Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 06:57

General

  • Target

    b0abfe65f6de9238e3b03b6d5e115706.exe

  • Size

    1.8MB

  • MD5

    b0abfe65f6de9238e3b03b6d5e115706

  • SHA1

    217ab85c40c8b968fd5193eaba20b841bb09e891

  • SHA256

    64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb

  • SHA512

    87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c

  • SSDEEP

    49152:Zy/ZdetC0vIdbKfBe/k00cvmp566B2Bi:A/ZdetCdbKJeBp+p566Ik

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe
    "C:\Users\Admin\AppData\Local\Temp\b0abfe65f6de9238e3b03b6d5e115706.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4920
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCFBKKEBKE.exe"
          4⤵
            PID:2524
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJJJDHDGDA.exe"
            4⤵
            • Checks computer location settings
            • Suspicious use of SetWindowsHookEx
            PID:780
        • C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe
          "C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2348
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4612
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              5⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1456
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a30d9d-90dd-4313-86e3-12dc431936f2} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" gpu
                6⤵
                  PID:3020
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e2cc0ab-3e4e-438d-8923-f0187707e339} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" socket
                  6⤵
                    PID:1876
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3308 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2f735f-d5a0-4add-ab9a-fca7c62fdc12} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
                    6⤵
                      PID:1112
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1272 -childID 2 -isForBrowser -prefsHandle 3840 -prefMapHandle 3804 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0160328b-eb88-455c-ab90-7f186ffece5c} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
                      6⤵
                        PID:4024
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acae76a3-344e-4463-9868-356f9156da4d} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" utility
                        6⤵
                        • Checks processor information in registry
                        PID:3092
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6186735c-d288-4169-894e-87f99fea9624} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
                        6⤵
                          PID:4600
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f489f45-ecf5-43f6-a7af-7f80bf7f82a0} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
                          6⤵
                            PID:3832
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5748 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a1469da-7e1e-4536-a265-920cdfd4ffe7} 1456 "\\.\pipe\gecko-crash-server-pipe.1456" tab
                            6⤵
                              PID:956
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4492
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3172

                  Downloads

                  • C:\ProgramData\mozglue.dll

                    Filesize

                    593KB

                    MD5

                    c8fd9be83bc728cc04beffafc2907fe9

                    SHA1

                    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                    SHA256

                    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                    SHA512

                    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                  • C:\ProgramData\nss3.dll

                    Filesize

                    2.0MB

                    MD5

                    1cc453cdf74f31e4d913ff9c10acdde2

                    SHA1

                    6e85eae544d6e965f15fa5c39700fa7202f3aafe

                    SHA256

                    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                    SHA512

                    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\activity-stream.discovery_stream.json.tmp

                    Filesize

                    21KB

                    MD5

                    fbd17f2379497865d3192df4b37e79de

                    SHA1

                    5388ac93add7d36396c83b3d5ac226ee11d6b8d4

                    SHA256

                    d1bf921a657843c79965b7b62d724c3dc2131b2115b9a5a718a7bd2bc9d758ee

                    SHA512

                    4404ccad01ee27c86dda5a1062333f51a32f3053a0503967d683f4f0adfe23ccfba25d7cc3a58f4c4e35159cf93f79775fc59a864a4d50be29a0698aa3b898b5

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4cs2motb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                    Filesize

                    13KB

                    MD5

                    1d70bf93e4083674d855926eb723695e

                    SHA1

                    0e18bb0a47bb34fbd87d935e50e35e85ce747a0d

                    SHA256

                    f0819da6da19816cf54f8f93f95407d028eb7e083285fd21d7d1cf1afbf5c19b

                    SHA512

                    7a85ea3a864da78b05fc0000719f1a22a3f806b453cafa57fd27ee826058914cb0e2064d2f053d0784d4b094d0a6bb83436223ec913dc5602a3cf86d8f9cc9fc

