Analysis

  • max time kernel
    55s
  • max time network
    263s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2024 20:39

General

  • Target

    amadka.exe

  • Size

    1.8MB

  • MD5

    a167734f75b512f5fd225cfba47b3511

  • SHA1

    aa5b54ac5a624e4c15fb848e519efa4fbd9d4e32

  • SHA256

    53083ace2013ee5e0ccfbdc41557a35ba6446d8c999fa5376b16f63197c1bad4

  • SHA512

    47b126308f83f371417965887fbf653f9501d7fd637a0eec380c6250e14947774e899ff77650763bf7cd10aa97837b5779ea4ccd6633dbad0cdff0adbec85a90

  • SSDEEP

    49152:dryQBe+WLSfY0Zg+V1Lxkj54Sx73b0tT9Y:QQ4RSfYqV1LxkFNeF2

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.31

Attributes
  • url_path

    /5499d72b3a3e55be.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\amadka.exe
    "C:\Users\Admin\AppData\Local\Temp\amadka.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Local\Temp\1000015001\92d7d68fb7.exe
        "C:\Users\Admin\AppData\Local\Temp\1000015001\92d7d68fb7.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1716
      • C:\Users\Admin\AppData\Local\Temp\1000017001\go.exe
        "C:\Users\Admin\AppData\Local\Temp\1000017001\go.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6539.tmp\653A.tmp\653B.bat C:\Users\Admin\AppData\Local\Temp\1000017001\go.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb489758,0x7fefb489768,0x7fefb489778
              6⤵
                PID:3064
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:2
                6⤵
                  PID:1964
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:8
                  6⤵
                    PID:2944
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:8
                    6⤵
                      PID:1244
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:1
                      6⤵
                        PID:3044
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:1
                        6⤵
                          PID:1600
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2960 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:1
                          6⤵
                            PID:2208
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:2
                            6⤵
                              PID:2472
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=832,i,15283451314183612700,13868218841774560210,131072 /prefetch:8
                              6⤵
                                PID:3040
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
                              5⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2956
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                                6⤵
                                • Checks processor information in registry
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                • Suspicious use of WriteProcessMemory
                                PID:1960
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.0.548381427\1789534007" -parentBuildID 20221007134813 -prefsHandle 1164 -prefMapHandle 1156 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e9967d7-210d-4240-a16c-bd437f3504b7} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1276 109d2458 gpu
                                  7⤵
                                    PID:2296
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.1.641009817\1015183064" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cb8189e-40fd-4aab-9d31-e47c34361322} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1504 10906b58 socket
                                    7⤵
                                      PID:1800
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.2.37385465\1459903816" -childID 1 -isForBrowser -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c25e3d4c-3b11-4610-b429-e12fc2660da5} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 2152 1999f158 tab
                                      7⤵
                                        PID:2712
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.3.729258046\771875619" -childID 2 -isForBrowser -prefsHandle 2252 -prefMapHandle 1824 -prefsLen 21852 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e00404-f2b9-4072-bc29-b5f65efea560} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1852 109d4558 tab
                                        7⤵
                                          PID:2876
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.4.765297234\1792432603" -childID 3 -isForBrowser -prefsHandle 2188 -prefMapHandle 2588 -prefsLen 21852 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23943481-5626-402b-9f64-41ca84540c43} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 1972 1889a258 tab
                                          7⤵
                                            PID:1648
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.5.872390547\1679605054" -childID 4 -isForBrowser -prefsHandle 2800 -prefMapHandle 2804 -prefsLen 21852 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a555029-728b-4e1a-ac41-28913ab44f30} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 2788 19aa0f58 tab
                                            7⤵
                                              PID:1508
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1960.6.1573330651\611182478" -childID 5 -isForBrowser -prefsHandle 3296 -prefMapHandle 3292 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 720 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8adbaa9b-682a-46c8-a14b-e9e7eed7baad} 1960 "\\.\pipe\gecko-crash-server-pipe.1960" 3308 d62858 tab
                                              7⤵
                                                PID:2732
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:2240

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2a4b3ad8-8333-473d-bbd4-52275d51facd.tmp

