564c2f36c086cbd7d29a13a88ccc3b6b2d04cd721ace55bfdf

  • C:\ProgramData\mozglue.dll
    Filesize
    593KB
    MD5
    c8fd9be83bc728cc04beffafc2907fe9
    SHA1
    95ab9f701e0024cedfbd312bcfe4e726744c4f2e
    SHA256
    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
    SHA512
    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll
    Filesize
    2.0MB
    MD5
    1cc453cdf74f31e4d913ff9c10acdde2
    SHA1
    6e85eae544d6e965f15fa5c39700fa7202f3aafe
    SHA256
    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
    SHA512
    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    18KB
    MD5
    82a1d19edd293611329e5581b088b195
    SHA1
    3c630ea73ff5f234a1323ad175037bd280c14a0d
    SHA256
    f9850b3b3609b91b5deacca2e886f1320df2b2bd0771aea7aacde7ecfa58687a
    SHA512
    d3f06d7ada2139f7437971f674671c7623c2d984209fb83fd361cc0e51c40f9724d3148bafe1eb1070d27ce5bc9323e27c1a0bfec7b89b77f80d5cf6867ad462

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
    Filesize
    13KB
    MD5
    15f2b17506bde73362167f025f1e8150
    SHA1
    bb702bb19dc267976a2ecab02baad25d84a0329b
    SHA256
    4aa3db5a7abdca3a16d2c608cd4997d50e881da715b4e15e841f24da25a7e502
    SHA512
    1e55118eec3afe7354d12c840025e2c5cb45a03b748c35a0e73a8318d6e339a542820a1fbe788a0b452206920087c27a1fb1f0b63babfb2751930969ccaf7ca0

  • C:\Users\Admin\AppData\Local\Temp\1000006001\178ac1ea6a.exe
    Filesize
    2.4MB
    MD5
    1552573045f153aa7269a30d3a1dd151
    SHA1
    d07f6a1ffcc0bd98a80ba1d5574425a2bd1d3d23
    SHA256
    d87490fe72c11df8476414b03d613fff99a59894193c25121bde71c745b91c5d
    SHA512
    8301e552f8d1019bfc9e85d6249e329b767b95b7092d537129665d96ba62427b7a806c97b97ce0f314cd34a7675852b3f553519b03304bd12831eafeac446460

  • C:\Users\Admin\AppData\Local\Temp\1000010001\d52ea67c86.exe
    Filesize
    1.2MB
    MD5
    bea6ed281b600eae06be252f581721c1
    SHA1
    25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d
    SHA256
    d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf
    SHA512
    746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    Filesize
    1.8MB
    MD5
    e8dd22ee36d1c52d657cf17d1cb7d3ef
    SHA1
    173c7859c41f254327d08351f17569b2ee6b9e00
    SHA256
    60204402ae1b45560ea0c073244009a3c22ef28d3ee6f1f83842325456327d16
    SHA512
    37636a17778b5bf2d531e20f05601541e6ac4a4e0e973149bd2e4fb08324077dfbab5c1c848b81895f2e657113c5290604ffe6c59e783a3c443827a53e837fd9

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
    Filesize
    479KB
    MD5
    09372174e83dbbf696ee732fd2e875bb
    SHA1
    ba360186ba650a769f9303f48b7200fb5eaccee1
    SHA256
    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
    SHA512
    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
    Filesize
    13.8MB
    MD5
    0a8747a2ac9ac08ae9508f36c6d75692
    SHA1
    b287a96fd6cc12433adb42193dfe06111c38eaf0
    SHA256
    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
    SHA512
    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin
    Filesize
    12KB
    MD5
    781c6671e4bc0a5024a474931fbf7697
    SHA1
    a80fc7fb084e0ac6cf5f26079fc13dba10ead0d7
    SHA256
    f3ddbf732cb112043ef6be490167ceed5f21fd7a90121f9975f6be1eda64c2bf
    SHA512
    52b063aed1063597f0df486f95786dd16c99ab6b89f6a81caf1b908d0ecdc062d39b6496659ee33b7439f6fe438f38a3a93756906f7fa8d8a64e0ce029905e0c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
    Filesize
    22KB
    MD5
    5e2939e96fa32e46c4bb64a5b5efdf48
    SHA1
    264ffba6ed02976f73a1c862c57814dec9d74998
    SHA256
    9e845be58961afb6b48944161125fe82583a91dbc442da9e8ff337b0fe5e4cf8
    SHA512
    3c558f0b0f28695880ea888ae16636fe6e30cf29803fee87b247013be4e83448859174d7f3ddef45219211a1363415f2dde43d03c218e66edabb0e4d83559c19

