Analysis

  • max time kernel
    299s
  • max time network
    291s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-08-2024 05:02

General

  • Target
    259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
  • Size
    1.8MB
  • MD5
    b2f0d9cde6cd1f83091b9f2a6875e6a9
  • SHA1
    a7bb83cc3f9edc38751ba908d3e0bf393dcfdfc6
  • SHA256
    259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd
  • SHA512
    51bae1077f202a997dbb78e3ece8cf14737362aaeb0e263917a0ba44cfb89cee3b2532c2e5db88151e07c2c8f644be5a4fc3cffb4c6a7f202ee58812afae5de6
  • SSDEEP
    49152:38+S7Y13iG6Fl9z0+S92ONgoknqqFwY0OiMl+SkIxsNo:M5zplR0njNZviwYZjl+Yu

Malware Config

Extracted

  • Family
    amadey
  • Version
    4.41
  • Botnet
    0657d1
  • C2
    http://185.215.113.19
  • Attributes
    • install_dir
      0d8f5eb8a7
    • install_file
      explorti.exe
    • strings_key
      6c55a5f34bb433fbd933a168577b1838
    • url_paths
      /Vi9leo/index.php
  • rc4.plain

Extracted

  • Family
    stealc
  • Botnet
    kora
  • C2
    http://185.215.113.100
  • Attributes
    • url_path
      /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe
    "C:\Users\Admin\AppData\Local\Temp\259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1480
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.0.376908202\435434635" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3cd3162-6f11-49fa-b1b9-111c34bcf6c5} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 1276 123f4b58 gpu
                7⤵
                  PID:1272
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.1.1189140004\1778891705" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23f48568-0508-4aa7-95ec-78ea172b60d0} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 1496 e73058 socket
                  7⤵
                    PID:1668
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.2.721844314\1961400216" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92fa0411-bcfd-4356-a71a-5706a53b1e6d} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 2080 1a58a858 tab
                    7⤵
                      PID:2532
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.3.2028683650\1882709280" -childID 2 -isForBrowser -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c75441a-2fee-4529-9b5a-9dd2bab92f39} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 2916 e62d58 tab
                      7⤵
                        PID:2364
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.4.1500050912\119562157" -childID 3 -isForBrowser -prefsHandle 3768 -prefMapHandle 3720 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b47eadce-6d0e-4fd8-8bfc-63d5f331d4d7} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 3784 1a789558 tab
                        7⤵
                          PID:2192
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.5.1955781134\735157703" -childID 4 -isForBrowser -prefsHandle 3888 -prefMapHandle 3892 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a09adbf-0d2c-4be6-8915-cec29a7f5e1b} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 3876 1f5df058 tab
                          7⤵
                            PID:2200
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.6.1178332260\763669154" -childID 5 -isForBrowser -prefsHandle 4044 -prefMapHandle 4048 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b53c8b5c-1e6a-412a-b7a1-468d3a7a322c} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 4032 1f5e0258 tab
                            7⤵
                              PID:2000
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1480.7.381959050\1909578793" -childID 6 -isForBrowser -prefsHandle 4324 -prefMapHandle 4328 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6956c7-827a-4db2-b92b-35cf1ea25634} 1480 "\\.\pipe\gecko-crash-server-pipe.1480" 4340 1b892a58 tab
                              7⤵
                                PID:1764
      • C:\Users\Admin\1000037002\613bb19e7e.exe
        "C:\Users\Admin\1000037002\613bb19e7e.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1084
      • C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe
        "C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\1000037002\613bb19e7e.exe

                    Filesize

                    206KB

                    MD5

                    62c81eb8cd78dbcf5767f84caad6972e

                    SHA1

                    9a508e8724c1431394717ebd3c6dee2f9f21d082

                    SHA256

                    166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250

                    SHA512

                    2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\activity-stream.discovery_stream.json.tmp

                    Filesize

                    49KB

                    MD5

                    a6bc39c0c3ecce8e9a446b69978616ef

                    SHA1

                    91e53afc47f7f63278471a0becfcb6485b0c1d7c

                    SHA256

                    a70742bc199c8953ef451417493651b309c0a4b9eea731eaa4411df8db2bf1c8

                    SHA512

                    430cf4c7e23f7050b1664cfb7caf4f5daab88abf0f20f801dbd4042fbf3aaa4627a8aeb891d58d0e5b70d0f2c0068fb05de721633ecc12a5a55fc995c97646b2

