Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10-07-2024 03:27

General

  • Target

    dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe

  • Size

    2.4MB

  • MD5

    77e2f975608c88144f09c2183217adff

  • SHA1

    d54426b5072ad1b974492836fc2ddee0bc6f2747

  • SHA256

    dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9

  • SHA512

    ec03999f9fb5c08aa8c0e9baebeae2c6f17622a9ed4804f1368bc7000dfe39db6b12bc13cb1578eafe983c9deb481ec153837ae461e52db24ac146292ac32e64

  • SSDEEP

    49152:2XLqMXAi8oVUaWDYlK3lgsCC7I1ecAX8HCPeLkPHlgz:2XvAi8o1emKVXCC7I1ebX8HCPeqH

Malware Config

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe
    "C:\Users\Admin\AppData\Local\Temp\dde5350c96db38ab11703a77e742e252487c4cbc3321f95cc73ff3801442f1b9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe
        "C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe
            "C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:5072
          • C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe
            "C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4724
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4472
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                7⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1560
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1864 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19ef8c94-78ae-45bb-969f-c8dfda18db6f} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" gpu
                  8⤵
                    PID:576
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ec785e-700b-493b-99dd-f7bfe3b6b364} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" socket
                    8⤵
                      PID:4988
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3112 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f096d5af-1695-459f-9070-b941e3f3594e} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                      8⤵
                        PID:4276
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3584 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b435edd-a7ba-440a-9f4d-9cf9f75fe159} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                        8⤵
                          PID:2460
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {affb4d18-ee10-4b6f-ba5c-b7f2ef2eb20e} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" utility
                          8⤵
                          • Checks processor information in registry
                          PID:820
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5364 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2547d020-ab8d-48a1-9b4c-57010002cb65} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                          8⤵
                            PID:4136
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40559c30-1ec4-43ac-afc0-99fc51d33c73} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                            8⤵
                              PID:1068
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5808 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9b40fc1-957c-46a0-990a-8a365ff7476a} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" tab
                              8⤵
                                PID:3760
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"
                    2⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:3156
                • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4540
                • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3640

                Downloads

                • C:\ProgramData\mozglue.dll

                  Filesize

                  593KB

                • C:\ProgramData\nss3.dll

                  Filesize

                  2.0MB

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\activity-stream.discovery_stream.json.tmp

                  Filesize

                  20KB

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                  Filesize

                  13KB

                • C:\Users\Admin\AppData\Local\Temp\1000006001\91089f9834.exe

                  Filesize

                  2.4MB

                • C:\Users\Admin\AppData\Local\Temp\1000010001\2501ec70f1.exe

                  Filesize

                  1.2MB

                • C:\Users\Admin\AppData\Local\Temp\KFIJEGCBGI.exe

                  Filesize

                  1.8MB

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                  Filesize

                  479KB

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                  Filesize

                  13.8MB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\AlternateServices.bin

                  Filesize

                  12KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

                  Filesize

                  23KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

                  Filesize

                  25KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

                  Filesize

                  25KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\db\data.safe.tmp

                  Filesize

                  22KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\7afcd1f7-c67b-486b-aa81-a52e2ed85751

                  Filesize

                  659B

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\datareporting\glean\pending_pings\8393e8ee-d98c-466b-88c5-3fad8f84961b

                  Filesize

                  982B

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                  Filesize

                  1.1MB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                  Filesize

                  116B

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                  Filesize

                  372B

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                  Filesize

                  17.8MB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

                  Filesize

                  10KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs-1.js

                  Filesize

                  13KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\prefs.js

                  Filesize

                  8KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                  Filesize

                  864KB

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ywkpx7r6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                  Filesize

                  1.1MB