    Filesize

    5KB

    MD5

    239c292f1a909b8c54fcb63db2453950

    SHA1

    ef0f0457e5dfdde8ecd74b36ff4459e90a317005

    SHA256

    bb422c407821c764b806e8919f120714d597fc10eb5cd02ceb2a39a4751ab4c7

    SHA512

    ff8b7d2e2c6b34639b47c7ece317d14e49e0e50dcc9d100ffa22b4bab6d99aad0acba8a3d53c800abda85781ef2755ebcb5d560afd4d2051abac9ba53cd59225

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

    Filesize

    264KB

    MD5

    f50f89a0a91564d0b8a211f8921aa7de

    SHA1

    112403a17dd69d5b9018b8cede023cb3b54eab7d

    SHA256

    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

    SHA512

    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

    Filesize

    2KB

    MD5

    3c679320fb8fad3850938b55731dafbc

    SHA1

    080677e6cd9ebcec72a83ce3fa282cec0c2b8740

    SHA256

    b747a0d7ca52f4745b9f6b22ec9058acc7615f6f251b3e69f0bd5ea3aeee8869

    SHA512

    69012662219d8ab0491e5d258f9ccc7a0b0519779c47f88327dd9787d704d533fe42898dc41b67bfa08a7867671e9dfbfe353bea9635bd054acbdb65d73e8c32

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

    Filesize

    2KB

    MD5

    c6642950f906bf41b86ab646126c5a9b

    SHA1

    3675cec8c1d08740d9e26bb927b6f457244e50a6

    SHA256

    e06ada209a5a1a97de6c0fb1e80d10cf3b91d02b0cd764963fd7cbe5e9b0ef8d

    SHA512

    a1790e50b86ff741d2408f0848ac3a6ea1b672b5df68dab83c0fa5add4447ba17c0a91e692e75aa17ff4dfa2a76c939c3b7229a81607de9c352708345bd4a0ff

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    3af51e0db94da69a1bb9ac3e06b77de3

    SHA1

    f4a28a30ddafcd4dfadf08140c7f2c5a5a580ad8

    SHA256

    1196b577bd05b89212c230a2d7ddded224dc0070f00baa6db180214f2de8ec89

    SHA512

    86e7a1884c0978fee24333a28bd0ceb45d7210c3a846023b61d7d543612aac32ad20427f9a5f98a2104c74f8d110c36c24e223954243369a5a9a4aec2703ed79

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Filesize

    5KB

    MD5

    aea8249ad86f839970b5fd792b2aef31

    SHA1

    ea32213e992f3a1d45f53b88ffa4b1d5fe19be27

    SHA256

    fd1fe17026463872009e5730123a51c482b99eded67b4dc1441abc11f2ee225f

    SHA512

    2c807a1af8226df1b53caefa5a99d6922b387f881ad9c5c7cb6d3945805cd77d7e205e2ac72892355f410104eb36a59246d377d96cc283c3dcf200db0c46cb4c

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

    Filesize

    16B

    MD5

    18e723571b00fb1694a3bad6c78e4054

    SHA1

    afcc0ef32d46fe59e0483f9a3c891d3034d12f32

    SHA256

    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

    SHA512

    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzuz3epu.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    25KB

    MD5

    8fabf302550f3ddb35a814920a4bccdd

    SHA1

    a3bd85729e0ea62c1ebeb59347a3841fa580aa34

    SHA256

    a2ce83a903f1c6212b1e1381e27727c8ba530175692fb97aa7df1fc634783305

    SHA512

    dda05c31b00840cc841ac4569da840026cd66e6da0c1f86d904970fa83e2413cff52b118ad3baa35d7856275003e83c4cb9328db44335e0778357e82513f2a1f

  • C:\Users\Admin\AppData\Local\Temp\1000015001\92d7d68fb7.exe

    Filesize

    678KB

    MD5

    d4d2df98497ca423a6d783052fd3f555

    SHA1

    1b2f231e54457b70ec4db0dc828e9f65e35271eb

    SHA256

    764371ece8ac91f60d259804944c191eab2462d3468e73a35454d96da518bf02

    SHA512

    cbffc93253cf8cea7af21c2f8a831a5dc6c899192ac0d8981e3c9bd1380b4899c8302f33d55784dd89feb11347ad4eb32c74fc8716258f91c76890e39d35650c

