Analysis

  • max time kernel: 299s
  • max time network: 298s
  • platform: windows7_x64
  • resource: win7-20240705-en
  • resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted: 12-08-2024 05:06

General

  • Target: a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe
  • Size: 1.8MB
  • MD5: f19c5b8c97857169bbfc5aea1e12d2fa
  • SHA1: 6895c85c50e0214bb4b144067edd829a70cc5dcd
  • SHA256: a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08
  • SHA512: e33440c55909fe053745c71220701663897eae4f4e57c1d80d02168cd93e15934643fba20cdd5455702c57f4c3474def52b72a13c65f51addb3a680deb21b0cb
  • SSDEEP: 49152:CsV1VaoB9emiCynu3qskp3n96gD1nCcqn6wXclixlffFNN:CsV1FeXKqD96glC/n6RqFNN

Malware Config

Extracted

  • Family: amadey
  • Version: 4.41
  • Botnet: 0657d1
  • C2: http://185.215.113.19
  • Attributes
    • install_dir: 0d8f5eb8a7
    • install_file: explorti.exe
    • strings_key: 6c55a5f34bb433fbd933a168577b1838
    • url_paths: /Vi9leo/index.php
  • rc4.plain

Extracted

  • Family: stealc
  • Botnet: kora
  • C2: http://185.215.113.100
  • Attributes
    • url_path: /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe
    "C:\Users\Admin\AppData\Local\Temp\a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2900
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2480
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2348
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.0.117122171\562446046" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31ac260c-9ada-4353-a54b-fb893ba6a442} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 1292 115e1858 gpu
                7⤵
                  PID:112
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.1.692474941\369092715" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18c873f3-dabf-4f59-8c0d-ff78e809033f} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 1504 f73358 socket
                  7⤵
                    PID:2548
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.2.893094459\764723427" -childID 1 -isForBrowser -prefsHandle 1876 -prefMapHandle 1988 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4621c236-ac80-4513-a1e8-db56d72ae867} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 1836 11560758 tab
                    7⤵
                      PID:2868
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.3.48218789\1436933025" -childID 2 -isForBrowser -prefsHandle 608 -prefMapHandle 572 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {448d7d3a-b4b3-4a24-9a8a-acb542360164} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 2388 f73058 tab
                      7⤵
                        PID:2432
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.4.1985243906\764023589" -childID 3 -isForBrowser -prefsHandle 3812 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b702f4cf-96af-4ba0-bd39-5613517a9559} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 3824 1de0e558 tab
                        7⤵
                          PID:2968
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.5.1244208476\101597115" -childID 4 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9788436f-9da9-4269-a2fc-e38f92fafccc} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 3920 2119e858 tab
                          7⤵
                            PID:1956
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.6.1879564007\1835320592" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {17b622cd-8896-487d-aca9-d7e44b413914} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 4100 21f0e958 tab
                            7⤵
                              PID:2888
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2348.7.609352567\1719480921" -childID 6 -isForBrowser -prefsHandle 4364 -prefMapHandle 4368 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {642f01a8-76b9-4044-8cb0-fdc36ecc602f} 2348 "\\.\pipe\gecko-crash-server-pipe.2348" 4380 1b4c8958 tab
                              7⤵
                                PID:2636
                      • C:\Users\Admin\1000037002\3463c39ad0.exe
                        "C:\Users\Admin\1000037002\3463c39ad0.exe"
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3044
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1056
                      • C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1052

                  Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Users\Admin\1000037002\3463c39ad0.exe

                    Filesize

                    206KB

                    MD5

                    62c81eb8cd78dbcf5767f84caad6972e

                    SHA1

                    9a508e8724c1431394717ebd3c6dee2f9f21d082

                    SHA256

                    166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250

                    SHA512

                    2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

                  • C:\Users\Admin\AppData\Local\Temp\1000036001\ee319cb5d0.exe

                    Filesize

                    1.2MB

                    MD5

                    db946418424011c782182c76ab8c179f

                    SHA1

                    d640d54d341cf6341bd434c9015d23d22156612a

                    SHA256

                    bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e

                    SHA512

                    a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

                  • C:\Users\Admin\AppData\Local\Temp\1000038001\a9bed322ab.exe

                    Filesize

                    187KB

                    MD5

                    278ee1426274818874556aa18fd02e3a

                    SHA1

                    185a2761330024dec52134df2c8388c461451acb

                    SHA256

                    37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

                    SHA512

                    07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    442KB

                    MD5

                    85430baed3398695717b0263807cf97c

                    SHA1

                    fffbee923cea216f50fce5d54219a188a5100f41

                    SHA256

                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                    SHA512

                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    8.0MB

                    MD5

                    a01c5ecd6108350ae23d2cddf0e77c17

                    SHA1

                    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                    SHA256

                    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                    SHA512

                    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                    Filesize

                    7KB

                    MD5

                    cb1b75b915b683074a0ff9a3de3e3331

                    SHA1

                    69250d39e214cd1deba64352cab1d15435f88766

                    SHA256

                    750c36a8f222a4e33410b4da91e9d1aaea11dc4041769e17cd6a97ee0782eb14

                    SHA512

                    2c7b4fc682590780fca4e93233d5ab162cf016280f79804c3a2947ad9e8b40edde7694973a7cecce317e1166a966ab5e80052667abd2cf1cea0cc5cae6633184

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\addonStartup.json.lz4

                    Filesize

                    5KB

                    MD5

                    35860b7440797fdf92b6b343858fae39

                    SHA1

                    62c24f43eedf6e71b226f0159dbbfeecc152f47f

                    SHA256

                    fa8d0fffa1b53a2ef40a65da9e28fe04dd91f053f4784f542714e60b4290f498

                    SHA512

                    5ae3d1a8279ae0fdf7954c3cf2279ea9c525e36547c4ed92049f741be6bd46bfef82b40763c7d01e0620dcf356fc9fc45b12be4dce319d4d9b354f6fa15d1a69

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\bookmarkbackups\bookmarks-2024-08-12_11_L2sLur954nYBdQ3s4g+3lg==.jsonlz4

                    Filesize

                    957B

                    MD5

                    ecd71170c37ebb24f04d6d8ba720b793

                    SHA1

                    5d0d3c42d121d7d5aa06f6b6c16a8f158ea29972

                    SHA256

                    293e5875f539e4982d26fa3729c0d68477bd41f1b25ce8ede3c5149f6cac6d21

                    SHA512

                    564c63c165bd972bc9f5dbce1ba0c6ffd163e6a18c284c0388ac5addc86b935ed05a7ce1c5e01bc0ea55d0fa33fbb9420cb13c9f409601e09b0cd2befecfe6f9

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\broadcast-listeners.json

                    Filesize

                    204B

                    MD5

                    72c95709e1a3b27919e13d28bbe8e8a2

                    SHA1

                    00892decbee63d627057730bfc0c6a4f13099ee4

                    SHA256

                    9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                    SHA512

                    613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\db\data.safe.bin

                    Filesize

                    2KB

                    MD5

                    445d8376bcbb7960d48c64fb6b4b1391

                    SHA1

                    6ee907c84c41dc3493420220ed22d86daddc6f09

                    SHA256

                    42378b9534cae033c921c3a06c413fd280e68bdb8fe6068d5f78e313638f17d6

                    SHA512

                    c085f4022b5a0cf8c1ce0ad6bba13108a10e975197798a80361fef81d642da79bb3074e849fe0e0518f7ce1b662d7849816b9ed6b5b80046bb9d88c7c4b6b2ce

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\2e24c821-2d17-4445-8671-b4c7186cf18b

                    Filesize

                    13KB

                    MD5

                    5e0152985062651095139db02b46789f

                    SHA1

                    ac81394bd6ba7e55931270d59d02c624100e8441

                    SHA256

                    56a641bbdcd488a415d505b4752dc72234590b913e7dfb312d72f953034a025d

                    SHA512

                    a39505ed8a5382c93a2eea60ff7864f26425c98c74b2acfb3df422ff0c9e4beea8da3db65956a47b8be6900589042c167b8d17f052eab376757b5b5cc89ca357

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\datareporting\glean\pending_pings\9507cce1-d512-4475-ad67-c75704db05ba

                    Filesize

                    745B

                    MD5

                    7e7130fb3edd2875cdbd9660eff7e15e

                    SHA1

                    3c443b27793d1452e1feefababc4c9fc458649f3

                    SHA256

                    f66ecf87fd0bd86ef91b8ae3ab01a70332fad46b7cdf2c270cf5f10c241a7df1

                    SHA512

                    73f9f0c63261adfa10851e41de751c2b6dbf50f67fbd2f869c064be0a590613ff06a8e0824a7385c82da2475935818547e52d34ad3229afbf1659f210d37bf15

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                    Filesize

                    997KB

                    MD5

                    fe3355639648c417e8307c6d051e3e37

                    SHA1

                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                    SHA256

                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                    SHA512

                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    3d33cdc0b3d281e67dd52e14435dd04f

                    SHA1

                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                    SHA256

                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                    SHA512

                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                    Filesize

                    479B

                    MD5

                    49ddb419d96dceb9069018535fb2e2fc

                    SHA1

                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                    SHA256

                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                    SHA512

                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                    Filesize

                    372B

                    MD5

                    8be33af717bb1b67fbd61c3f4b807e9e

                    SHA1

                    7cf17656d174d951957ff36810e874a134dd49e0

                    SHA256

                    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                    SHA512

                    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                    Filesize

                    11.8MB

                    MD5

                    33bf7b0439480effb9fb212efce87b13

                    SHA1

                    cee50f2745edc6dc291887b6075ca64d716f495a

                    SHA256

                    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                    SHA512

                    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                    Filesize

                    1KB

                    MD5

                    688bed3676d2104e7f17ae1cd2c59404

                    SHA1

                    952b2cdf783ac72fcb98338723e9afd38d47ad8e

                    SHA256

                    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                    SHA512

                    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                    Filesize

                    1KB

                    MD5

                    937326fead5fd401f6cca9118bd9ade9

                    SHA1

                    4526a57d4ae14ed29b37632c72aef3c408189d91

                    SHA256

                    68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                    SHA512

                    b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js
  Filesize: 7KB
  MD5: b73304ceb98de8aed2906377733ec46f
  SHA1: 8b7125bc4fee961fccec00c8db104e23eae905be
  SHA256: a81c41d500172be77b03a80b7bea79b5aeec7c3ed8f9c96c8b7eeb2b80188e90
  SHA512: ee7cff16a41df5ec80d727ec3523dfc0805af96e89ddffd9f15182f528da1a7646ccf81843d666b0641187fa81abd848e9ac24f8bb90f4650c1674ef026c2df2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js
  Filesize: 6KB
  MD5: 703b8e4e677f45857bf0496493b1e719
  SHA1: c27b36be80776cf719039b72d7e1a45cfdecdeec
  SHA256: 842add14bf40c0bedc9859fe97c38e6efea85b442d139ce01a21152935b1b456
  SHA512: d0dcf297a3a21f1a9237bd6cbc71ede652104baceb23074a44ec28835db868e4e3bb8b7caab56f492f372bd35695bb2147a733698ea4e9592e7d8027719d5a6f

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js
  Filesize: 7KB
  MD5: 5ee4bdfdfc61ce154be6829e79c850e1
  SHA1: 4a1f30eeea731875521ec69c1007e9d07053dcc5
  SHA256: 1bef99d75ed687a8a3bea4951cbf0a1f3faba5778e91e0893ac1d6f22ae45e5d
  SHA512: c1c84db7de3262c2b45aa2ef5524e3a77bb6af3efd65307bfa6fb1029fbdfc88d5e5dc778b03af4dba4aeba041048bbd333ef4737a1a347e57baf2bf3dd2d79d

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\prefs-1.js
  Filesize: 7KB
  MD5: d493dd71b0b867f909f10e782c06821e
  SHA1: f58ee631625c9bee7a28a216393df67062c84ed9
  SHA256: 1c4017ba2afb650e9fb30627fe1f79f5c66e43e578fe071bc0fea09cf49abc0b
  SHA512: 7becbe5f40ae658669fd5bdae1cd96361166d0eb536c0ad29ecad026055d1d52ba030996f8440b8ebce1f5a0a2684d1abf40bed11a5618bf995afaea47b34c8a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionCheckpoints.json
  Filesize: 90B
  MD5: c4ab2ee59ca41b6d6a6ea911f35bdc00
  SHA1: 5942cd6505fc8a9daba403b082067e1cdefdfbc4
  SHA256: 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
  SHA512: 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
  MD5: 72777279e2f5690f149508ea19f29886
  SHA1: beb9c0f1068a20c3a5e545360885558af3cc4332
  SHA256: c2b758bb47bd5e6871501cdd1e904549b4097e36873c2a701136038d78f7924f
  SHA512: 8f8c20b17c880e9e725554c91ab22f322ee0473ab584a075fcd2ccc993f1cc562ea94da1fa4895ce4684642125fbe9d5ebd19ad5c80d53635322f3f132478ba4

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: d2733b4fbeb4e439049cc5be9c8e2441
  SHA1: d785fea6f76422ab46f2c4d690c55f66f8ac2d4c
  SHA256: 540fcec1bebb679cfa2430462d03751d62efa79800744e3e5006756713823918
  SHA512: f2de8de63e5524e6f397d28f5d0db4d8d66cef8ca29db373fb68fe4a36f6490e0440ea37f5e5defc5f6b8440e4c374b7e61279397d5f6c25e62b940b62b3302a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\targeting.snapshot.json
  Filesize: 4KB
  MD5: fa263fcfe04d8f760ce3cc07534b4831
  SHA1: bb6e5e6a206d744c012c98b2e165b83065d2ba3e
  SHA256: 366a419f8a83e8cd068055df9bd8ba84f581dfd78c1257b4c2e1c0e01c84b99c
  SHA512: 880022cd85b63e1ffef131abdedcee0fe19eb8229390bbb4bbe74c223ed0b43b3906079e1d20a9a4d2c0d4a8efd8a518815be051a9be7a985678e62672e192ff

• \Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Filesize: 1.8MB
  MD5: f19c5b8c97857169bbfc5aea1e12d2fa
  SHA1: 6895c85c50e0214bb4b144067edd829a70cc5dcd
  SHA256: a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08
  SHA512: e33440c55909fe053745c71220701663897eae4f4e57c1d80d02168cd93e15934643fba20cdd5455702c57f4c3474def52b72a13c65f51addb3a680deb21b0cb

• memory/860-10-0x0000000000B10000-0x0000000000FAF000-memory.dmp
  Filesize: 4.6MB

• memory/860-5-0x0000000000B10000-0x0000000000FAF000-memory.dmp
  Filesize: 4.6MB

• memory/860-0-0x0000000000B10000-0x0000000000FAF000-memory.dmp
  Filesize: 4.6MB

• memory/860-1-0x0000000077790000-0x0000000077792000-memory.dmp
  Filesize: 8KB

• memory/860-2-0x0000000000B11000-0x0000000000B3F000-memory.dmp
  Filesize: 184KB

• memory/860-3-0x0000000000B10000-0x0000000000FAF000-memory.dmp
  Filesize: 4.6MB

• memory/860-18-0x0000000000B10000-0x0000000000FAF000-memory.dmp
  Filesize: 4.6MB

• memory/860-13-0x0000000006BD0000-0x000000000706F000-memory.dmp
  Filesize: 4.6MB

• memory/1052-108-0x0000000000E00000-0x0000000001043000-memory.dmp
  Filesize: 2.3MB

• memory/1052-107-0x0000000000E00000-0x0000000001043000-memory.dmp
  Filesize: 2.3MB

• memory/1056-82-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1056-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/1056-85-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1056-86-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1056-76-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1056-88-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1056-80-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1056-74-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/1056-78-0x0000000000400000-0x0000000000643000-memory.dmp
  Filesize: 2.3MB

• memory/2380-39-0x0000000001130000-0x0000000001260000-memory.dmp
  Filesize: 1.2MB

• memory/2656-389-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-391-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-256-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-299-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-255-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-254-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-237-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-197-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-105-0x00000000063A0000-0x00000000065E3000-memory.dmp
  Filesize: 2.3MB

• memory/2656-106-0x00000000063A0000-0x00000000065E3000-memory.dmp
  Filesize: 2.3MB

• memory/2656-17-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-486-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-354-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-356-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-358-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-370-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-372-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-373-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-374-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-375-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-376-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-382-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-383-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-384-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-481-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-390-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-267-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-393-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-395-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-396-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-397-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-480-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-479-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-19-0x0000000000BC1000-0x0000000000BEF000-memory.dmp
  Filesize: 184KB

• memory/2656-470-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-465-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-20-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-22-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-23-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2656-24-0x0000000000BC0000-0x000000000105F000-memory.dmp
  Filesize: 4.6MB

• memory/2900-41-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-47-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-45-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-43-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-49-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-57-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-55-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-54-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/2900-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

• memory/2900-51-0x0000000000400000-0x000000000052D000-memory.dmp
  Filesize: 1.2MB

• memory/3044-72-0x0000000000050000-0x0000000000088000-memory.dmp
  Filesize: 224KB

• memory/3044-73-0x00000000021F0000-0x00000000041F0000-memory.dmp
  Filesize: 32.0MB
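The listing above is what an analyst usually has to turn into something usable: the dropped-file hashes become IOCs, the dump file names encode the address range that was dumped, and the same range is dumped many times for one PID. The script below is an added example, not part of the sandbox report or of any vendor tooling. It parses the listing in the flattened key/value layout shown on this page, collapses the repeated dumps into the distinct regions per PID, cross-checks each dump's listed size against the span of its address range, and flags any dropped file whose SHA256 equals the submitted sample's (a loader copying itself into its install directory). The sample text is a constructed excerpt built from entries in the listing above with some hash lines trimmed, and the "submitted sample" hash passed in the usage is assumed to be the one listed for the dropped explorti.exe; in practice you would pass the hash of whatever you submitted.

```python
import re

# Key lines exactly as they appear in the flattened report listing
KEYS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt in the page's own layout: a few entries copied from the
# listing above, SHA1/SHA512 lines trimmed. Blank lines are optional.
SAMPLE = r"""
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.default-release\sessionCheckpoints.json
  Filesize
  90B
  SHA256
  00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
• \Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  Filesize
  1.8MB
  SHA256
  a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08
• memory/860-10-0x0000000000B10000-0x0000000000FAF000-memory.dmp
  Filesize
  4.6MB
• memory/860-0-0x0000000000B10000-0x0000000000FAF000-memory.dmp
  Filesize
  4.6MB
• memory/860-2-0x0000000000B11000-0x0000000000B3F000-memory.dmp
  Filesize
  184KB
• memory/3044-73-0x00000000021F0000-0x00000000041F0000-memory.dmp
  Filesize
  32.0MB
"""


def parse_listing(text):
    """One dict per bullet: a '•' line starts an entry (its path); a key line
    such as 'Filesize' takes the next non-blank line as its value."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"path": line.lstrip("• ").strip()})
            pending = None
        elif line in KEYS:
            pending = line
        elif pending and entries:
            entries[-1][pending] = line
            pending = None
    return entries


def human_size(n):
    """Render a byte count the way the report does: 90B, 184KB, 4.6MB, 32.0MB."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{round(n / 1024)}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def memory_regions(entries):
    """Collapse the repeated per-snapshot dumps into the distinct address
    ranges dumped for each PID: {pid: [(start, end, size_label), ...]}."""
    spans = {}
    for e in entries:
        m = MEM_RE.match(e["path"])
        if m:
            pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
            spans.setdefault(pid, set()).add((start, end))
    return {pid: [(s, t, human_size(t - s)) for s, t in sorted(v)]
            for pid, v in sorted(spans.items())}


def size_mismatches(entries):
    """Dumps whose listed Filesize disagrees with the span of their address
    range (a corrupted or mis-extracted line)."""
    bad = []
    for e in entries:
        m = MEM_RE.match(e["path"])
        if m and human_size(int(m.group(4), 16) - int(m.group(3), 16)) != e.get("Filesize"):
            bad.append(e["path"])
    return bad


def self_copies(entries, sample_sha256):
    """Dropped files with the same SHA256 as the submitted sample, i.e. the
    loader copying itself into its install directory under a new name."""
    return [e["path"] for e in entries
            if e.get("SHA256", "").lower() == sample_sha256.lower()]


if __name__ == "__main__":
    arts = parse_listing(SAMPLE)
    # Assumed submitted-sample hash (the one listed for the dropped explorti.exe)
    print(self_copies(arts, "a5bcb19eef5f5506fbd70b2e6ae31409d8e1affd86b2a002cdd09c262ee6bb08"))
    for pid, regions in memory_regions(arts).items():
        print(pid, [f"0x{s:X}-0x{t:X} ({lbl})" for s, t, lbl in regions])
    print("size mismatches:", size_mismatches(arts))
```

Running it on the full listing rather than the excerpt reduces the seventy-odd dump entries to a handful of regions per PID (for example PID 2656 collapses to the 0xBC0000 image, its 0xBC1000 sub-range and the 0x63A0000 region), which is the view you want when deciding which dump to load into a disassembler. `size_mismatches` should come back empty for a clean extraction; the size labels follow the 1024-based rounding the report uses, so an entry in the list means the page text, not the arithmetic, is off.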