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

                    Filesize

                    9KB

                    MD5

                    3c7567054b3c8aa7a624bc9ccc852f48

                    SHA1

                    b0d3d25de1d04d5fcab8bee269081eda1f90f99b

                    SHA256

                    2542c92499179deb684ed8d3d7b1a8479f62c9322587515952b1468dbf89a5c6

                    SHA512

                    0f4f25c156d07afccc575247ad3ea7bdf731d8964a18222464a9bd9ad59b46db15371305d4c2e3f4f5c1ce18d3e0cacf8fc82648af3a12dc94d656babd2d2b1a

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

                    Filesize

                    15KB

                    MD5

                    856d91c4110fdffa7c458033d0fb2e0a

                    SHA1

                    19823fc36d1032398705a5f6d0a6d04963fa46a5

                    SHA256

                    df8e1a314b0e72e14316fa20239ffeaf10849f6752a863a4a3116b855db9ed67

                    SHA512

                    313df35e30e1a457afa8f9f332424f2e28b52c29ccfff02ec622a638fa3712141ad0a014334acc4b71cb732e010cdd6af748d01cdf9a2fcbba03261f49424ecb

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\1A495955E7161F0B821C21A824220FD399FC7DBC

                    Filesize

                    35KB

                    MD5

                    a535f811409769da84fc08b3dbc4f931

                    SHA1

                    14bda2f40d6fdf537574141792ad3e3d0068f848

                    SHA256

                    ac9c142af1c9585018fb0cdef08d0f87b0a64918f4c636e4ae33d74f968195d4

                    SHA512

                    af688f51a48c2b6a0a72c86245423303de867748c62749e479ce395f741640b9efa0f9a8f3ba1c1c3af9d7587cf043b492c92bdd3e29781ee11b4f36b9651f7a

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

                    Filesize

                    9KB

                    MD5

                    ed2206c31c18c206b287ef8b2e5207da

                    SHA1

                    9878fc226db2caac66b3fcfdad2f1cff7cbd6318

                    SHA256

                    15d1f1d37069811fc3f53467189c8c5cc37fe631469810f83d292f6b83230ab5

                    SHA512

                    797862f00dec0fe10fb907b98ddacbc2ea3477aab2669ada903fdfbb6df1a2dfe7107972e1de486d9d8079b2cb1f1ee14f70205d6e6e1e2fef234f19bf7be18b

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                    Filesize

                    13KB

                    MD5

                    52ff28c03bdb5dfd597e20f409a5e1b6

                    SHA1

                    4addd89cfe0a818bf5777d24ecc0f77610891fc5

                    SHA256

                    60001f451c49b588f7cce20d38d73ffa072b144f5e0cdf8e627395fef1b63257

                    SHA512

                    5a9d46b38f51630e28ff27b9eba34e7d645abac3dd34d88da192ac7629039951534f3cbcdb89590aa213dc1f898cbda7e52cdc7296fe01cfb8bd22bb0a77c21b

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

                    Filesize

                    15KB

                    MD5

                    cd7fb359358df14ef91f86018914e6ad

                    SHA1

                    813bd634c9fca5717bc0840a4e66a5bdb1e761e9

                    SHA256

                    6f75fa324b0a0b961bd41ae29c8b16a3c0fa8e5b2ebf461ab3ae6bc33e7aa09b

                    SHA512

                    ebee7ee3e8babdbd7a5bf85b38ae8b83ca0f8c354ca948bbd9ea3ebbf9c42a74703433f058348e2fea28cb1c583c42a9bdc2ce5919b58a3feba2907d816e06a9

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yrxx2hps.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

                    Filesize

                    11KB

                    MD5

                    941c6bd9c75b038225325589d10972ef

                    SHA1

                    d6c86c6f80ab14dc9fa2e3a416111e222db6075b

                    SHA256

                    d918ddc672f5fbb5ead8980573de87776dc02fedc2d3c277dbc672611ea70b32

                    SHA512

                    160205d0348a456d033f8043b3d09c188410d8864cb86595bbe9c63d07a2798d3cabcf60bca2e71c8aec4ef4864acd44bef46714715f2d84066e7cfe07b94ffd