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
    Filesize
    22KB
    MD5
    bdad636145d8f010a0b42aafa309585a
    SHA1
    5ded8b3b4d78f520a1c9b3f1b06175933e2792e0
    SHA256
    cad2686cdfc918cb20670c6f0be979988f18a101b7d17deb1c426c1e8c0d04b9
    SHA512
    8a6977f7796f6b8ffb93a5a48ed8a65d767b12962c74b0aa028145b683db3d2cd1178d7688f9d5197f6e9a238093c7ce2124fcb744765be011515040669735b9

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
    Filesize
    20KB
    MD5
    335e8e51ec7d6c6c94f169af6d4a1192
    SHA1
    143775501c7e44f5511f68a35632360ae677dcad
    SHA256
    14e4ba058eec572e45131d0faf22cacf4d2e3bd103b1c7eeec9e015de03db334
    SHA512
    c651b12ba97abf12527d86549f6d8e5d7ab62d2e404665c883aa8a7026fcd4fba307d8d115c718dc2afd0382933be6b5f19ca8eab97baa865c9ce5e6d1f9774d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
    Filesize
    35KB
    MD5
    a948fc61cc8eafdc13081b50c3937af4
    SHA1
    a90a094362ca3e1cf22cb9d8c0c967f32fb77aac
    SHA256
    11f98e813795ef083e28a9d6b8b0095e88cf1efe749c91d349ec7f2a66f181a7
    SHA512
    15abb054c4ad87294546a2c52e2ac0ee9db30a7f07b823dae7c59e592b41f2a562e1007720bbb32d30dead863b7bbe8b696e55baafaa84301ca3bc76455a8377

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
    Filesize
    25KB
    MD5
    0c263731b3244689974edd7d40d293a7
    SHA1
    836e8f271d1876a71f3cafbe985afc2ea1db2e5e
    SHA256
    feb555bf4f1a88be5a8a6a402e4318d85598440a96dc13a78967a1ab0fffa677
    SHA512
    d9a2e75c8f79e2e877d382371861800423a2f7f7964bdde9307a1c74d74d9f0215c67f5d27fcf938ed6762b7f9183a39f99c7dad38c8103a2e5a9c25038ed4b1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\4deca54a-ee15-477c-9f8f-a5efb0146ce1
    Filesize
    659B
    MD5
    2cc4d3b0efbc7773e2562e7d53ba2e2d
    SHA1
    63a5849757f410dee6f3f4d00e6cafc723d58238
    SHA256
    877c95d8633196f3d98bb600da327300a51706126783814399b989f25a97d1a0
    SHA512
    1879a98e720ed7fdf165eb282751a9fd7d737f0fe33965596799287c3e04a773949c0254cc31e2fd08d4a78b8c5ea2baf769096bc7f8731f7860f3a32637972d

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\ca97463f-d196-4e61-a32f-c536bdd7a471
    Filesize
    982B
    MD5
    037029813691f331c8c4fc1a7c7a1111
    SHA1
    89d540b0a690a88c5d041a3efefafc5d56c2af29
    SHA256
    7f9ef744a36d027f6474aef1255bc3084462eaf92361657180e01dd35e35b123
    SHA512
    d4c1018b357c50d877f92c5e9839c39843bd1727b632d7f8d7ff9e864e46adc206deae0c70a03c1852846240f957d5aac811c11e24ad4ef87f6cbfffb202c3da

