Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240709-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    10-07-2024 09:25

General

  • Target

    b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe

  • Size

    1.8MB

  • MD5

    b7720b5120de2b14e91e87ecf1969f5d

  • SHA1

    188d865c8c0284ed6f89906e0bcdcd9e61a41517

  • SHA256

    b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce

  • SHA512

    fe10a7db3341da9f15b44e920b5af4a7a9406c0f3cfcb940f44ca4177550e7758bc180d1d98d2c3e7ab5467d0d0bd05811dd90d3f9b9c55f7044d455dfafb595

  • SSDEEP

    49152:PUInpnxB4FZoGHFl+EpZOfyGSUXxeUIIVCu:PJR4FjHJoq5UXMU1z

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe
    "C:\Users\Admin\AppData\Local\Temp\b76d82d0e413c4b7f21f96dbaca8180bbae0dfcdf4bdeba2aef3cb3413bed8ce.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\69bab5dd14.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4632
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"
          4⤵
            PID:2628
            • C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe
              "C:\Users\Admin\AppData\Local\Temp\ECBGIEHDBA.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:4396
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJECBGIJDG.exe"
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:3060
        • C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe
          "C:\Users\Admin\AppData\Local\Temp\1000010001\303a375843.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1076
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              5⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4628
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55757398-c740-40f9-b900-cf52beb3208f} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" gpu
                6⤵
                  PID:4052
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e78c81da-49ef-4aaa-b903-5cab4dd00432} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" socket
                  6⤵
                    PID:628
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3272 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e013341-e3cb-4dec-befb-7751cf82cb5e} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab
                    6⤵
                      PID:3852
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3928 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78b1d5c2-4623-4e53-9bca-8548f62318a1} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab
                      6⤵
                        PID:1824
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4676 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4624 -prefMapHandle 4620 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9386096-f07e-4f3d-b5c7-6a98def23492} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" utility
                        6⤵
                        • Checks processor information in registry
                        PID:1404
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a7a0525-1949-4466-a1f4-3766ada3745b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab
                        6⤵
                          PID:5772
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01741602-5351-4d22-a8d5-717607de394b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab
                          6⤵
                            PID:5796
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5888 -prefMapHandle 5892 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32e3e296-b8bb-4be7-996c-9bde2b1d1c1b} 4628 "\\.\pipe\gecko-crash-server-pipe.4628" tab
                            6⤵
                              PID:5808
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4360
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4920

Downloads


                    Filesize

                    4.7MB

                  • memory/4552-2678-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4552-19-0x0000000000551000-0x000000000057F000-memory.dmp

                    Filesize

                    184KB

                  • memory/4552-2509-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4552-2661-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4552-98-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4552-2671-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4552-2672-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4552-2677-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4632-481-0x0000000000090000-0x0000000000C7F000-memory.dmp

                    Filesize

                    11.9MB

                  • memory/4632-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                    Filesize

                    972KB

                  • memory/4632-37-0x0000000000090000-0x0000000000C7F000-memory.dmp

                    Filesize

                    11.9MB

                  • memory/4920-2676-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4920-2674-0x0000000000550000-0x00000000009FB000-memory.dmp

                    Filesize

                    4.7MB