  • C:\Users\Admin\AppData\Local\Temp\1000017001\go.exe

    Filesize

    89KB

    MD5

    955cd70d3448d43ad703bed723a98765

    SHA1

    1eeedcadaeffd31059647d7732bca344bad85824

    SHA256

    be764de7facd5475b94742d25f340883d8e69f90226aa3826f683c6a40df7b3a

    SHA512

    70d68fb0f44cb55fdb1b476bfd2388180335b09bcba87541822fafc8dea8fc898c3055d20e0be3b1db98035a54ac1b54cc26c28f45368789417cd9ce59ec68cf

  • C:\Users\Admin\AppData\Local\Temp\6539.tmp\653A.tmp\653B.bat

    Filesize

    2KB

    MD5

    de9423d9c334ba3dba7dc874aa7dbc28

    SHA1

    bf38b137b8d780b3d6d62aee03c9d3f73770d638

    SHA256

    a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

    SHA512

    63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

  • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

    Filesize

    1.8MB

    MD5

    a167734f75b512f5fd225cfba47b3511

    SHA1

    aa5b54ac5a624e4c15fb848e519efa4fbd9d4e32

    SHA256

    53083ace2013ee5e0ccfbdc41557a35ba6446d8c999fa5376b16f63197c1bad4

    SHA512

    47b126308f83f371417965887fbf653f9501d7fd637a0eec380c6250e14947774e899ff77650763bf7cd10aa97837b5779ea4ccd6633dbad0cdff0adbec85a90

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

    Filesize

    442KB

    MD5

    85430baed3398695717b0263807cf97c

    SHA1

    fffbee923cea216f50fce5d54219a188a5100f41

    SHA256

    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

    SHA512

    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

    Filesize

    8.0MB

    MD5

    a01c5ecd6108350ae23d2cddf0e77c17

    SHA1

    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

    SHA256

    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

    SHA512

    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

    Filesize

    7KB

    MD5

    b25353bdc6a04d8c5d43af6e5575e10f

    SHA1

    228d3393e5655f0be4fe1065f9cc225c7e3b038b

    SHA256

    5903258b80cbd54e23f7f63e1b7cd9f7589182f9a33128cc2f5f5e565b165646

    SHA512

    11ee13aa78ed43a46ed0cef9c7da53875e2370005cc4b62f133fd9fc739df5850811cce4af638d742aa36914f98f6137447c6c390240f7afe3800350b603ec68

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    2KB

    MD5

    3174009ff185a3b2703863e1924ad8d1

    SHA1

    eecc307337aab73d054be6b94fdb8eeb33b793d3

    SHA256

    9a0340c1f4ce17c8fe61fd76087632a3830ec07d910b1b4f9b90e8b4b0782867

    SHA512

    a6f75f2b16f6805019940120c8f39c90c1df0dc434b0a42f6f097f0c0670764d8ef8171f049e0ef376415b579ca0c02c6dfe5c352107e854ebaba1b8d3616d8b

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\pending_pings\7d27008d-b086-43ff-9a2f-720e69cdd524

    Filesize

    745B

    MD5

    865531e6cd7a37df68194463b2096de8

    SHA1

    1180ac0bd71fd8c173f7e7da4ff049125e95eee2

    SHA256

    9b6f8e6cf0370394d911ab74ebe5c0e51a6ca43887c23375e8296fa465c82640

    SHA512

    877048a58cb5a9bd579c7e5b2f18aae921f8726396870cae29bd898f5d20200f74fc2ab7fb7c6147ad203eb6b2465dbcb4f73c726ef628758a29f597cd3a8e5f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\pending_pings\e716d7a2-b5bb-40f0-a223-f5c614c886f7

    Filesize

    11KB

    MD5

    c06e895e9055a9b668827529c0d48578

    SHA1

    fb6d4b7231bc5c79cf68d476ff08f1bd3b6f928a

    SHA256

    73974b24ab7ce3d103241e5e69feed4280248cbfb547c92161b78353023c59ec

    SHA512

    dcff17c71c206f45367bbbc0bb0bfc61e0eef88d993199a6c4383e9c8cd0f20086d793c875b4f5a9e5c3de7586070ca0ad7c5edd13541efcc2d4bace7cf59f5c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