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
    Filesize
    1.1MB
    MD5
    842039753bf41fa5e11b3a1383061a87
    SHA1
    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
    SHA256
    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
    SHA512
    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
    Filesize
    116B
    MD5
    2a461e9eb87fd1955cea740a3444ee7a
    SHA1
    b10755914c713f5a4677494dbe8a686ed458c3c5
    SHA256
    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
    SHA512
    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
    Filesize
    372B
    MD5
    bf957ad58b55f64219ab3f793e374316
    SHA1
    a11adc9d7f2c28e04d9b35e23b7616d0527118a1
    SHA256
    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
    SHA512
    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
    Filesize
    17.8MB
    MD5
    daf7ef3acccab478aaa7d6dc1c60f865
    SHA1
    f8246162b97ce4a945feced27b6ea114366ff2ad
    SHA256
    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
    SHA512
    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js
    Filesize
    10KB
    MD5
    edb8b9c4851e10459faf897112bf4a57
    SHA1
    7593db7bb48fd49ad79384819732d22744b8d220
    SHA256
    597591720b049c716cd1e3a6213ecdfbcf9faee4304de1abf490a6c2139feaad
    SHA512
    530817920a5df22878131585670f6fcda2086cd71728cfab49aecc852afcafd7a0cad23c3de40f4c032b2600e45f8f5854d29314cffeb193e38a4b7107d18e54

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js
    Filesize
    13KB
    MD5
    adf0c8b6192ed27a57d6356a86169f56
    SHA1
    eae0ad7a968babe081449d75f2376efac640cf6b
    SHA256
    d3f40ae1554c1a7ee3e9fc8b0cf8f7d3b9685cc9bcae9d4331b35cd9511143a4
    SHA512
    535f2c8b642ffe4530711af39ebed3603e2f81531a62cbee25999144ccb86379bd64e1c5d3be828cf961b9e297a55d3a3f53e52927fc2fe80e077dbe090c6230

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
    Filesize
    1.7MB
    MD5
    0185b20ed1cc6ded132a0aacdff6e86d
    SHA1
    df519aa070aaf20ac7c5f9146e47451e4a26a874
    SHA256
    9f4b39086adcd77f1d4b59ae07a510c23080c495fcebf19e9157be7aba1d6ac5
    SHA512
    9bfe9698a47914aea081a2126672b6fdd0f95dfbbd33316592417baf90e160f5d1bc2947501a603ac6a4c429fde48d424300e2d9de9ae182e68fb1cc8b99826d
  • memory/1124-438-0x0000000000840000-0x0000000000CF9000-memory.dmp
    Filesize
    4.7MB

  • memory/1124-442-0x0000000000840000-0x0000000000CF9000-memory.dmp
    Filesize
    4.7MB

  • memory/2432-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp
    Filesize
    972KB

  • memory/2432-434-0x0000000000440000-0x000000000102D000-memory.dmp
    Filesize
    11.9MB

  • memory/2432-36-0x0000000000440000-0x000000000102D000-memory.dmp
    Filesize
    11.9MB

  • memory/3156-723-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3156-843-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3444-15-0x0000000000E40000-0x00000000012F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3444-1-0x0000000077774000-0x0000000077776000-memory.dmp
    Filesize
    8KB

  • memory/3444-2-0x0000000000E41000-0x0000000000E6F000-memory.dmp
    Filesize
    184KB

  • memory/3444-0-0x0000000000E40000-0x00000000012F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3444-3-0x0000000000E40000-0x00000000012F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3444-5-0x0000000000E40000-0x00000000012F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-19-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-453-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-452-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-16-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-20-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-102-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-722-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-443-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-449-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-464-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2136-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-18-0x0000000000241000-0x000000000026F000-memory.dmp
    Filesize
    184KB

  • memory/3552-2618-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2624-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2626-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2627-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2644-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2629-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2634-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2632-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/3552-2633-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/5860-2631-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB

  • memory/5860-2630-0x0000000000240000-0x00000000006F9000-memory.dmp
    Filesize
    4.7MB