                  • C:\Users\Admin\AppData\Local\Temp\1000006001\fa37829861.exe

                    Filesize

                    2.4MB

                    MD5

                    e0525803e9e18b3e3a73b6e999b40284

                    SHA1

                    f92b719f6e774c35836a582cff902f3f5f54c6a2

                    SHA256

                    59d115c4f1a0035301f09d9697f988c7f667d0131582dfa7a28990fc02baa086

                    SHA512

                    dbf56d01de700a74c757dee971b146661c93d284590813b7eba336235eb32aae076060f45467a84eb2541db9926a0cdb66af1b8885f7a9c07420ebc58da2c81b

                  • C:\Users\Admin\AppData\Local\Temp\1000011001\c5d62d3153.exe

                    Filesize

                    1.2MB

                    MD5

                    ba9b2fddc74af8c0091d45323f0dfab1

                    SHA1

                    df227f6f8ed7f146376c53286dccd7c2f5e70ad4

                    SHA256

                    7b4b96aba97bf47462ed86bb7a3dee58092352428a8aa0afc0453d28490054f8

                    SHA512

                    7f83f5805ac0dc37d71b945732475f239cf56c03ec49a5e0fd759d84d5b545ceff1d9ab845cc33250898246bc14368a7afb5b7b05b9e8ca2c7cab328a5e6b10e

                  • C:\Users\Admin\AppData\Local\Temp\HCFBKKEBKE.exe

                    Filesize

                    162B

                    MD5

                    1b7c22a214949975556626d7217e9a39

                    SHA1

                    d01c97e2944166ed23e47e4a62ff471ab8fa031f

                    SHA256

                    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

                    SHA512

                    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

                  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

                    Filesize

                    1.8MB

                    MD5

                    b0abfe65f6de9238e3b03b6d5e115706

                    SHA1

                    217ab85c40c8b968fd5193eaba20b841bb09e891

                    SHA256

                    64d60ef089b79cb8815f8d802b23f5ac7179e02b85bde8f71afb7658221aedeb

                    SHA512

                    87b8ca733d9ca2909b022a6b891c84833b240d9d3ab0c5e4af5b8aa099084e462faa7db7f784d89ceb525edde1497fa40b98ee1127429453cf95d2285703718c

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\AlternateServices.bin

                    Filesize

                    11KB

                    MD5

                    ea17b1aff1cbe6734592db4331a6f1dd

                    SHA1

                    6f8ce03053b18bd18801099f467ddf4282e67fb7

                    SHA256

                    bdafbf821ee36beee2bad91da5a0e177da20c05a3687ea266561a61558079491

                    SHA512

                    3e93af89b116a8d86eaa5297003fd9b731c1ec4c32a21e3d1f61415e0aebb8cc0259430a31b89afd34c3d7653e08cb535dc57a2577214e70b36e073298963399

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\cookies.sqlite-wal

                    Filesize

                    256KB

                    MD5

                    d7fc50cf1f2f048c172a4e9af9310d7a

                    SHA1

                    a997d894331831fbf7c47deddf96e2790f23e6a9

                    SHA256

                    011c38b836293164508af64cd753372bb8ea496e5b7c2afcb6a1a644c4708716

                    SHA512

                    ee23cdb65b80871f9059c2e88c6f6be925023b88a37e9db67ea3307230426247e2554a5e5d2f1adc5ef46eb4697c4bec24a844d0c429fb4028035ded561e7b51

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    5KB

                    MD5

                    ab2764dd8f892b627cf2870116426d98

                    SHA1

                    5fe4af6c09710db95ff5314c8f57f06062eae1e3

                    SHA256

                    3b25fbc1f54ee590bb614d3eacd57fe8ef9c6f325621c511206f6be792e9b40b

                    SHA512

                    d74d2b7fbe774f516ec5cfd6ab3bfcba7a18105c1c111ba20a51540dfcd0d9699cb80b677e156424112d188bfdae7c511312a2489692b0e250606086a69a7935

