Analysis

  • max time kernel
    300s
  • max time network
    297s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-08-2024 05:04

General

  • Target

    7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe

  • Size

    1.8MB

  • MD5

    d051474ba32beb9890bd6bdfd587d190

  • SHA1

    8a7d008fdedc8efd7ac43b071f0b1d9d4e3b2156

  • SHA256

    7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593

  • SHA512

    ca17f5aa86bd09cddfa2e52967f248d9f7245e66fe6018fd93d83e22f88a66c6da0558416171c3d9857776d60e15839a613ad8c23e2ffd1a904bca63731a669a

  • SSDEEP

    49152:GatcTY1VPvW0gMW813PNMpGhs0PkAoox+jW:GatQ2x+YWQPW+VN4

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes
  • install_dir

    0d8f5eb8a7

  • install_file

    explorti.exe

  • strings_key

    6c55a5f34bb433fbd933a168577b1838

  • url_paths

    /Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe
    "C:\Users\Admin\AppData\Local\Temp\7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:344
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\e136ecfc33.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1804
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1580
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.0.343511002\517186452" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1260 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9809152a-411a-45bf-9201-7330e449dc75} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 1368 fcd3458 gpu
                7⤵
                  PID:2884
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.1.46112219\1070485425" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b160171-86a5-4bbd-bdb7-14e784d4695b} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 1540 31eb558 socket
                  7⤵
                    PID:1440
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.2.1101348571\575138124" -childID 1 -isForBrowser -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {632d1b8a-340d-4347-ad11-7ec7534e30b4} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 2084 19f69858 tab
                    7⤵
                      PID:1328
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.3.1201003511\1267434814" -childID 2 -isForBrowser -prefsHandle 2864 -prefMapHandle 2860 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {598ac147-bf45-48ec-bb13-cc558d84527f} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 2876 1d29ab58 tab
                      7⤵
                        PID:2252
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.4.1585475706\164938619" -childID 3 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e6822a2-bb9a-4a43-a340-5fe716263183} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 3772 20908558 tab
                        7⤵
                          PID:2108
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.5.1946998871\1002135024" -childID 4 -isForBrowser -prefsHandle 3884 -prefMapHandle 3888 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e87dc25-8727-483d-ace5-22551394ae5d} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 3872 2023ea58 tab
                          7⤵
                            PID:2004
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.6.1492481964\688997983" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2ea2365-be52-4a4c-a420-289cc68b2e4c} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 4036 2023f658 tab
                            7⤵
                              PID:2792
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1580.7.722430605\2128789881" -childID 6 -isForBrowser -prefsHandle 4048 -prefMapHandle 4036 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a817428-8966-406f-84b1-25782579ea17} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" 4284 21baa058 tab
                              7⤵
                                PID:792
                      • C:\Users\Admin\1000037002\aacf2799db.exe
                        "C:\Users\Admin\1000037002\aacf2799db.exe"
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2172
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1304
                      • C:\Users\Admin\AppData\Local\Temp\1000038001\3ae762d1c2.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000038001\3ae762d1c2.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1636

Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    208KB

                    MD5

                    6a9af6e89c6a51a5fb8ec79c8375a3f2

                    SHA1

                    8eae4ba1d4b6733c5c908817e1ec8912fc73cf48

                    SHA256

                    fd26a47f34305f464ce62312bc7c7a66231d914fbb333e1318a444a6f68d2ee6

                    SHA512

                    1c1a3e59da73256f9a83adbe19e897d46349cbda784a7cd7890abd188cf59ec294a8ff9aaa99fea4a3c61917f7088fb171b32fbed7b2ac26b0cea830470450a3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\targeting.snapshot.json

                    Filesize

                    4KB

                    MD5

                    6f9134de23f7f583e12d3da16a375aba

                    SHA1

                    94495e76ac7eb70fbf44a486fbb995ed325891a9

                    SHA256

                    713d9689aa4e73bc56279ccb2704be25150b77798b68df40c0d39e5a69aff81b

                    SHA512

                    e2343d86178c0287a2a4192f6f14244ccbd8718c3893100990cbe90889fef628a57d0b387fd763d5f799c78f766da194bac4642b4745a74b9cb73e1e8dab5dab

                  • \Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

                    Filesize

                    1.8MB

                    MD5

                    d051474ba32beb9890bd6bdfd587d190

                    SHA1

                    8a7d008fdedc8efd7ac43b071f0b1d9d4e3b2156

                    SHA256

                    7aaaa43f3cc9d0cf790dad8eac81af1eec005d5d04ec58e486834f0a43378593

                    SHA512

                    ca17f5aa86bd09cddfa2e52967f248d9f7245e66fe6018fd93d83e22f88a66c6da0558416171c3d9857776d60e15839a613ad8c23e2ffd1a904bca63731a669a

                  • memory/344-0-0x0000000001110000-0x00000000015C7000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/344-17-0x0000000001110000-0x00000000015C7000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/344-10-0x0000000001110000-0x00000000015C7000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/344-15-0x0000000006910000-0x0000000006DC7000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/344-5-0x0000000001110000-0x00000000015C7000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/344-3-0x0000000001110000-0x00000000015C7000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/344-2-0x0000000001111000-0x000000000113F000-memory.dmp

                    Filesize

                    184KB

                  • memory/344-1-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

                    Filesize

                    8KB

                  • memory/1228-38-0x0000000000D70000-0x0000000000EA0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/1304-85-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1304-79-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1304-81-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1304-84-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1304-87-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1304-77-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1304-75-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1304-73-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1636-107-0x00000000002F0000-0x0000000000533000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1636-106-0x00000000002F0000-0x0000000000533000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/2172-71-0x0000000000800000-0x0000000000838000-memory.dmp

                    Filesize

                    224KB

                  • memory/2460-56-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-54-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-42-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-44-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-50-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                  • memory/2460-53-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-48-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-46-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2460-40-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2912-274-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-377-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-384-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-385-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-386-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-387-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-388-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-389-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-395-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-396-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-397-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-402-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-403-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-404-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-406-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-407-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-408-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-409-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-371-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-369-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-355-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-288-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-271-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-270-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-263-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-203-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-104-0x00000000062E0000-0x0000000006523000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/2912-105-0x00000000062E0000-0x0000000006523000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/2912-23-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-22-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-477-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-20-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-481-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-19-0x0000000000AC1000-0x0000000000AEF000-memory.dmp

                    Filesize

                    184KB

                  • memory/2912-490-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-491-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-492-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-497-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2912-18-0x0000000000AC0000-0x0000000000F77000-memory.dmp

                    Filesize

                    4.7MB