                  • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

                    Filesize

                    1.8MB

                    MD5

                    b2f0d9cde6cd1f83091b9f2a6875e6a9

                    SHA1

                    a7bb83cc3f9edc38751ba908d3e0bf393dcfdfc6

                    SHA256

                    259930c22bc3c592893b6604fdde6233a1650ce131737a70ab6c66c69a8305cd

                    SHA512

                    51bae1077f202a997dbb78e3ece8cf14737362aaeb0e263917a0ba44cfb89cee3b2532c2e5db88151e07c2c8f644be5a4fc3cffb4c6a7f202ee58812afae5de6

                  • C:\Users\Admin\AppData\Local\Temp\1000036001\9267c7b48e.exe

                    Filesize

                    1.2MB

                    MD5

                    db946418424011c782182c76ab8c179f

                    SHA1

                    d640d54d341cf6341bd434c9015d23d22156612a

                    SHA256

                    bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e

                    SHA512

                    a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

                  • C:\Users\Admin\AppData\Local\Temp\1000038001\c284c30766.exe

                    Filesize

                    187KB

                    MD5

                    278ee1426274818874556aa18fd02e3a

                    SHA1

                    185a2761330024dec52134df2c8388c461451acb

                    SHA256

                    37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

                    SHA512

                    07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    442KB

                    MD5

                    85430baed3398695717b0263807cf97c

                    SHA1

                    fffbee923cea216f50fce5d54219a188a5100f41

                    SHA256

                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                    SHA512

                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    8.0MB

                    MD5

                    a01c5ecd6108350ae23d2cddf0e77c17

                    SHA1

                    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                    SHA256

                    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                    SHA512

                    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                    Filesize

                    7KB

                    MD5

                    5073a8a704f96a96e9a30a5d441cbb90

                    SHA1

                    ad685b7311e529890a30e4d63d21d57ad01540b1

                    SHA256

                    9844a81a4d837b34724fbcc7fd46d59968b205481d62fc9141ef344d8f0f7c58

                    SHA512

                    ca46c7222ea6fb2ed8a044c14c5acede2b4d60274b8ed5ebfef5000afde0e0a08569ca7e2dc1cfa4fe52ed88f96339a0e4c3c147ea663b9c9a74be049eca66bd

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\bookmarkbackups\bookmarks-2024-08-12_11_CbmwIF9owvsCs8vtVFuz+g==.jsonlz4

                    Filesize

                    940B

                    MD5

                    e4eda0553a9a2b8ddd9d4a1d368365a2

                    SHA1

                    78c066fc1716b0cc7882ebfb1b3eec6373aa7246

                    SHA256

                    c325c54478a203494578b723200002225ed06b3905bb9596cb8d657372ff250e

                    SHA512

                    65a16309c4bf12f503ac8a88180f269ffd949743f7c1ab6139c89d6d11d6313bdc05967c74dffb759acc8e550604531e0334314c526f6355adda4f290ea1603e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\broadcast-listeners.json

                    Filesize

                    204B

                    MD5

                    72c95709e1a3b27919e13d28bbe8e8a2

                    SHA1

                    00892decbee63d627057730bfc0c6a4f13099ee4

                    SHA256

                    9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                    SHA512

                    613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\datareporting\glean\db\data.safe.bin

                    Filesize

                    2KB

                    MD5

                    266240a5c838b08e9427a8bef25d9bdf

                    SHA1

                    3e8f650c2518f5e77972e469023bbbcbb9d78238

                    SHA256

                    7dd24bbd2a61d86c86079e986a3321d755e08b582ea9296fcf78972140512547

                    SHA512

                    c5572e091193dcfa6371a63056e0bd83c46fb1fef656fce07803e1e2c46f8a5aa399bb459817220658bb9381848fb00b4d5c1a07fb6c0cbd54883d616f59d010

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\datareporting\glean\pending_pings\37a6ccc4-79c8-42da-8448-5c7eb7c7d575

                    Filesize

                    745B

                    MD5

                    62e2ea56f66187ae7b0af72a56ad5d4a

                    SHA1

                    e2e9e383108ac54c7618a8874bc1d09a7428e7cd

                    SHA256

                    a506c57db5d04b7c0eee5f130c1e303dc650af3eb211a86529f9bba502040875

                    SHA512

                    21a3f625f4aded3b9dc077eef0be0ab6a96a2592977ac0edaaa3e204740cc8f3d77df5390de705ecc99cacee56b176e8aae741206fd6576e4c8cf9bf6deecfc8

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\datareporting\glean\pending_pings\fa5f9d06-db10-47ae-9f96-8365f5f47e01

