Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-07-2024 06:09

General

  • Target

    d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe

  • Size

    2.4MB

  • MD5

    08c7502b3315ce651b6b57849c1d7308

  • SHA1

    25d8366a04fca7105e7c38eac267ab787456f8c3

  • SHA256

    d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4

  • SHA512

    d3b352b9bcd49b4ee412fd43c5bd6be752083f4dfc20c0cf31f48003b28a9ef7171290ffbb47b8d31714afa945db78a2b4911d5963c2e63533e3bb66947bd64d

  • SSDEEP

    49152:JZtQ7s/0xcupfZA9HtWtVvFqFn3rmtJMNo:J0rfZQstaFbSQ

Malware Config

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe
    "C:\Users\Admin\AppData\Local\Temp\d25e817eee335c0f2baaf75f39e40ac410fbbfb2089d20f604718ccf053e27d4.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:976
      • C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe
        "C:\Users\Admin\AppData\Local\Temp\EGDBAFHJJD.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
          "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4396
          • C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe
            "C:\Users\Admin\AppData\Local\Temp\1000006001\b900859885.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:1728
          • C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe
            "C:\Users\Admin\AppData\Local\Temp\1000011001\73672817a3.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2740
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                7⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1852
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 25755 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a60cd2e5-63f4-43fb-8174-e93242540a1a} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" gpu
                  8⤵
                    PID:1624
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 26675 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b04f0160-2f35-47ba-ad0e-c657ce211931} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" socket
                    8⤵
                      PID:2140
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 3176 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc167505-6587-4656-b990-1080a2971162} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                      8⤵
                        PID:4764
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3960 -prefsLen 31165 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de49b3a3-e65e-4601-8ce6-91af482fb4e6} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                        8⤵
                          PID:3592
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4644 -prefMapHandle 4684 -prefsLen 31165 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ed6ba39-868e-4b41-93c3-07b7af8825bf} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" utility
                          8⤵
                          • Checks processor information in registry
                          PID:5072
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d69594ba-4714-400b-8c2a-604009b6aca1} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                          8⤵
                            PID:5624
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54e1a3a5-6ced-4202-bc76-b218c1fc4403} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                            8⤵
                              PID:5636
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2db10508-9afe-4fa1-9d9a-9c22818d5e73} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
                              8⤵
                                PID:5668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIEHIDHJDB.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      PID:552
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4464
  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5048

Network

MITRE ATT&CK Enterprise v15

Downloads