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    6KB

                    MD5

                    411d6e48e3d15d717529d0937b3a8ff8

                    SHA1

                    cdbc02caaac929061489216588b1312057f74f8f

                    SHA256

                    70a837a1b0d4f3283b35409df3170c53481293b5ec3721ba0823f57f91d8bad4

                    SHA512

                    40b44be8f382e593ec03aa3b305867371d75eed3e5e1c7ba378fa9b26e61ae056132d779279b62996c47aa28c848486cf1c389862b8e6c1bfedefbf9c0fa53fe

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    16KB

                    MD5

                    10daa2fdd91dcb164716f987de96df19

                    SHA1

                    1691dc514679fe05a2f98cdf20d4abec87492697

                    SHA256

                    109632a20fae73f92f1ada54e4987914fd9145dab46aa9a95e73e569000414bd

                    SHA512

                    fb86e8f31d1a618dbafe5b5fad6beab809bf94f671baf47c3dec1452d551017a86907a6deaec87446a062d585b5cff061368ba5d320a2e2ecd4fe5fa01fe02bd

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    16KB

                    MD5

                    52f91584edd12db724e711836beb9292

                    SHA1

                    5444ffd12931d96d536f13d5a57a22439dbfd45e

                    SHA256

                    43c1501e05bcc992cbb8fcd75242d29804240da7678f93952807002fb0ffffa3

                    SHA512

                    90a7767bf1a900efec06c5dad533dd3cf81b6c986de3925bbe392e14c356a864d8b4cb0b3a7f7e16725d0a8f603ac79d6698cd8d6ca5aa018ffe10722d44c472

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\0aef2533-a02a-4f11-9766-105e23402302

                    Filesize

                    982B

                    MD5

                    a196a80fd6638d8ad2080873654ef498

                    SHA1

                    514ee9e9715b814a1a4a3353fc660d86ea9b3db8

                    SHA256

                    9a87968f5b692e720928dd7db900d4dc4e1592b7672c6b7aaa4f1fb9a5ed4e7f

                    SHA512

                    4950c88c454404e9c6820d7f321350bfb0f06a1eeea9208858d359671a8b2acda6292c8496c12c3bf4507392e8688588dc9cf7be19b32df141360a2bdbfda728

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\5ce19d1b-1ffa-489c-85f1-57904f47ae45

                    Filesize

                    671B

                    MD5

                    c7ed9019b11161c35d203894eea2745e

                    SHA1

                    337aa27bd4addca774f19c8c36db3b900cb99421

                    SHA256

                    ea43479cab64731e017dd130e596c922f35a1be7017d2be4419ac1c1b2a5b3c6

                    SHA512

                    f2c39f6c188203c604e0e1d0bebab79e3ee10365f48f2ec0f88b4709c0be8c82e8f4d5f0111bea8d0b3b36e2284d6abeb427ef9c5c1dc3827638425a3bfd1710

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\datareporting\glean\pending_pings\f4eb84c9-5dfe-4261-9dcc-51dc65804b52

                    Filesize

                    24KB

                    MD5

                    77380e908036ddb99aacc1d66fae49be

                    SHA1

                    b6735c270793cb65af2be838120569d1eb7f6aa3

                    SHA256

                    38421f3376301cc718e091c8d783884e92eecc056f086dc12631cb2bd36c626d

                    SHA512

                    1cab780f25a3419de2dbe083855f348004dbe9d1e19e461153982dc51baac8b69ee8370c13d165f697664114e002c9be675b5ec48a0f4e08d9773e1cbb82cf46

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\places.sqlite-wal

                    Filesize

                    992KB

                    MD5

                    f501101059501e1e347a03278417dff6

                    SHA1

                    99d5e6b28da6b4f142483dd4f74d3fed64c32c36

                    SHA256

                    5bd4241b67ff24cec77352e64f158ce744032f0d35ae899d1fb8564dc7153834

                    SHA512

                    fca10eb528fc5acebf288dbb5448b5fb58102b012bcf3342ec0ced75d1a497a9d9e0dcadb29eedd7fe3e4f4d86fe4ee258c0965f2606b76c068baf396cafcd9a