                    Filesize

                    13KB

                    MD5

                    45c95b9affe0c7dafd25079b6b58fe01

                    SHA1

                    598441fd16b5a05ceaca0281b84f5f6ff186a70d

                    SHA256

                    a8daae2e7dd62e7f87a48fed3a2b8da22deb5ce471dec79ac1e60ee7a0476f31

                    SHA512

                    318e04aff44173826bf715b5961922312263dc681693613b447ecdf0afdb1ca201de52074789c356498f1e2920f0e15ca257989467bbac0040f513bb0b3cc44c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                    Filesize

                    997KB

                    MD5

                    fe3355639648c417e8307c6d051e3e37

                    SHA1

                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                    SHA256

                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                    SHA512

                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    3d33cdc0b3d281e67dd52e14435dd04f

                    SHA1

                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                    SHA256

                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                    SHA512

                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                    Filesize

                    479B

                    MD5

                    49ddb419d96dceb9069018535fb2e2fc

                    SHA1

                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                    SHA256

                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                    SHA512

                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                    Filesize

                    372B

                    MD5

                    8be33af717bb1b67fbd61c3f4b807e9e

                    SHA1

                    7cf17656d174d951957ff36810e874a134dd49e0

                    SHA256

                    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                    SHA512

                    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                    Filesize

                    11.8MB

                    MD5

                    33bf7b0439480effb9fb212efce87b13

                    SHA1

                    cee50f2745edc6dc291887b6075ca64d716f495a

                    SHA256

                    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                    SHA512

                    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                    Filesize

                    1KB

                    MD5

                    688bed3676d2104e7f17ae1cd2c59404

                    SHA1

                    952b2cdf783ac72fcb98338723e9afd38d47ad8e

                    SHA256

                    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                    SHA512

                    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                    Filesize

                    1KB

                    MD5

                    937326fead5fd401f6cca9118bd9ade9

                    SHA1

                    4526a57d4ae14ed29b37632c72aef3c408189d91

                    SHA256

                    68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                    SHA512

                    b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs-1.js

                    Filesize

                    7KB

                    MD5

                    7332e2c4c075067c221735f83e46c851

                    SHA1

                    e4fba4d0baac24b679a1c5079ceaa49238661ff4

                    SHA256

                    2c23c998db5595f123a208fd69ba7e6cadd7b483c624dd23f271f65e6277e05b

                    SHA512

                    32d4f0d75e3fc7950a4ea9a3aee6fad64ca62915f2ae75d0da9b8e6c873e0e8989a0c06028896439b04f0adb712fe283a4e9002db0da3f2d34124660b6fff02d

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs-1.js
                    Filesize: 7KB
                    MD5: 57c45527e982f9fb75ee539771e7e621
                    SHA1: cd3a711c552aa24af2e7fd624a235436c848cad4
                    SHA256: d74407ab55b4ab53a8fb90673a44583c4add2e1f318288db8f52ba38f6b6d37f
                    SHA512: ba55f7bfee7417d657a0abfc104b21d9225c6232b84445cac839bf36fcf66c2fe15b10b2b03651a210ef0b5d984a48bd7d49c7500975a9f9003a96a0e0f34cc4

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs-1.js
                    Filesize: 7KB
                    MD5: e7703e0cc863fa9624b187a51c595fcb
                    SHA1: a06b73dd7940551e77796af55a45e09ceb61c1e4
                    SHA256: 15c07dbe5d5caf4c53a4e7bcf081bd445b3a8e1a98468d4fd8386ac9f5c1e5f8
                    SHA512: 128ff1c729ba9e18fd39e4831ee4a2a0faf9e4119ed6cbc4feba859dfebf9d21066874fde1c668489bf8d1be38ca0714551d753bd1fce1cd49f4547c4b2981cb

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js
                    Filesize: 6KB
                    MD5: dafec63a4fdbc587c569316f5060667e
                    SHA1: b233fcfe6b9a20d15d17628dc3ca3d93d7120095
                    SHA256: 48778b34b81a4118903b040227e4f8a8efbe598446b739c63fadb4093432e7e3
                    SHA512: a88f76a8eae3fd88f806628a1e592e775d8c071822d1ccd4b1f97bf913340fd56d802278c7cccb120ec300d89adf892ff4e00ef8f979f2e9cad4aebb2209f803

