Analysis

  • max time kernel
    299s
  • max time network
    288s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-08-2024 05:06

General

  • Target

    b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe

  • Size

    1.8MB

  • MD5

    71a0c8fa3b7166ee00b2871ab257049e

  • SHA1

    a10d5aa83d11a6a1f661ef5422e8d5455791e897

  • SHA256

    b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e

  • SHA512

    aa95eb6e6aa71fb298babcc9a97cfaf55c3dcd7fd607acafd550a03d21365e0367c89d1da3f41cb26d68a6ef5131e761d1d67b9022cbd1cf599136e25013ca95

  • SSDEEP

    24576:U015/xtUjxORnKVliMwoqgPD0rskl7qVfJqkHLsF5fcCmn7oB2I/tyYtCuhHjUVP:71dtKVliM4AMzYV8kHLw2n8fFycZSS6

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes
  • install_dir

    0d8f5eb8a7

  • install_file

    explorti.exe

  • strings_key

    6c55a5f34bb433fbd933a168577b1838

  • url_paths

    /Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe
    "C:\Users\Admin\AppData\Local\Temp\b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1628
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1560
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.0.223252204\153869984" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a36da469-ee90-45fe-85c6-80cdb053e101} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 1308 120d9658 gpu
                7⤵
                  PID:1568
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.1.1291139743\1041408827" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1dc879a9-b3bb-4b4a-8e33-0e5680f329a6} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 1504 e71b58 socket
                  7⤵
                    PID:1608
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.2.727964529\1817837209" -childID 1 -isForBrowser -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9cd77ab-0a15-4715-a17c-2157f72e7eea} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 2096 1b4aea58 tab
                    7⤵
                      PID:1676
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.3.2127734601\1862376573" -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9e4e7be-17db-4368-80d6-0b8f7aaf0ae2} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 2904 1de52658 tab
                      7⤵
                        PID:3000
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.4.734154689\283840631" -childID 3 -isForBrowser -prefsHandle 3064 -prefMapHandle 3324 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4408db9e-790c-400f-a575-9b9f24b4642a} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 3652 17edc758 tab
                        7⤵
                          PID:1496
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.5.632221550\1317404080" -childID 4 -isForBrowser -prefsHandle 3760 -prefMapHandle 3764 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {baf8b5eb-e880-4212-b40b-3978fb16ff2b} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 3748 1f438758 tab
                          7⤵
                            PID:3012
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.6.747275035\1833779120" -childID 5 -isForBrowser -prefsHandle 3924 -prefMapHandle 3928 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad431895-bf4f-4f27-ab02-1c05f198a779} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 3912 1b6c3858 tab
                            7⤵
                              PID:1588
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.7.588952137\1504560271" -childID 6 -isForBrowser -prefsHandle 4224 -prefMapHandle 2760 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c8a75e-7ea1-48be-8605-2ae2ad0a6205} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 4300 1c51e858 tab
                              7⤵
                                PID:1404
                      • C:\Users\Admin\1000037002\d4b55d499e.exe
                        "C:\Users\Admin\1000037002\d4b55d499e.exe"
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:1220
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:1324
                      • C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2244

                  Downloads

                  • C:\Users\Admin\1000037002\d4b55d499e.exe

                    Filesize

                    206KB

                    MD5

                    62c81eb8cd78dbcf5767f84caad6972e

                    SHA1

                    9a508e8724c1431394717ebd3c6dee2f9f21d082

                    SHA256

                    166a8fac98b553a4e3647cefc034fe826b753958c0be902d9483148edb001250

                    SHA512

                    2feaa6cb070e548790b01601fe13846cd7eb005e2f1b8441092f4f92a1e4cfea6c1bc84314f78ea023e10bec8e3d5712ca43336c090eed0073c7ed99ebbf5af5

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp

                    Filesize

                    49KB

                    MD5

                    03e3a20f3c4b82e87609d7c1d0ec92ea

                    SHA1

                    1c275393dab2cdb288eb98dbe2ed5099e6fc2838

                    SHA256

                    c4da46ac22f8c4d0b893a5acfb00f9921100c4ef07bdd2abd3cdb78f026a2f41

                    SHA512

                    2844ca16920642cfd117cd74f333c1d71aa389cb2e559a2f7c1bc500c995227c49c25cfc424e08455d220ad52969051e66cace001a3c0463d6cb3cedeb904415

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

                    Filesize

                    9KB

                    MD5

                    21ce1780baa4d90ced22bc633c83f045

                    SHA1

                    5be805c966e50f407a5d076df792144a20984e36

                    SHA256

                    7b951a4a974057f8d65ec3fb7afab01cff86db6cd7de90bf201a813baa2f32bc

                    SHA512

                    78350592819faa631cb32cfb2fbbefde01fedcfb989e0d430fc8d2087569d1d79931e5571b55170041e5773ad101e5bfee85c1b7a82e93c8673a2941ab4fde58

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\1E3866B584D906DD8CB8840AB2070142E2DEA38A

                    Filesize

                    14KB

                    MD5

                    819c2b867e6f889158daa81e82ec0dbb

                    SHA1

                    b549d553150c138213a9fb599722e006a4016445

                    SHA256

                    12dcae339ca2eb300ff6f78688d86306cab3a8f4e143a9246e1b6c3e46d2fa38

                    SHA512

                    535e6a03ed973d560683266c3f52ff80e2d2a51068d0d931edbd8c08bd2f60610b23707e98b45c6b56422fcf7d67bcec9ce5e26c499be57df0d074e4b3120f40

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\37D2E89C1D0242DDB3DF8EE21723247430D7DDCD

                    Filesize

                    37KB

                    MD5

                    44032a48ac9de37f55498d87971ccaf4

                    SHA1

                    aad68955504237a7e012dbee5c01c040d0451b40

                    SHA256

                    48e10bdca9375c7fc44c01dcb46b7ead1a9b139cef9d45bfaa640f494ce06b01

                    SHA512

                    fd69f58ba4e5a39d9e206a13bfd37754cb60e5bed3cccc33d85efada74dc77f3cbfc881494fd45781d002c7eef8244f0fa44cf88605656ecaa1ad6564d7d9143

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\552D7E776EF97053734643ADC0C74EEAE5E0BE4C

                    Filesize

                    107B

                    MD5

                    bf87a81f021eca94ebe3eddaf321cbb2

                    SHA1

                    5fea4dcde86ab8541f60ee599fa22bfbc3cfd788

                    SHA256

                    7e29d9328344a32a57ee16f36882f8998f0efa6c974ef0e3f507d90764d53369

                    SHA512

                    ec6112d11906cdaa6d42a2470a63539adbbf61c5bb9bc4b79da3f72422a25a76083db5b6717971cb2d2406b1688b70c697ab072672b30755718162dc248650e5

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

                    Filesize

                    13KB

                    MD5

                    2f7c2f5385bedc79641b7c3114bed4d6

                    SHA1

                    69d239bff3bb8d933d5d6156314aed1b8c0e76d0

                    SHA256

                    c636d626cb2a5cb4cd9603434ffd6b9f2ca1b4d95eb444494622f7d9389ef6a4

                    SHA512

                    41b5214628fd1ab4363bd513006cc3fd1c182d35b2164fb7978b36d8650d1dbcf99080de5a6222adb63ad1039a4d38498964c9accbfa8995f9e66b9118682df2

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\981FF3057E35D6BAFA9551BD06F32D0A288FBFF9

                    Filesize

                    13KB

                    MD5

                    90085d292f4e7cd493bb9ed1a44ae389

                    SHA1

                    1a2751e04af751865bcec0d683546d6542610754

                    SHA256

                    ae3364ffe5d7fe7c0ea13ff557924e5a422eb0ea794afbde11b9a0695c30e6e0

                    SHA512

                    47cba5eb63d9448721cf322034537f539d61e7dd85afec754029f99bcc26f5cfba0d36c08aca8a22676089d8ab5068e28b9d1cb4c0dc1fee4281a66a1239d41c

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

                    Filesize

                    13KB

                    MD5

                    43b54205736e29507e5a988fe461049d

                    SHA1

                    0a8394728511c8088a6b9fbf79223a498a24ae53

                    SHA256

                    0ed1d1df02479f20b01d5501554394a0cc93cdf5157c00dbf74ba08a2b5f8c91

                    SHA512

                    13cc67bfa665066bc6d596b5debc9681f294c87b10ac02897180e5ffc2bf3ecca9d3967af08ead51617f0c9139566f7fefd7a504c7c6559277b02717bcf35772

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

                    Filesize

                    11KB

                    MD5

                    8da2defb57478b36c4835c525d59fcef

                    SHA1

                    9b41ce64996499f405586d3e519d3a6676176c72

                    SHA256

                    496f4203c67c5a2ad8f8d07f73e3801e21c0541a56bd7c0a021deca1328f3314

                    SHA512

                    bcb9e6970f8764bdf3c5ce52c4a93944b1f025ef7a5b351d935e35c9c2d0fbd49626a6d28a46af848bbc6984ce235a562442e70d53d6f0a0ef8a876da5fc1634

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

                    Filesize

                    9KB

                    MD5

                    41162ccadb00169040dd646b1bd5c49c

                    SHA1

                    0af889dec51e8017a176e82c9d48ce15f1e97049

                    SHA256

                    ca1c994f15cfadee58d7fe747ff44cc2d8e21725f168d5e09095663500bcf31d

                    SHA512

                    9557dc03717cdbe41af3d83cd6ab411b57c8cd1d0499e67a178b87c1d734fb8fc25d4066ed62b97c3e925e236529442a765b133e410be3c0d09fdb365d41a115

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

                    Filesize

                    7KB

                    MD5

                    c460716b62456449360b23cf5663f275

                    SHA1

                    06573a83d88286153066bae7062cc9300e567d92

                    SHA256

                    0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

                    SHA512

                    476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

                  • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

                    Filesize

                    1.8MB

                    MD5

                    71a0c8fa3b7166ee00b2871ab257049e

                    SHA1

                    a10d5aa83d11a6a1f661ef5422e8d5455791e897

                    SHA256

                    b7f96c69f3ea24af265a57bb9a8799a3501e06b2551ff170d768cf5949344b4e

                    SHA512

                    aa95eb6e6aa71fb298babcc9a97cfaf55c3dcd7fd607acafd550a03d21365e0367c89d1da3f41cb26d68a6ef5131e761d1d67b9022cbd1cf599136e25013ca95

                  • C:\Users\Admin\AppData\Local\Temp\1000036001\4bdb7803fe.exe

                    Filesize

                    1.2MB

                    MD5

                    db946418424011c782182c76ab8c179f

                    SHA1

                    d640d54d341cf6341bd434c9015d23d22156612a

                    SHA256

                    bfdffea79fd6126c2256fab3f3b0421ec9b3a77a618fc406cd0f2e7d4a38f04e

                    SHA512

                    a73c645fe96ff6e49207326af35635998af343d2aa5ddd5e8b2bbd2bcded52869d588bb8c69eb220593d3152be99812e3462b1b09deea80adcac30bed9ed8956

                  • C:\Users\Admin\AppData\Local\Temp\1000038001\6951581cab.exe

                    Filesize

                    187KB

                    MD5

                    278ee1426274818874556aa18fd02e3a

                    SHA1

                    185a2761330024dec52134df2c8388c461451acb

                    SHA256

                    37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

                    SHA512

                    07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    442KB

                    MD5

                    85430baed3398695717b0263807cf97c

                    SHA1

                    fffbee923cea216f50fce5d54219a188a5100f41

                    SHA256

                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                    SHA512

                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    8.0MB

                    MD5

                    a01c5ecd6108350ae23d2cddf0e77c17

                    SHA1

                    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                    SHA256

                    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                    SHA512

                    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                    Filesize

                    7KB

                    MD5

                    9a04157e124d7a83a013b7cd6e33f4ac

                    SHA1

                    99be893330b6b9ae0cfde69da39adf14bece307b

                    SHA256

                    9011c2ccc00f156ac318fb22a52d37e3b131f23ee101d8a1b5616b66db6ccece

                    SHA512

                    c965cc9b670a7853c465078cb23831fc018adf04a4b1aa61e96f768e04bbb8ceaa8ed9b5f3457aeb31965eabc9c3e0ee33be567ddd0a50ac83833b524e766562

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\addonStartup.json.lz4

                    Filesize

                    5KB

                    MD5

                    451345068ee2338192b2ad20cae34076

                    SHA1

                    baae501c9a75ecd35f6bb885f000f9b17e84300f

                    SHA256

                    0b20523edacbb0cb40e35f1fcaf1accf30bd741fe353bcfc06a3dab18a8ca76f

                    SHA512

                    2e17607f964f46f2274245dd4274b3d558d090aad7685eb1f5f60891a196388a53fe3f453fc37650b873325c79ca04b6b88e1817e189dffb931b17ef9cb7e61a

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\bookmarkbackups\bookmarks-2024-08-12_11_xTq2h+S603FCU6C336nrGw==.jsonlz4

                    Filesize

                    952B

                    MD5

                    b87efcb27c4625955a16e8cdc79d70a1

                    SHA1

                    79b8ea7edd452d86d9087407aea75e612aad92a2

                    SHA256

                    98982fa608a6d2ee9e544bfcf5856f62bc003d67861ebb4d63937bbfc23ff8f3

                    SHA512

                    97f68c78d98079c31c18eaf47eb1595a646c095a9c400bda4a31f1c42345d6f0ab60187d2a127de21215d29121923f2c4aa7fe30319d0be86a1db601f6b26a80

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\broadcast-listeners.json

                    Filesize

                    204B

                    MD5

                    72c95709e1a3b27919e13d28bbe8e8a2

                    SHA1

                    00892decbee63d627057730bfc0c6a4f13099ee4

                    SHA256

                    9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

                    SHA512

                    613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin

                    Filesize

                    2KB

                    MD5

                    a37ad8c42fbb6ab5c561aa777c3f70b3

                    SHA1

                    aede960791738d0da5158893495374f7fd12ec96

                    SHA256

                    673c18336be9534fefbcf346870771d5c51c652cf5a94403b7ccd699adad7f12

                    SHA512

                    4b7e5fbfa2830c3cb877b5acb63557fe7a4ea52cb8d1af7dbb127d925fe96a8d4fba9f76c2493d20b49a15b05796f3bada616078cadec3abddf95b91a4345293

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\8e8a15c4-6ab8-4680-ad91-016a2910e35b

                    Filesize

                    745B

                    MD5

                    32d0a35d8f6381274c8ca893c7f04ca4

                    SHA1

                    a849a0d7b081824102ed2230181676097542dc41

                    SHA256

                    fb3d067be9d5a4e827cc6b398756ae7a19b9c184dd5f049331c65c4fc5dbb58f

                    SHA512

                    6910476d93f32cef1c60dc56afeb7f7a68131dc76dcf6e1f62d9e9d2a24abf9376abcf1a03b38980bedeec661ace7e65439d860c561a8f8c38229631f8a271b8

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\ae89e14a-c741-4b22-8b00-79a9fa3195db

                    Filesize

                    12KB

                    MD5

                    283de8bde38acb273c7098fb9d5717b2

                    SHA1

                    4a5041c42645b6707e43dbd85c81bec4df9bb172

                    SHA256

                    3850bf5084ed7e4a0d1ee339441ed69cb4cb9aa8c6d7a2c5894c63ac7df1ac62

                    SHA512

                    b5a6c30a1ef9ac9e848b19bde6f10e7e58a1670f531e7441479111125470b5bc44797e99779fd7a195ad3196dacd4d4bd7b88261d019e6de4c74a060c969c647

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                    Filesize

                    997KB

                    MD5

                    fe3355639648c417e8307c6d051e3e37

                    SHA1

                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                    SHA256

                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                    SHA512

                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    3d33cdc0b3d281e67dd52e14435dd04f

                    SHA1

                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                    SHA256

                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                    SHA512

                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                    Filesize

                    479B

                    MD5

                    49ddb419d96dceb9069018535fb2e2fc

                    SHA1

                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                    SHA256

                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                    SHA512

                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                    Filesize

                    372B

                    MD5

                    8be33af717bb1b67fbd61c3f4b807e9e

                    SHA1

                    7cf17656d174d951957ff36810e874a134dd49e0

                    SHA256

                    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                    SHA512

                    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                    Filesize

                    11.8MB

                    MD5

                    33bf7b0439480effb9fb212efce87b13

                    SHA1

                    cee50f2745edc6dc291887b6075ca64d716f495a

                    SHA256

                    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                    SHA512

                    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                    Filesize

                    1KB

                    MD5

                    688bed3676d2104e7f17ae1cd2c59404

                    SHA1

                    952b2cdf783ac72fcb98338723e9afd38d47ad8e

                    SHA256

                    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                    SHA512

                    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                    Filesize

                    1KB

                    MD5

                    937326fead5fd401f6cca9118bd9ade9

                    SHA1

                    4526a57d4ae14ed29b37632c72aef3c408189d91

                    SHA256

                    68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                    SHA512

                    b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

                    Filesize

                    6KB

                    MD5

                    92658c74dc9a811547cfd501fd196f96

                    SHA1

                    060d73db6cb8e3b791edaf9c70383fe85bf141ea

                    SHA256

                    13f9ce7429833b9d91ebe6d2ad5d40e0147592835ecd4d4251fc91df3e15b9b5

                    SHA512

                    65e91f2a5db22ed276614cf0d7265672465f76d8901c25334b3ddf7f78107ab0fcae747a3f0b491b3569c651ff71a92a67560bf806dedb7dd796211f0c7f8314

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

                    Filesize

                    7KB

                    MD5

                    a85e65ce9c3ceb9e8489e0e161716cfd

                    SHA1

                    521b1eebd920fca36d2c33dc676a0a1b9a61e0b9

                    SHA256

                    cad9dc6055200d3838c0393423899b377e31dd5a82ffafc51fc7753726dfe8c1

                    SHA512

                    ae71b37be8dacd0ccb74b01e50b47342bc392c0ccac0322ef97f83ca07e9208f5b7104d349558117a9423c2abe2f31a4f0443f0355ff035b873121b5a3680447

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js

                    Filesize

                    7KB

                    MD5

                    d8eec301c8cda35bf0ce5252e1eccc9c

                    SHA1

                    78bc22cabef451434577883ba4e09615375df71d

                    SHA256

                    cc21053b0629bd11776faf243d54c8b03aab79581c66198ef05767adaf1e94df

                    SHA512

                    6a67ac307e410fe396cda21c28531b6d13d386d2e66bdc68b46e09e1a6d04306f1945177b05855ecb41de4d6d66dbe9cde2d51d2c3ce3224077607560eab4d34

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionCheckpoints.json

                    Filesize

                    90B

                    MD5

                    c4ab2ee59ca41b6d6a6ea911f35bdc00

                    SHA1

                    5942cd6505fc8a9daba403b082067e1cdefdfbc4

                    SHA256

                    00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

                    SHA512

                    71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4

                    Filesize

                    4KB

                    MD5

                    239d055b3e3dc74e974ef37debb1b656

                    SHA1

                    04dd04d983b3b0bc8c7d549217b90f21d3f0f844

                    SHA256

                    b9d36efd47ef9e9f11ba8db02a9b720e9f3a630687a46df967c8464cdf07a01b

                    SHA512

                    b71c259acad3cd69a75faa68583b529ac69b12cd63f854879a3719cc7219a912855658818b3593608974ac852b63b6b53584eba4ec875f851eb764b8ac80ebd5

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\targeting.snapshot.json

                    Filesize

                    4KB

                    MD5

                    0658301bb26be1d3c199eb19ae1564a2

                    SHA1

                    b84a1e492e7e656372298668971a334367f70ead

                    SHA256

                    6f9d8db828d3605857012d9f38b663edc5461f469c7496d2ab4ae5df87c5c84e

                    SHA512

                    49ef7a8718c5ff0e712524f0c7307a3126c744a16dc34af39998cda3d70c857132963d5c58a943fa295aa2833a6dbe0a44c7e98d20d965ab2a09137f3b5abd1b

                  • memory/1220-71-0x0000000000AB0000-0x0000000000AE8000-memory.dmp

                    Filesize

                    224KB

                  • memory/1324-77-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1324-84-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1324-73-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1324-75-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1324-85-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1324-79-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1324-81-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1324-87-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1508-288-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-18-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-258-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-259-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-260-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-529-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-521-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-295-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-105-0x0000000006570000-0x00000000067B3000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1508-516-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-104-0x0000000006570000-0x00000000067B3000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1508-515-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-514-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-505-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-501-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-252-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-19-0x0000000077200000-0x0000000077202000-memory.dmp

                    Filesize

                    8KB

                  • memory/1508-21-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-372-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-374-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-376-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-388-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-390-0x0000000006570000-0x00000000067B3000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1508-389-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-391-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-392-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-393-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-394-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-400-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-401-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-402-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-408-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-409-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-410-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-411-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-413-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-414-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-415-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1508-20-0x0000000000821000-0x000000000084F000-memory.dmp

                    Filesize

                    184KB

                  • memory/1508-23-0x0000000000820000-0x0000000000CDF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1764-38-0x0000000001080000-0x00000000011B0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2244-107-0x0000000001340000-0x0000000001583000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/2244-106-0x0000000001340000-0x0000000001583000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/2660-4-0x0000000000040000-0x00000000004FF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2660-0-0x0000000000040000-0x00000000004FF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2660-1-0x0000000000040000-0x00000000004FF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2660-2-0x0000000000040000-0x00000000004FF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2660-17-0x0000000006E90000-0x000000000734F000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2660-15-0x0000000000040000-0x00000000004FF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2660-16-0x0000000000041000-0x000000000006F000-memory.dmp

                    Filesize

                    184KB

                  • memory/2660-9-0x0000000000040000-0x00000000004FF000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3032-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                  • memory/3032-49-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-44-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-50-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-42-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-46-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-40-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-54-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-56-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/3032-53-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB
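The memory-dump entries above follow a fixed naming scheme, `memory/<pid>-<snapshot>-<start>-<end>-memory.dmp`, and the human-readable Filesize next to each one hides detail: two regions both shown as 1.2MB can differ in size, and one exact byte size recurring in two processes is a hint that the same image was mapped in both. The following Python is an added example, not part of the sandbox report or its tooling. It parses a subset of entries copied from the listing above, recomputes each region's size from the hex addresses, checks that against the declared Filesize under an assumed rounding convention (MB to one decimal place, KB to an integer), collapses repeated snapshots of the same region, and lists sizes shared across PIDs. The `REPORT_ENTRIES` list, the formatting convention in `human_size`, and all function names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Entry names and declared Filesize values copied from the memory-dump listing
# above (a subset; some repeated 1324/1508 snapshots are kept to show de-duplication).
REPORT_ENTRIES = [
    ("memory/1220-71-0x0000000000AB0000-0x0000000000AE8000-memory.dmp", "224KB"),
    ("memory/1324-77-0x0000000000400000-0x0000000000643000-memory.dmp", "2.3MB"),
    ("memory/1324-84-0x0000000000400000-0x0000000000643000-memory.dmp", "2.3MB"),
    ("memory/1324-73-0x0000000000400000-0x0000000000643000-memory.dmp", "2.3MB"),
    ("memory/1508-18-0x0000000000820000-0x0000000000CDF000-memory.dmp", "4.7MB"),
    ("memory/1508-288-0x0000000000820000-0x0000000000CDF000-memory.dmp", "4.7MB"),
    ("memory/1508-19-0x0000000077200000-0x0000000077202000-memory.dmp", "8KB"),
    ("memory/1508-20-0x0000000000821000-0x000000000084F000-memory.dmp", "184KB"),
    ("memory/1508-105-0x0000000006570000-0x00000000067B3000-memory.dmp", "2.3MB"),
    ("memory/1764-38-0x0000000001080000-0x00000000011B0000-memory.dmp", "1.2MB"),
    ("memory/2244-107-0x0000000001340000-0x0000000001583000-memory.dmp", "2.3MB"),
    ("memory/2660-0-0x0000000000040000-0x00000000004FF000-memory.dmp", "4.7MB"),
    ("memory/2660-17-0x0000000006E90000-0x000000000734F000-memory.dmp", "4.7MB"),
    ("memory/2660-16-0x0000000000041000-0x000000000006F000-memory.dmp", "184KB"),
    ("memory/3032-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/3032-49-0x0000000000400000-0x000000000052D000-memory.dmp", "1.2MB"),
]

ENTRY_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    snapshot: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_entry(name: str) -> Region:
    """Parse one dump entry name; reject names that do not fit the scheme or
    describe an empty or non-page-aligned range."""
    m = ENTRY_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump entry: {name!r}")
    pid, snap, start, end = m.groups()
    region = Region(int(pid), int(snap), int(start, 16), int(end, 16))
    if region.end <= region.start or region.start % 0x1000 or region.end % 0x1000:
        raise ValueError(f"implausible range in {name!r}")
    return region


def human_size(nbytes: int) -> str:
    # Assumed convention for the report's Filesize column ("4.7MB", "224KB"):
    # MB rounded to one decimal, KB to an integer. This is an assumption.
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    if nbytes >= 1 << 10:
        return f"{nbytes / (1 << 10):.0f}KB"
    return f"{nbytes}B"


def check_declared_sizes(entries):
    """Return (name, declared, recomputed) for entries whose Filesize disagrees
    with the size implied by the address range."""
    mismatches = []
    for name, declared in entries:
        recomputed = human_size(parse_entry(name).size)
        if recomputed != declared:
            mismatches.append((name, declared, recomputed))
    return mismatches


def summarize_regions(entries):
    """Map each distinct (pid, start, end) to the number of snapshots taken of it."""
    counts = defaultdict(int)
    for name, _ in entries:
        r = parse_entry(name)
        counts[(r.pid, r.start, r.end)] += 1
    return dict(counts)


def regions_with_same_size(entries):
    """Exact byte sizes that occur in more than one PID, with the regions involved.
    Such regions are the ones to compare side by side in the dumps."""
    by_size = defaultdict(set)
    for pid, start, end in summarize_regions(entries):
        by_size[end - start].add((pid, start, end))
    return {size: sorted(keys) for size, keys in by_size.items()
            if len({pid for pid, _, _ in keys}) > 1}


if __name__ == "__main__":
    for (pid, start, end), n in sorted(summarize_regions(REPORT_ENTRIES).items()):
        print(f"pid {pid:>5}  0x{start:08X}-0x{end:08X}  "
              f"{human_size(end - start):>6}  snapshots={n}")
    print("size mismatches:", check_declared_sizes(REPORT_ENTRIES))
    for size, keys in sorted(regions_with_same_size(REPORT_ENTRIES).items()):
        print(f"{human_size(size)} ({size:#x} bytes) in pids",
              sorted({pid for pid, _, _ in keys}))
```

Run against the subset, the script shows the 0x400000-0x643000 region of PID 1324 dumped at three snapshots (eight in the full listing), that the 4.7MB regions in PIDs 2660 and 1508 are the same 0x4BF000 bytes, that the 2.3MB regions in PIDs 1324, 1508 and 2244 are all exactly 0x243000 bytes, and that the two regions the report rounds to 1.2MB (PIDs 1764 and 3032) differ by 0x3000 bytes. Equal sizes are only a lead for comparing the dumps; the listing alone does not establish that the regions hold the same code.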