Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10-07-2024 12:05

General

  • Target

    3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe

  • Size

    1.8MB

  • MD5

    28f7e2ed3725fc403099eac97c08b136

  • SHA1

    5e45a160f6d74cb14bf52809d51495a2f4925445

  • SHA256

    3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17

  • SHA512

    b1216a69c0a995ad953ad8c43f2d728c02518de54dfadd8be9b6f8045de8a37b85abfbe771815c16f97906ac9f0edede39877d2f1b53128a5761044339dfc7c9

  • SSDEEP

    49152:JCjuI8Df/WYdprZRE0bxfkdIdUqmMHuH46jJRolBbMBPw+DvB:JCt8D7BZRE0lfwIeqmMc46jJylpMBo+D

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  • Downloads MZ/PE file
  • Checks BIOS information in registry (2 TTPs, 10 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (6 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 5 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (2 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable (1 IoC)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 10 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe
    "C:\Users\Admin\AppData\Local\Temp\3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1612
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"
          4⤵
            PID:1800
            • C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe
              "C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:3600
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBFBFBFIIJ.exe"
            4⤵
            • Suspicious use of SetWindowsHookEx
            PID:2776
        • C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe
          "C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:660
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              5⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:356
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e65fe856-43a1-4dbe-9f13-4c08fcdcac2b} 356 "\\.\pipe\gecko-crash-server-pipe.356" gpu
                6⤵
                  PID:3024
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2df2cc13-f3b8-4183-b825-000aa57260c8} 356 "\\.\pipe\gecko-crash-server-pipe.356" socket
                  6⤵
                    PID:3560
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 1320 -prefMapHandle 2828 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5568ecb2-2ed2-403c-b5aa-5ad8c4bb8f83} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab
                    6⤵
                      PID:804
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3944 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f11d7ef0-c24c-4728-a423-520c1a5999ec} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab
                      6⤵
                        PID:2216
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4768 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf81e2c3-20c7-4fda-bab8-66742c513ebd} 356 "\\.\pipe\gecko-crash-server-pipe.356" utility
                        6⤵
                        • Checks processor information in registry
                        PID:5072
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5540 -prefMapHandle 5448 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d80846c-7b80-4734-b9f9-b0cb4a394962} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab
                        6⤵
                          PID:3808
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5012 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70879cce-8e77-4d76-bf1c-5baa2d8e324f} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab
                          6⤵
                            PID:3112
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5864 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc4f225-355c-48a9-809d-c207abcabd6a} 356 "\\.\pipe\gecko-crash-server-pipe.356" tab
                            6⤵
                              PID:4768
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3256
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3548


Downloads

                  • C:\ProgramData\BGDAAKJJDAAKFHJKJKFC

                    Filesize

                    8KB

                    MD5

                    11d2b57744586d6365230101ef4b52a2

                    SHA1

                    92e886800c6d642d791fdb5f37cfd6e675aac528

                    SHA256

                    e312b61d4706d15a27d0a803e5df28a3ca9d6ccd0c0363395b5dead56ec627ca

                    SHA512

                    002a4ff12861f0be8761170f9f14cd6bf53e1063be5fb237a640b0b195463f631a4b9b7cd16f7922dd66255219bd4adac4307b7d3ab66a64f342d4a49a5570d8

                  • C:\ProgramData\mozglue.dll

                    Filesize

                    593KB

                    MD5

                    c8fd9be83bc728cc04beffafc2907fe9

                    SHA1

                    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                    SHA256

                    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                    SHA512

                    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                  • C:\ProgramData\nss3.dll

                    Filesize

                    2.0MB

                    MD5

                    1cc453cdf74f31e4d913ff9c10acdde2

                    SHA1

                    6e85eae544d6e965f15fa5c39700fa7202f3aafe

                    SHA256

                    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                    SHA512

                    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json.tmp

                    Filesize

                    18KB

                    MD5

                    0d1567e37371e8c42a3736155a4b3c95

                    SHA1

                    a277edbc77dd5c3e456dd4c6c62e58e03eddbe1b

                    SHA256

                    3f9c8fe92482ca15372254c37abca7ce023adfaf0fc111c23f1a6f06a7d81d72

                    SHA512

                    9d8e78ad41b886404723cc2b6c81b17bf714f37d1a9b3f53c590a44d319f5fa3aae8cbafdfa0d5de0e80bc3c6799319dae52e114a1b6e23b6c226f352ece0f84

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                    Filesize

                    13KB

                    MD5

                    4f54b738b67db809ad31228cd77ce8b2

                    SHA1

                    623733080b18fab59c20d668bc6445a66c4bd649

                    SHA256

                    7dee406f42de3dccf5a106deb7c269aa963f8f0a119e13edc80845a8842bc830

                    SHA512

                    32743e8296468c1d90964b09ea9310f8477683160ef873408d412987a2d5d06e321fd87dd5873ce25efbde7a8b1cfda755b26ca732c98a97e9729043bb807082

                  • C:\Users\Admin\AppData\Local\Temp\1000006001\d20367d2aa.exe

                    Filesize

                    2.4MB

                    MD5

                    20fe4b16d13a547a5d7f4dbf543b595a

                    SHA1

                    3c59aca1c693efb9923f04c312fdcd47388d24eb

                    SHA256

                    9be8bf8f01c3b2f8ae295f1fc9be5fe5e05596a80be603d0de23e9a6ddbb5a04

                    SHA512

                    c502ce3049137646c47898640197641696f2421a66aa67fe20df47b51c99e72db64f2c2a4945dafe16c6cb57871d42397b12759b4d779dbdf85225234296b77e

                  • C:\Users\Admin\AppData\Local\Temp\1000010001\3ae5266627.exe

                    Filesize

                    1.2MB

                    MD5

                    bea6ed281b600eae06be252f581721c1

                    SHA1

                    25fae547b4ad0a74bcc0bdf7e819f2c56d8be05d

                    SHA256

                    d18bbfa83202881061743177527c4f1ea0681c658028dd7dd0468f9a8a39e7cf

                    SHA512

                    746a1bcae568caaf399ec8ca393250d6846235296088e22a2c8d80ce290e13d5845d79d7848b4f46adce2dad147b91c3731059b44ce7370f26072c999758bb42

                  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                    Filesize

                    1.8MB

                    MD5

                    28f7e2ed3725fc403099eac97c08b136

                    SHA1

                    5e45a160f6d74cb14bf52809d51495a2f4925445

                    SHA256

                    3e7263c4d3a28991776ac9bd812e605b4018b2883cf22c383b0a8dcfc2ca9a17

                    SHA512

                    b1216a69c0a995ad953ad8c43f2d728c02518de54dfadd8be9b6f8045de8a37b85abfbe771815c16f97906ac9f0edede39877d2f1b53128a5761044339dfc7c9

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

                    Filesize

                    8KB

                    MD5

                    34c27d68edecdd81da16c5b1c1a468d5

                    SHA1

                    55baa6de1190cfbf6ea4dd16d1a2455b2d34d915

                    SHA256

                    8f81604ce4f24f4de4860144875ef68e97dc26a2c9cda22baf70a67e84deb795

                    SHA512

                    e66c949499360bb7d5f90f71eeb8765e43a746752ee6f8f4edd806c7a7576da2feadfb5bb11a1f2647d66613d955bc29ee5f1d9ebff699cfa62f6794b3b4d3f7

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin

                    Filesize

                    12KB

                    MD5

                    514e799fc611385578325c0d7372c2d5

                    SHA1

                    e3289a8fe155d641e421d9e9f6fe6c9664a07eb0

                    SHA256

                    c2023b4321b86f8a6c88a81d68a5579030e9f2fb45c200adb60ac635344ddab4

                    SHA512

                    ad2bb5533da5bca42684694c4f80d0df9b221f1c529f3d5fac5180061e22ddc0f40d98100d684d8de3a341466738d4ca6858546b18ce764b7eed635eea0b9093

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cookies.sqlite-wal

                    Filesize

                    256KB

                    MD5

                    df4d8f6950771432e90641ab30c14a75

                    SHA1

                    94b0442911cd5e97beb99bc9394e8aa42a9560dc

                    SHA256

                    357c5e802c6f3a4e8829fd3e568529905a2f7f2a83a316a71199315d18ebd906

                    SHA512

                    0d59f78790dc2ba18e98246ee64d1655c7633bb4538762ffff15edd3d26a0e4d778f278e7fafa3442e32e3f7d3686a6201dade06fbfa2996c50d582b49a56d00

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    6KB

                    MD5

                    b5f5b803a79b413673345f52df1ececf

                    SHA1

                    fde9310f1fe6849e8ca56515fad752c200c1a04c

                    SHA256

                    5e32cd124917b0703e6e4d41fa9da7787d163394798d95db87a740331c020270

                    SHA512

                    37d545e3929e487f5bb05233d3ef290da0aad2122ea6e0bf6f37e4d7b0ddb8dff757af186e002aec4b1e5f3b70833ad4ab9115dcaf49faac06aad03e724400d9

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    16KB

                    MD5

                    2b95bca39b7a311a71d5c594d85b7bcd

                    SHA1

                    1a36e656c80bdf9594e4922d49b2010e759489b5

                    SHA256

                    c0f9236a1c110bd1b8732b0aa278954d6c0b92ab684d209b61a259f7d9b43472

                    SHA512

                    450ddf05b475a335882147830111d701f8ac3f1d2f533aea3f4b04b861bc2b3e768e2f084fbf283b491d4c67baee22e64124bb6a01930728fe1e3d8ee244c7e2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    16KB

                    MD5

                    174e5497f81c469c231b3d5187312b9f

                    SHA1

                    b86970b48f2875efebccb107c6af2b8c2ae70224

                    SHA256

                    482612ed8e0d37d388750ed90ce082cdb155f038c729a56c8f6f37b685caeac9

                    SHA512

                    4fdd0812f30de1c2f38823599f6d9073be297b6c5df20c28a5e86014fd1b9b91ba4748cc896689b6bcb2c5f8d023050722593b9e1fad5124c372ae5b1455b9fb

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    6KB

                    MD5

                    1da4fa65e29e3ff88337fec0c0559796

                    SHA1

                    447898aa8aa7942ac6b9f2146b34dc86c34222cc

                    SHA256

                    93135e916ea35b419b6b77fa44ce1a3a9dc0b9f9ada28946069fef4787176496

                    SHA512

                    491dffed292695ec7d103ad61253cfd59e43e9d63d91d52fda9001e5e28b803cb5b3c4e623bda3eee670ef66792052980218c56094785423bb7029496395ae7d

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    5KB

                    MD5

                    fc6bf2061728c55f9b9cef712a5fe600

                    SHA1

                    947eb79e5d5464a98165ebf24ccdee20f3e8e0be

                    SHA256

                    a553c2f95bb6b8aa2e24b976698209f5824949c4fb3e85f6362409c9dc5e7678

                    SHA512

                    2ab009b86168cabf3f7a1e9e3e9aa99508675cc595879287667d96bb2a11a2adfbca9075133e4f5ccbdf193eee835a7ac7041b7d871e46d1ca2141caa3855157

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\5dbaf4a3-571a-46b6-a42c-c3c05193d192

                    Filesize

                    26KB

                    MD5

                    8ace1e3e1691212d1a707a9eec78d592

                    SHA1

                    1947d0a0a7ec8d03a7d8233100239cca2af75dcb

                    SHA256

                    1e2e70141838c96412831b57792983d794e45cf40f7a58f3b6f060288a570600

                    SHA512

                    98f5418a782b06cbdcc25a5676990662f13955ce1f003281c153059ce2ee1a270f0f54633c04951ca972df20e4d4c544d81b2c3f80822b9afd7835ee376f100c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\5fb7ec55-bda7-4445-8c4e-bbc1c72b2df5

                    Filesize

                    982B

                    MD5

                    ffd73352ac6f1bfe58715c3df3c2c093

                    SHA1

                    5502cd3e314e5ae1a1e86d67b24fd7b4e6bd2bb2

                    SHA256

                    297fe6b8edae0fb78734b71a6b8905ae1f3b82b5cc32822cac81d37e202ef2d5

                    SHA512

                    fc8f957b3a859432bf8df5e93f0e7e216dd16c947d9fa1bbc4b32a4960ac60e1312059da69efd961786da0e91b0d7d0473a494d29b0eeb63dde1e0f4792128f6

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\6bc64177-c706-441f-b14e-7800957a2bda

                    Filesize

                    671B

                    MD5

                    c97f2fd96e8a99298a89109139337412

                    SHA1

                    83bce20059ec6d0d0209f91d2b47de7e387a61c6

                    SHA256

                    d667da5944436ee582c779f5507d439f1fbe22b86042e901682cc1e8be4e4258

                    SHA512

                    1cc87c5e85bdb4690ddca16c16051ed470aef4281ea1cec6a2bc71015af3fac993abf0cc77257ac38914b2a318e7cce6e3e5f8046a524dc4d1443f389c8fdce1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\places.sqlite-wal

                    Filesize

                    992KB

                    MD5

                    7d4ddae8a78b11965733815d9f3b1362

                    SHA1

                    a774393615c07ea6e95033e823573898cbc76075

                    SHA256

                    106ed87e750d8f7e93fcfeaba3843121b238cfb65c5d5afd9560a7e46064c794

                    SHA512

                    b4b389bab808d8979cf29c73f37d130b75550a35b73836fc2282092f9233236644296bbe4c4ef42189e033f587f0c89abdbfa23fbd3c4761626fd2188b12a4f1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

                    Filesize

                    10KB

                    MD5

                    6e5193da1742716f8daddbb9e272688a

                    SHA1

                    b35a59cf2329111b15138ac207f937ec9c62f02d

                    SHA256

                    93f6f93b9df77bfde4163a6f8a8e3c1d223b9719ea9979d9030bf6fda89182a7

                    SHA512

                    3ffe8f4ae1e9930caa455291c2edbfbd620d86b0b70114e1eba69c7d61acd027c380297d91dab5279609e3ae8944bdbca805ad2615669c09962ed92bd7aa1a5e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs-1.js

                    Filesize

                    13KB

                    MD5

                    89a944291d444e92722623fd7e0a1e85

                    SHA1

                    c1cd11c43464d2dd1e34787378ef533fddeb1158

                    SHA256

                    89656fd07e375493789959600ab63b9da2750243de8032e2169d5a2cc308f42e

                    SHA512

                    7e247c4d635bafd6709a9545456f787729f76e3a73fce67f533f2d12e9d2f319b5fa18439a4fb2cffad77bbb0fe4d5a474e9a96458c5207a9a150427c01011ba

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js

                    Filesize

                    8KB

                    MD5

                    4c8a36cae464b1c78a9ffd50c7aa26b0

                    SHA1

                    f3fd78ce865b765b4c0f2a35a8a857dcbe3e2a7f

                    SHA256

                    37fa81799fce1173d28740ad794b8eb81657d7312d26651b1be4f7983c23f60e

                    SHA512

                    8f3b23be80fcba5414a8d2ef3710a3ec262660863e11d5d921e8563ff4fd6edc8e2f6b49550740d7c4487a7b93e94679ab4cb1eb76162d9a65d8e9dca85756fe

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    1.1MB

                    MD5

                    4e1ab1c808322a4d705686d1ceabefb4

                    SHA1

                    3cc4ad25d86350c6bb973b9db66688392ef5b022

                    SHA256

                    116d5aac43b4f7c02585708a1ba13147fb81ace230a003e58c069b8e4390b105

                    SHA512

                    87e0809af939cdf1223dbd0398eabff8d19dce89d66063a56b25c0f247ed6ae7511a66e6847ee62893ae012474a850e76ccce6813adb3dd0667936b4408d6c7e


                    Filesize

                    4.6MB

                  • memory/5068-498-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-19-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-440-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-1046-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-1734-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-504-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-499-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-20-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-2688-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-2692-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-2693-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5068-2695-0x00000000006D0000-0x0000000000B76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5116-17-0x00000000008D0000-0x0000000000D76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5116-0-0x00000000008D0000-0x0000000000D76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5116-1-0x00000000777D6000-0x00000000777D8000-memory.dmp

                    Filesize

                    8KB

                  • memory/5116-2-0x00000000008D1000-0x00000000008FF000-memory.dmp

                    Filesize

                    184KB

                  • memory/5116-3-0x00000000008D0000-0x0000000000D76000-memory.dmp

                    Filesize

                    4.6MB

                  • memory/5116-5-0x00000000008D0000-0x0000000000D76000-memory.dmp

                    Filesize

                    4.6MB
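A check a triage analyst would want on the dump listing above, added here as an example and not part of the sandbox report: parse the `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` names, confirm that each printed size label actually matches the address range (the report's "4.6MB", "11.9MB", "972KB" labels), and group regions by range and by size so that processes mapping the same image stand out. The entries in `DUMP_ENTRIES` are copied from the listing above (one per distinct PID/range, not every repeat); the reading of the middle number as a per-run event counter and the label-rounding rule in `human_size` are assumptions about the report format. Five PIDs (3256, 3548, 5068 at 0x6D0000; 3600 at 0xAE0000; the original 5116 at 0x8D0000) share a 0x4A6000-byte region, which is consistent with one PE image mapped at different bases, but that is a lead to confirm by diffing the dumps, not a conclusion the sizes alone prove.

```python
import re
from collections import defaultdict

# Constructed sample input: dump names and size labels copied from the
# memory-dump listing above (one entry per distinct PID/range, not all repeats).
DUMP_ENTRIES = [
    ("memory/1612-37-0x0000000000390000-0x0000000000F7A000-memory.dmp", "11.9MB"),
    ("memory/1612-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp", "972KB"),
    ("memory/3256-2323-0x00000000006D0000-0x0000000000B76000-memory.dmp", "4.6MB"),
    ("memory/3548-2697-0x00000000006D0000-0x0000000000B76000-memory.dmp", "4.6MB"),
    ("memory/3600-487-0x0000000000AE0000-0x0000000000F86000-memory.dmp", "4.6MB"),
    ("memory/5068-18-0x00000000006D0000-0x0000000000B76000-memory.dmp", "4.6MB"),
    ("memory/5116-0-0x00000000008D0000-0x0000000000D76000-memory.dmp", "4.6MB"),
    ("memory/5116-1-0x00000000777D6000-0x00000000777D8000-memory.dmp", "8KB"),
    ("memory/5116-2-0x00000000008D1000-0x00000000008FF000-memory.dmp", "184KB"),
]

# Naming pattern used by the report: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp.
# Assumption: <n> is a per-run event sequence counter, not part of the address.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PAGE = 0x1000  # regions in the listing are all page-aligned; reject anything that is not


def parse_dump_name(name: str) -> dict:
    """Split a dump file name into pid, sequence number, address range and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"implausible region in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Render a byte count the way the report labels it (assumed rule: KiB below 1 MiB,
    MiB with one decimal otherwise, unit written as KB/MB)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def check_sizes(entries):
    """Return (name, printed_label, computed_label) for every entry whose label
    disagrees with the size implied by its address range; empty list means all agree."""
    bad = []
    for name, label in entries:
        computed = human_size(parse_dump_name(name)["size"])
        if computed != label:
            bad.append((name, label, computed))
    return bad


def group_by_range(entries):
    """Map (start, end) -> sorted PIDs that have a dump of exactly that range."""
    groups = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        groups[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in groups.items()}


def group_by_size(entries):
    """Map region size -> sorted PIDs. Equal sizes at different bases are a lead that
    the same image was mapped at different bases; confirm by comparing the dumps."""
    groups = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        groups[d["size"]].add(d["pid"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    print("label mismatches:", check_sizes(DUMP_ENTRIES))
    for (s, e), pids in sorted(group_by_range(DUMP_ENTRIES).items()):
        print(f"0x{s:08X}-0x{e:08X} ({human_size(e - s)}): pids {pids}")
    for size, pids in sorted(group_by_size(DUMP_ENTRIES).items()):
        if len(pids) > 1:
            print(f"size 0x{size:X} shared by pids {pids}")
```

Run against the listing, `check_sizes` returns no mismatches, `group_by_range` shows PIDs 3256, 3548 and 5068 sharing 0x6D0000-0xB76000, and `group_by_size` shows the 0x4A6000-byte region across five PIDs; the 11.9MB and 972KB regions belong to PID 1612 alone, which is the one process in the listing whose mapped image does not match the others.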