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js
                    Filesize: 6KB
                    MD5: 42961517d5a0348d6b1d84c45d3d8a1a
                    SHA1: fb3c72637fca303134181fabb0ab4e009610c6ff
                    SHA256: d36326ad3e0aeb8d6e23aceb743e5929c2ad03a003cdfe666a4e23e4085666ed
                    SHA512: 00136d233c0f65bfb091417458550adf059615afb333fb84896118215269a1e6ed10f2a6cf15f1aaac4758d3d7569ede31b6249d694050c686a8602588344734

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\sessionCheckpoints.json
                    Filesize: 90B
                    MD5: c4ab2ee59ca41b6d6a6ea911f35bdc00
                    SHA1: 5942cd6505fc8a9daba403b082067e1cdefdfbc4
                    SHA256: 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
                    SHA512: 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize: 4KB
                    MD5: 62d45518d7c2934fa81c447655a61959
                    SHA1: 02c65e3d191dec5345883d71db2cb1ccc5eda7af
                    SHA256: 3c2b0a4f1257d0ffda09cf6b1052da90f304b0b270caf821ae214b78a6bbfc6d
                    SHA512: ee372768f82622b850b2e35dfee0662a6d56eceb828cfb3ace11ff27af999bc6533a7d3bc425f5eda327bbcfba527460751e62d19207caa267da7fd09db3fbf0

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize: 200KB
                    MD5: 9d94688c4d7b1c97564802430b389174
                    SHA1: 36965259e53fb3f753e57bfb968dc2b8a6a642f7
                    SHA256: d7614d843ef0a8f02f506ad4d829b65322deb08c23a14ce07b13c3c7ad7808c8
                    SHA512: 14f93edbf9aea1a7422a97414c2a3776e5c3aa4ddd0cbb19ad77f85d593508fd76def100597b6b1ca3ea4b0e817857bc6aa8cc431c752b25f9b63e01b57ed4a1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\targeting.snapshot.json
                    Filesize: 4KB
                    MD5: 667557fa7af954f455c83b70c135ff99
                    SHA1: 458d8b40e80ecfc4aab08deceaf68f4812ed8a39
                    SHA256: d02f017638fe963c688c265b410dc3c319c1e84cdb43b0f339b18f64e3b5d749
                    SHA512: b24da66038c81464707b193ea6cdcfb76feb794e3bb93adcb7cff4b728a17c361257831237c7b1f14daa1b37e39763e5eb825274779f40da0d28a603e39abd63

                  • memory/1084-73-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1084-71-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1084-82-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1084-77-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1084-79-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1084-83-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1084-85-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1084-75-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                  • memory/1796-69-0x00000000011C0000-0x00000000011F8000-memory.dmp (Filesize: 224KB)
                  • memory/1864-40-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-52-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-44-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-46-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-38-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-48-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
                  • memory/1864-51-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-54-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/1864-42-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                  • memory/2304-0-0x00000000013B0000-0x000000000187A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2304-14-0x00000000013B0000-0x000000000187A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2304-5-0x00000000013B0000-0x000000000187A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2304-3-0x00000000013B0000-0x000000000187A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2304-2-0x00000000013B1000-0x00000000013DF000-memory.dmp (Filesize: 184KB)
                  • memory/2304-1-0x0000000076EB0000-0x0000000076EB2000-memory.dmp (Filesize: 8KB)
                  • memory/2604-36-0x00000000003A0000-0x00000000004D0000-memory.dmp (Filesize: 1.2MB)
                  • memory/2628-104-0x00000000011E0000-0x0000000001423000-memory.dmp (Filesize: 2.3MB)
                  • memory/2628-103-0x00000000011E0000-0x0000000001423000-memory.dmp (Filesize: 2.3MB)
                  • memory/2692-266-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-360-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-371-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-374-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-375-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-376-0x0000000006500000-0x0000000006743000-memory.dmp (Filesize: 2.3MB)
                  • memory/2692-377-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-378-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-379-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-385-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-386-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-387-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-392-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-394-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-395-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-396-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-397-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-398-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-399-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-400-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-358-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-354-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-274-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-257-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-251-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-250-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-213-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-102-0x0000000006500000-0x0000000006743000-memory.dmp (Filesize: 2.3MB)
                  • memory/2692-21-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-20-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-18-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-465-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-17-0x0000000000DB1000-0x0000000000DDF000-memory.dmp (Filesize: 184KB)
                  • memory/2692-477-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-478-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-479-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-484-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-485-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)
                  • memory/2692-16-0x0000000000DB0000-0x000000000127A000-memory.dmp (Filesize: 4.8MB)