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

                    Filesize

                    13KB

                    MD5

                    4b959cf331ebfb4f099c8c666c2d96fd

                    SHA1

                    f5478583c41cd7747f1d58167dba3dc08d1c331a

                    SHA256

                    2da15fa7cd6b499263473d420001e519b124b4c7f6f87c7db15aa099ec348bb9

                    SHA512

                    2d7a01f533e3d961b8853815380a732903511366cc0723a4442a4cdadbced441e3a2fb017e6c1d5efd07979d833cdcc64da21ee1e61fca244d2a7aab5cf48e3c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs-1.js

                    Filesize

                    16KB

                    MD5

                    9f2e9942fb0d2e1a9a7b715763791f9a

                    SHA1

                    a6bdb52306f98946a52341f19a280ffee1ddb9bd

                    SHA256

                    b6921e8015a58e94fe96122d6fa2f553dd92044981a69bf892084ce24d43987f

                    SHA512

                    700ff60d6ea1da090f03212dc5a162a3a43332a5111dae0292a83cad44c185610053d8647a16acc48f5b69638518e58e8f30d92c6fd1e915b877dd03ac2a3e33

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

                    Filesize

                    8KB

                    MD5

                    b9dc5b2790fa9be73ec939d99e0c7132

                    SHA1

                    aa1a66a6b1b7516598687fe2b5ca00b84d3d7305

                    SHA256

                    b32bbaaeb227f7bd5224e139df406165fec96c3d87b2f05488f3593961388e1a

                    SHA512

                    f1431c9822ab8f4ea9ee8b5fd766ab85806a23b49326105020d8ed5fa1e7a317a3a0d2ca76fe9b491e07285df0271cbe6c16f6e926b6217e51c87518a9fb2759

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4cs2motb.default-release\prefs.js

                    Filesize

                    11KB

                    MD5

                    2687f09dcaca1f9d820acb21eb60091d

                    SHA1

                    3bc9246c724eba8d1f9c950a32b04eb0c73f76c0

                    SHA256

                    18ee7d29efa5fed2da9648fc493409e993e0a61eefc9beea5b761e15d4f395f6

                    SHA512

                    3a3d89c5c924048d79e26939ef19227f91d6e6aa4c25bd444b47386b44003ffb83c229f0bb864a0b20785451cbc34381595a77cd87c2ef574b698b7e8a8c7ef0

                  • memory/212-83-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2695-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2704-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-472-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-473-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-482-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-483-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-488-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2698-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2697-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2696-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2132-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-21-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-20-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-19-0x0000000000DB1000-0x0000000000DDF000-memory.dmp

                    Filesize

                    184KB

                  • memory/212-16-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2691-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2690-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2688-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-2682-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/212-737-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/2376-4-0x00000000006F0000-0x0000000000BB0000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/2376-1-0x0000000077B44000-0x0000000077B46000-memory.dmp

                    Filesize

                    8KB

                  • memory/2376-2-0x00000000006F1000-0x000000000071F000-memory.dmp

                    Filesize

                    184KB

                  • memory/2376-3-0x00000000006F0000-0x0000000000BB0000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/2376-18-0x00000000006F0000-0x0000000000BB0000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/2376-0-0x00000000006F0000-0x0000000000BB0000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/3172-2693-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/3172-2694-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/4492-491-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/4492-490-0x0000000000DB0000-0x0000000001270000-memory.dmp

                    Filesize

                    4.8MB

                  • memory/4920-462-0x0000000000140000-0x0000000000D3B000-memory.dmp

                    Filesize

                    12.0MB

                  • memory/4920-37-0x0000000000140000-0x0000000000D3B000-memory.dmp

                    Filesize

                    12.0MB

                  • memory/4920-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                    Filesize

                    972KB