Analysis

  • max time kernel
    299s
  • max time network
    290s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    12-08-2024 05:03

General

  • Target

    539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe

  • Size

    1.9MB

  • MD5

    d6612f5d347fb3a1e9b74b324271a5d3

  • SHA1

    f4cf302408405179d0c865438d38cdf1dec0cf80

  • SHA256

    539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87

  • SHA512

    66d2c5d204236b07902be2ba81114e88b4f0009e3b2733c490f83d5fb119e15c0670759bbb7c08ab44f1aaff2337bcbdb3efc155cc69dc348be2cdcf62cc13c5

  • SSDEEP

    24576:A68w4WvvycyQHGq1hr1TEOx73tJf0r82jfSr+x2KQIr8QgEM/EEugO00V1EThFgT:RyclHGM1TEWTtJi82rSr+xCcNO/Hui

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes
  • install_dir

    0d8f5eb8a7

  • install_file

    explorti.exe

  • strings_key

    6c55a5f34bb433fbd933a168577b1838

  • url_paths

    /Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe
    "C:\Users\Admin\AppData\Local\Temp\539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
            PID:2536
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2920
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                6⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:2272
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.0.656125712\598250611" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6add0101-14ee-45c1-a400-abf831f606d0} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 1280 11dd5b58 gpu
                  7⤵
                    PID:1152
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.1.291480274\1164672918" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7cb9435-499e-4bf1-ab61-6ad09f47b6e4} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 1496 e73c58 socket
                    7⤵
                      PID:1700
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.2.1800076998\784561216" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e0e8cc3-ba30-4153-9011-f10d637d5092} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2104 19d9a858 tab
                      7⤵
                        PID:2100
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.3.1638369663\160610286" -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22aa4d3-c09a-4c7d-b47c-4843b7da7664} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 2896 e64258 tab
                        7⤵
                          PID:2584
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.4.1303826133\1581313732" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3784 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51dc8c79-ab9c-40f1-8cf6-f7ba190847e7} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 3812 1cfb9958 tab
                          7⤵
                            PID:1872
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.5.1820247056\1565151837" -childID 4 -isForBrowser -prefsHandle 2784 -prefMapHandle 3328 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f35a8518-9f5d-43f7-b73e-c802ecd56699} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 3956 1cfb7b58 tab
                            7⤵
                              PID:2536
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.6.448088790\723047656" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61971734-602c-401d-be0a-543a123f90f8} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 4000 1cfba258 tab
                              7⤵
                                PID:1212
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2272.7.1855895466\457827544" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4304 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 872 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fa2fab8-765d-4e98-982a-0b138dfa9b93} 2272 "\\.\pipe\gecko-crash-server-pipe.2272" 4360 1ad9bb58 tab
                                7⤵
                                  PID:1728
                        • C:\Users\Admin\1000037002\76b0bdeda4.exe
                          "C:\Users\Admin\1000037002\76b0bdeda4.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1520
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:2308
                        • C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe"
                          3⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:3060

                    Network

                    MITRE ATT&CK Enterprise v15

                    Downloads

                    • C:\Users\Admin\1000037002\76b0bdeda4.exe

                      Filesize

                      206KB

                      MD5

                      62c81eb8cd78dbcf5767f84caad6972e

                      SHA1

                      9a508e8724c1431394717ebd3c6dee2f9f21d082

                      SHA256

                      166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250

                      SHA512

                      2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

                      Filesize

                      49KB

                      MD5

                      67d69718f3a897829a16e486c7411d53

                      SHA1

                      10a24ef440813948dea463f11b3084af4942667b

                      SHA256

                      8e065c9171abf0f5d6f8ea7279038bb26e97f29bc1a375879489d250904cac6c

                      SHA512

                      4101195a7269f3e675f6e1624742bb294d8fde0c4e49113b740c8b0521936f16356737f1d8826228d55a584ce39ce88294fccf602bea6ab43bd0ba591a2606c9

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

                      Filesize

                      9KB

                      MD5

                      4cd8468f8987fdccc0dcc352f277d771

                      SHA1

                      897279c741789d992362d0fc448bb0205a73daf2

                      SHA256

                      b7e34c9fb8362632d19c22fad541b05901cfa7a21bd0fbf42f58921b335f10d6

                      SHA512

                      327c90a2704b3c7264e64f54c4b25e8872cc037d43f8c87d347c4fe2c326d520e654580ad684e58a80df1c9913255035bba6884445a3b5649e69cd6141a6165f

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\099EB2BF8827A4F91EAB3E38B14650D0205226F2

                      Filesize

                      15KB

                      MD5

                      f04241785087a81fa354403e9f0c24e2

                      SHA1

                      4cc082b28f1e7615e6125eb284b30f96693170dd

                      SHA256

                      147f44f854f77a899beb4442fe7a350fe4b713bfde97b47509b90d91fbd6c9ba

                      SHA512

                      0003ee6b74091057c5383f36518f87229e810997097a4bff1caef87cf5c083006cb0858bb335b29dd4ab7c300a224e9750337316c63d8229c126415b26d23ee4

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

                      Filesize

                      9KB

                      MD5

                      38736a3e36d43ef00b57727745c66eaf

                      SHA1

                      c50be94bf8740a1e0f5409318a7b9758546a92b6

                      SHA256

                      3045686c7097fce6c6d40f3810d535c58cc6b6be79ce15bff59e9911f8af80ed

                      SHA512

                      1a3df2ce786bb7ac49d6038f6e7b3e5ba0772f12c0f7ebda0c77c7c849c43032fceedd283a291c8634819fdd9f61d008fab9050be2307ea8ac2e5d8dbe399574

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\2AFE87EE06052E1C99E4C0F9FC1832E19231E674

                      Filesize

                      35KB

                      MD5

                      7eaea68abcb240902ccc22e91daafd7c

                      SHA1

                      50114f739f1a55152c7da7767d25c7198159323e

                      SHA256

                      fa8aa7cb834cc68c8780a6ba76ffaccf932baff383434cce2698f988bf4a6cd1

                      SHA512

                      793886d47f96c1c79a39f2ea3ec6bd271b0050b8d1cbcec9487d7c0f488eaeaac67222a66c90964e25b2b0a180e1070e58fb0dc62681f18819106b310ee11b2d

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

                      Filesize

                      13KB

                      MD5

                      73af200889d2367a978cd6e42d3b3810

                      SHA1

                      7b37d3e1e2a80eaf1fc71a0805b825fa302a9f3b

                      SHA256

                      42d0895cb9851fbcaedcd2220edb6e554e0d08bc2c62a39174b891432db38021

                      SHA512

                      fcc800635efce012f5f9cd83225903f307292db4278ff2c35370e5cc0a490bf0b88506a97b3a96bb443d7c2006035b32573ccc21324764c4f3a9a5aa23b06856

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

                      Filesize

                      15KB

                      MD5

                      09fc8a7821998b4b159831fd4fea8458

                      SHA1

                      c4e634861c2dd973e6b0bf8c9a9839718d76fe31

                      SHA256

                      06f0e1b7f349ced06254bb43880c61c07024b9d63fe315a637b6d4329eb695c4

                      SHA512

                      e4d2984d1017f664bea0c584a357e93d1e045d86b891e1adb90a88850cf22ce73dce4c25aaecca5fd3e7bfbf9da6d241715012cf4106ce3851cde8420587d7be

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

                      Filesize

                      13KB

                      MD5

                      4e6d52d6d66c43e3c6b70507b7247373

                      SHA1

                      29e291aeefc71d1efd0aeb3adf1a05e3da7c530b

                      SHA256

                      de88ad8891208677429aa216706c1014e1b8d02e5c7c3b4932b9c4b6bd465c80

                      SHA512

                      157477d297ebde9187f1638a2af24cdce791a451332465b4b9e74ddf4ce667c06955c4337a5a8a37b1471c922e14f14e7c6b3b7371ab3165b1096c1f2772b9bf

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

                      Filesize

                      11KB

                      MD5

                      e606975b67224fc62bfb6bd357059dab

                      SHA1

                      f2b57d2bd8bd3a558de95a6f3242a0d2cc9475e7

                      SHA256

                      cc4a93acf74c51e49e9f68e6b48779bcb27e2cc83cefbdc39d95250bacecaf8f

                      SHA512

                      de5925688d12f6b4324e417938d11c43e441658d30c7d4e0d04a911d96223f4c6af2de7a4951ecba5bac3d85049f9cda1a6dbd8ca4236648ec6f652596a23c17

                    • C:\Users\Admin\AppData\Local\Temp\1000036001\0d383a3ff0.exe

                      Filesize

                      1.2MB

                      MD5

                      db946418424011c782182c76ab8c179f

                      SHA1

                      d640d54d341cf6341bd434c9015d23d22156612a

                      SHA256

                      bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e

                      SHA512

                      a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

                    • C:\Users\Admin\AppData\Local\Temp\1000038001\ef9258e7e9.exe

                      Filesize

                      187KB

                      MD5

                      278ee1426274818874556aa18fd02e3a

                      SHA1

                      185a2761330024dec52134df2c8388c461451acb

                      SHA256

                      37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

                      SHA512

                      07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                      Filesize

                      442KB

                      MD5

                      85430baed3398695717b0263807cf97c

                      SHA1

                      fffbee923cea216f50fce5d54219a188a5100f41

                      SHA256

                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                      SHA512

                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                      Filesize

                      8.0MB

                      MD5

                      a01c5ecd6108350ae23d2cddf0e77c17

                      SHA1

                      c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                      SHA256

                      345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                      SHA512

                      b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                      Filesize

                      7KB

                      MD5

                      e927e39355930933a91017726d2ec446

                      SHA1

                      a9880e239220a4680be696d712429b16afd908fb

                      SHA256

                      ad37a461a1540820708777b753d605e233110473f1e6a4cc7fe1d6fbcaabebf3

                      SHA512

                      bd44faac67b8529372f894514abb6ddf61217f747726f143db3511c71dab6692c4c64c22e01bc66b6af2a06f93a191a0f97e7e18aa20ed68f7d4af7cf8c166ca

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\addonStartup.json.lz4

                      Filesize

                      5KB

                      MD5

                      35860b7440797fdf92b6b343858fae39

                      SHA1

                      62c24f43eedf6e71b226f0159dbbfeecc152f47f

                      SHA256

                      fa8d0fffa1b53a2ef40a65da9e28fe04dd91f053f4784f542714e60b4290f498

                      SHA512

                      5ae3d1a8279ae0fdf7954c3cf2279ea9c525e36547c4ed92049f741be6bd46bfef82b40763c7d01e0620dcf356fc9fc45b12be4dce319d4d9b354f6fa15d1a69

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\bookmarkbackups\bookmarks-2024-08-12_11_kKcgUJaYx4JrsBzZ+MJTpg==.jsonlz4

                      Filesize

                      940B

                      MD5

                      adb0c9d188e29cb167b20a20edfa5227

                      SHA1

                      25a28f4422242beb7bbee504261a0090b94a4d4a

                      SHA256

                      d010c1fc01ede7e4423330f5951a99b6d3255921b1ff18325bf2dbc2d3437324

                      SHA512

                      6570fbee222d92f53f8eaab1fe9d5435a196081f0d4d8a5279c6735cc5c94e754f803b5080f34bee389fcd67a4873392dd80ac86ff9b84a5f0283ba7a4afd67f

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\broadcast-listeners.json

                      Filesize

                      204B

                      MD5

                      72c95709e1a3b27919e13d28bbe8e8a2

                      SHA1

                      00892decbee63d627057730bfc0c6a4f13099ee4

                      SHA256

                      9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                      SHA512

                      613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

                      Filesize

                      2KB

                      MD5

                      22f6765c3b05f569ff1f609ad71dfa58

                      SHA1

                      59fc5c7804457dbbbeb8485151cba6257f21b833

                      SHA256

                      215adfddf022e657ef0bcf5dcd66d4c2740af20afb563d3662ed7c1e88119dc4

                      SHA512

                      7685a21a9ef2489ef6f3e704fd61564ca003b8fe0d38b6fe5af4994920d31cb9fbe1217cb5fd165feba21844e0bfdf3ee997704f73e32f79b6f4f82cdee223c7

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\0bb486a2-1330-4ea1-9f21-c73d26059f6f

                      Filesize

                      745B

                      MD5

                      224e33e810f1987166f1e03fa3b75a0e

                      SHA1

                      c94f911260a560363f1697f2db86e5b7fcfd1d6b

                      SHA256

                      36fdeaa80182de421b527e43228fae00858ba80c9ee3520a01cb7ef24ed6b4ca

                      SHA512

                      e9c326f1e95cf703fcddbeea4c121d1a7210d27359c9cafc276d991354e466244caffb6087ef21858da400b82db533e8f6b0e24da664e5efbedd71597ac19eea

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\d90a86b5-2247-4287-9e5d-35d61fcdb879

                      Filesize

                      11KB

                      MD5

                      b88cb8bf7c9a324e6420ad04034c63ac

                      SHA1

                      e61460a0f61eac0235c1acf854d14ca5b3271483

                      SHA256

                      f98fc28d7932dcf66d6b0d74dd394ab732b7cf3b41bb3cbc6025f9fedb78f33a

                      SHA512

                      02e685fca8a35bfb7ff965e9fd0e9232793e683f408de608cd5de9d9f789283396ae7c6d8fc106a8b3b4cedeeb55c16dd431e50f89aed3aa04d58788724f0e62

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                      Filesize

                      997KB

                      MD5

                      fe3355639648c417e8307c6d051e3e37

                      SHA1

                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                      SHA256

                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                      SHA512

                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                      Filesize

                      116B

                      MD5

                      3d33cdc0b3d281e67dd52e14435dd04f

                      SHA1

                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                      SHA256

                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                      SHA512

                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                      Filesize

                      479B

                      MD5

                      49ddb419d96dceb9069018535fb2e2fc

                      SHA1

                      62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                      SHA256

                      2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                      SHA512

                      48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                      Filesize

                      372B

                      MD5

                      8be33af717bb1b67fbd61c3f4b807e9e

                      SHA1

                      7cf17656d174d951957ff36810e874a134dd49e0

                      SHA256

                      e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                      SHA512

                      6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                      Filesize

                      11.8MB

                      MD5

                      33bf7b0439480effb9fb212efce87b13

                      SHA1

                      cee50f2745edc6dc291887b6075ca64d716f495a

                      SHA256

                      8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                      SHA512

                      d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                      Filesize

                      1KB

                      MD5

                      688bed3676d2104e7f17ae1cd2c59404

                      SHA1

                      952b2cdf783ac72fcb98338723e9afd38d47ad8e

                      SHA256

                      33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                      SHA512

                      7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                      Filesize

                      1KB

                      MD5

                      937326fead5fd401f6cca9118bd9ade9

                      SHA1

                      4526a57d4ae14ed29b37632c72aef3c408189d91

                      SHA256

                      68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                      SHA512

                      b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

                      Filesize

                      7KB

                      MD5

                      08bdc6d15d5a8f8401675d3c66263a36

                      SHA1

                      b68950a9d31fa666525a4b6b34af39a3285157b7

                      SHA256

                      aa8909b42bb0ab89e3e04ba6c447304996560446e0b5df3893b2f2beb32f2f7b

                      SHA512

                      2507a3324c19bf911dfcc3a93c0a3fe3a2f6c8bae3017ab30f35aabad39de4298ac78a9dc2964be8981805f5ed9222dbd3a2cad5e6f1da30433d6eaf2bfe8040

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

                      Filesize

                      7KB

                      MD5

                      9ea8f2dd9f91b0105beb1ce8f066474e

                      SHA1

                      627bd4a6f594a3ae33647dca0b825b26a9c92da7

                      SHA256

                      59e5a110d6520a402b2636e0fbc536e94556bb6a576929c858ecf862a1bc0ce9

                      SHA512

                      a095db0570d3d907b4ad4ee48d995138dc27adb788952a3c5248a4a61c00212f125d85eb333b182c730d7e05a1db6504e49c72404fc39cda4ebac8b4375fb6eb

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

                      Filesize

                      7KB

                      MD5

                      f653faf279801755e177d50f9c9fd90e

                      SHA1

                      310427a16367429cfd0e94f55b4dc9fac0e7c1e9

                      SHA256

                      3f8c10833cdb9352d9fdc45cce7002977ddd6944b4d242393fdffb8022f990a6

                      SHA512

                      737d19bb38af7d0b89249842e3a04873511f98874ef5631e6afb7c744965fd0e42d9163a72a1b4363b1293e5a50f797753d965698e4775aca3b5829b4df5d5c0

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

                      Filesize

                      6KB

                      MD5

                      3ad1b17cbdae3524b0e088db88756621

                      SHA1

                      ab6d3e77b92e7908653f3a5422dd2a819a911fcd

                      SHA256

                      347ca0f68857c78ddbfec418bc19ae2547a9b1d1ec812e882a6f7081c5ac360f

                      SHA512

                      a32765ef4c944548173fb94db0e2b4b76cd23ace64f13286edcdbf4649c89777dde204bad445b8dbf46d85923d5d0cbef9704551a0aaa9f5904d2d40379f3c2d

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js

                      Filesize

                      6KB

                      MD5

                      2d893594787dcad4867171b408e78252

                      SHA1

                      606431a1794f9be55333c6004e01764f26b8db2b

                      SHA256

                      86bc409d00be778727165f919d52d850f9bf14dd49c020a3fbf5f3cddcc9384a

                      SHA512

                      6e38255a90eb3c5dc43fda11576584354190e328a7c65ce58bf55546743831f2c159d547a601de3f9306cdd01d256cbde5143dca09cbb440d25f4b10152f05c0

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionCheckpoints.json

                      Filesize

                      90B

                      MD5

                      c4ab2ee59ca41b6d6a6ea911f35bdc00

                      SHA1

                      5942cd6505fc8a9daba403b082067e1cdefdfbc4

                      SHA256

                      00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                      SHA512

                      71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

                      Filesize

                      4KB

                      MD5

                      ebe73c432e112ff0e7752637dfe9e6f4

                      SHA1

                      061f90805281ae5993eb40537df7358f84d98a6b

                      SHA256

                      a651fce736c6eabea5bf06c24c028963c7ade21d839fa925ca73637ddd9537e7

                      SHA512

                      039fb878245f3789a0a6de34902901d8790669fbd3547243c8e7f664876f81790d6fac03146ea9919dccc6242028f93ca03d3075c667556641692053ad1725f5

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                      Filesize

                      184KB

                      MD5

                      3dc733f51b6c47c0e57ae7035b9abacf

                      SHA1

                      d4c28a6f9d4bae9e297440a46726a2cb3e2504ba

                      SHA256

                      aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1

                      SHA512

                      e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\targeting.snapshot.json

                      Filesize

                      4KB

                      MD5

                      e0706492dc88c246ede4f60eaee14ce5

                      SHA1

                      d569516ba6b89688858f39231b77721cdf06df89

                      SHA256

                      b699e7c2dc62bed9049cacd5cbd62e5fdc504e5f168b1ec1b064e60d18a7e76b

                      SHA512

                      7b96b24693e37b3b133677b2fdd34c65df4f9ae2b6a2e8b860f10ffeb9b873129aff6aeb7552443745e1e9bb3599edb2c0639cba9d5615a81c79333857fbb6a2

                    • \Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

                      Filesize

                      1.9MB

                      MD5

                      d6612f5d347fb3a1e9b74b324271a5d3

                      SHA1

                      f4cf302408405179d0c865438d38cdf1dec0cf80

                      SHA256

                      539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87

                      SHA512

                      66d2c5d204236b07902be2ba81114e88b4f0009e3b2733c490f83d5fb119e15c0670759bbb7c08ab44f1aaff2337bcbdb3efc155cc69dc348be2cdcf62cc13c5

                    • memory/1520-69-0x00000000003D0000-0x0000000000408000-memory.dmp

                      Filesize

                      224KB

                    • memory/2308-79-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2308-75-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2308-83-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2308-85-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2308-72-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2308-73-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2308-82-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2308-77-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2452-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                      Filesize

                      4KB

                    • memory/2452-52-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-43-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-46-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-38-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-54-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-51-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-40-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-48-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2452-45-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/2644-0-0x0000000000390000-0x000000000086D000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2644-1-0x00000000771B0000-0x00000000771B2000-memory.dmp

                      Filesize

                      8KB

                    • memory/2644-2-0x0000000000391000-0x00000000003BF000-memory.dmp

                      Filesize

                      184KB

                    • memory/2644-16-0x0000000000390000-0x000000000086D000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2644-3-0x0000000000390000-0x000000000086D000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2644-4-0x0000000000390000-0x000000000086D000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2644-14-0x00000000070F0000-0x00000000075CD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-395-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-369-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-384-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-385-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-386-0x00000000065B0000-0x00000000067F3000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2728-387-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-388-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-389-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-505-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-396-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-397-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-402-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-403-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-404-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-406-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-407-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-408-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-409-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-371-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-383-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-366-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-284-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-103-0x00000000065B0000-0x00000000067F3000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/2728-21-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-19-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-18-0x00000000012E1000-0x000000000130F000-memory.dmp

                      Filesize

                      184KB

                    • memory/2728-17-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-278-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-268-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-267-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-260-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-477-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-481-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-497-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-490-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-491-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2728-492-0x00000000012E0000-0x00000000017BD000-memory.dmp

                      Filesize

                      4.9MB

                    • memory/2972-36-0x0000000000080000-0x00000000001B0000-memory.dmp

                      Filesize

                      1.2MB

                    • memory/3060-102-0x00000000012F0000-0x0000000001533000-memory.dmp

                      Filesize

                      2.3MB

                    • memory/3060-104-0x00000000012F0000-0x0000000001533000-memory.dmp

                      Filesize

                      2.3MB
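The listing above mixes two kinds of records: dropped files carrying a size and four digests, and `memory/PID-N-start-end-memory.dmp` regions carrying only a size. Before the hashes are fed into a blocklist or the dumps into an unpacker, a practitioner usually parses the whole list once, checks that each digest has the right shape, confirms that each dump's printed size agrees with its address range, and groups the regions per process to see which range was dumped repeatedly. The following parser is an added example written for this page; it is not part of the sandbox report or the sandbox's own tooling. The excerpt it parses copies values from the listing above (blank separator lines dropped), and the size rendering it checks against (bytes below 1KB, whole kilobytes, megabytes to one decimal) is an assumption inferred from the listing, not a documented format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Excerpt of the listing above, in the report's key-on-one-line/value-on-the-next
# layout (blank separator lines dropped; the parser skips them anyway).
REPORT_EXCERPT = r"""
• \Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Filesize
  1.9MB
  MD5
  d6612f5d347fb3a1e9b74b324271a5d3
  SHA1
  f4cf302408405179d0c865438d38cdf1dec0cf80
  SHA256
  539d2a7cd76ee04976ed5ae04ff9bebd67a383a50dba626da4594be64e1b5b87
  SHA512
  66d2c5d204236b07902be2ba81114e88b4f0009e3b2733c490f83d5fb119e15c0670759bbb7c08ab44f1aaff2337bcbdb3efc155cc69dc348be2cdcf62cc13c5
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionCheckpoints.json
  Filesize
  90B
  SHA256
  00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
• memory/2308-79-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize
  2.3MB
• memory/2452-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize
  4KB
• memory/2452-52-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize
  1.2MB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class Entry:
    name: str                                   # dropped-file path or memory/... dump name
    filesize: str = ""                          # size exactly as printed, e.g. "2.3MB"
    hashes: dict[str, str] = field(default_factory=dict)
    pid: int | None = None                      # pid/start/end are set for memory dumps only
    start: int | None = None
    end: int | None = None

def human_size(n: int) -> str:
    """Render a byte count the way the report appears to: B, whole KB, one-decimal MB."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{round(n / 1024)}KB"
    return f"{n / 1024 ** 2:.1f}MB"

def parse_entries(text: str) -> list[Entry]:
    """Walk the listing: a '•' line opens an entry, a key line is followed by its value."""
    entries: list[Entry] = []
    cur, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur, key = Entry(name=line[1:].strip()), None
            if m := MEM_RE.match(cur.name):      # group 2 is the dump sequence number
                cur.pid = int(m[1])
                cur.start, cur.end = int(m[3], 16), int(m[4], 16)
            entries.append(cur)
        elif line == "Filesize" or line in HASH_LEN:
            key = line
        elif cur is not None and key is not None:
            if key == "Filesize":
                cur.filesize = line
            elif re.fullmatch(rf"[0-9a-f]{{{HASH_LEN[key]}}}", line):
                cur.hashes[key] = line            # lowercase hex of the right length only
            else:
                raise ValueError(f"{key} value has the wrong shape: {line!r}")
            key = None
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return entries

def size_mismatches(entries: list[Entry]) -> list[str]:
    """Memory dumps whose printed Filesize disagrees with their address range."""
    return [e.name for e in entries
            if e.start is not None and human_size(e.end - e.start) != e.filesize]

def regions_by_pid(entries: list[Entry]) -> dict[int, dict[tuple[int, int], int]]:
    """pid -> {(start, end): how many times that range was dumped}. A range dumped
    repeatedly at a PE image base such as 0x400000 is the usual place to look first
    for the unpacked payload."""
    out: dict[int, dict[tuple[int, int], int]] = {}
    for e in entries:
        if e.pid is not None:
            regions = out.setdefault(e.pid, {})
            regions[(e.start, e.end)] = regions.get((e.start, e.end), 0) + 1
    return out
```

Running `parse_entries` over the full listing rather than the excerpt gives one `Entry` per bullet; `size_mismatches` should come back empty for a consistent report (0x400000-0x643000 is 0x243000 bytes, which renders as 2.3MB), and `regions_by_pid` shows at a glance that process 2308 was dumped eight times over the same 0x400000-0x643000 range while 2452 has a separate single-page region at 0x7EFDE000 besides its image.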