    Filesize

    997KB

    MD5

    fe3355639648c417e8307c6d051e3e37

    SHA1

    f54602d4b4778da21bc97c7238fc66aa68c8ee34

    SHA256

    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

    SHA512

    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

    Filesize

    116B

    MD5

    3d33cdc0b3d281e67dd52e14435dd04f

    SHA1

    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

    SHA256

    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

    SHA512

    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

    Filesize

    479B

    MD5

    49ddb419d96dceb9069018535fb2e2fc

    SHA1

    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

    SHA256

    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

    SHA512

    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

    Filesize

    372B

    MD5

    8be33af717bb1b67fbd61c3f4b807e9e

    SHA1

    7cf17656d174d951957ff36810e874a134dd49e0

    SHA256

    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

    SHA512

                                      6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                                      Filesize

                                      11.8MB

                                      MD5

                                      33bf7b0439480effb9fb212efce87b13

                                      SHA1

                                      cee50f2745edc6dc291887b6075ca64d716f495a

                                      SHA256

                                      8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                      SHA512

                                      d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                                      Filesize

                                      1KB

                                      MD5

                                      688bed3676d2104e7f17ae1cd2c59404

                                      SHA1

                                      952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                      SHA256

                                      33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                      SHA512

                                      7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                                      Filesize

                                      1KB

                                      MD5

                                      937326fead5fd401f6cca9118bd9ade9

                                      SHA1

                                      4526a57d4ae14ed29b37632c72aef3c408189d91

                                      SHA256

                                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                      SHA512

                                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

                                      Filesize

                                      7KB

                                      MD5

                                      0fec24e86086efb668490300e9bf5ff0

                                      SHA1

                                      fe3d0061b86dba4bb4489bc0c8033243160f01da

                                      SHA256

                                      ec598db0922e1188be9f2cfb0e515eb4e3c93eb89f914b947bbaa81ebebdfcd8

                                      SHA512

                                      a75de1adca06724afb7f63c4e7f261025c82a59800fac92b18f98dc57d7acd67536c73970401159375db6a7424090ebf66382ee8182bcd2e7db816b9b8fee604

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

                                      Filesize

                                      6KB

                                      MD5

                                      63a8dc060e264b29a576bc902223f2dd

                                      SHA1

                                      f752fd0f1c8a4e4192261166dd11184136b43888

                                      SHA256

                                      9fd72c5182010bfb9310789eca2ba0c692e3ee207cadc43e312f3ec76188dbee

                                      SHA512

                                      092a7f99f88b16b6ddce9dac13aad8f55ab29f79935f766f20372b17126360f7e4ef7dc31de7c68143c15a8fcd37b5eadbc180482b0973c6a3f6507338bdb9b7

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs.js

                                      Filesize

                                      6KB

                                      MD5

                                      409be3a11a20a68a35267bf6cba6b24b

                                      SHA1

                                      e647aae8035131291582d773ec3beebff748fbb0

                                      SHA256

                                      a14ab695ca3f1e64dc2150f50092e908207034c5359b1aa5c3c4505de6c4dcab

                                      SHA512

                                      546950c505a099d8668e374cca70d6b83e0f697f0c3099feaa2031a470abf1856e1b2d28f8c059823f158b0477e9d56a2bd4f14ef4ac892cff52c5db9b6c524d

                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\sessionstore-backups\recovery.jsonlz4

                                      Filesize

                                      4KB

                                      MD5

                                      e59b67bd5462071ae2db4aa857dd6dd0

                                      SHA1

                                      268f7274ef0762f01f090b848449fe5039279ba3

                                      SHA256

                                      ff8e6237ed8d83aa35a31271267f4db4708795910c77e4ed531c59520d9d9832

                                      SHA512

                                      be21274a9f67c9c95418d10dd2931aa95d7f9648043e74bb3cfcce49bad04bf84985484279fbff337cbc9a4c27afa82b3436c4b8b019be0433373eb122f031e3

                                    • \??\pipe\crashpad_2984_ISEGQIYHOVPOEVZM

                                      MD5

                                      d41d8cd98f00b204e9800998ecf8427e

                                      SHA1

                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                      SHA256

                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                      SHA512

                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
