Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-08-2024 17:43

General

  • Target

    b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe

  • Size

    1.8MB

  • MD5

    0400d0f91db9d1a2cb7806b94b23be8a

  • SHA1

    ec696470fcffb473ebdb5586d00a86bebb38be2c

  • SHA256

    b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a

  • SHA512

    4053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a

  • SSDEEP

    49152:kS87XHVA4tnIh2erdVvXLHezW0gzq29VV:kS8D1AMnI5f/qzW0gzN

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes
  • install_dir

    0d8f5eb8a7

  • install_file

    explorti.exe

  • strings_key

    6c55a5f34bb433fbd933a168577b1838

  • url_paths

    /Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe
    "C:\Users\Admin\AppData\Local\Temp\b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1288
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4804
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5116
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {acec6e0f-d7d3-41d9-8c5e-2b7fc05f5266} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" gpu
                7⤵
                  PID:4692
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2727b6b3-fa35-4e80-8b0f-7468020b4eed} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" socket
                  7⤵
                    PID:2976
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2968 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f6f43ea-144a-4245-bfe8-0c8bfa910efe} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab
                    7⤵
                      PID:620
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80672c42-69ad-4f1d-9360-24669f82cb1d} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab
                      7⤵
                        PID:2912
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d466056e-0f3c-45d3-b36f-ec3e30503534} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" utility
                        7⤵
                        • Checks processor information in registry
                        PID:5500
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 3652 -prefMapHandle 5320 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {740620d1-f69f-4329-8d5f-0445951baeac} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab
                        7⤵
                          PID:5988
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c110cb-f7ee-4b09-8271-546cc59b6795} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab
                          7⤵
                            PID:6016
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c58a8f3-733d-4bf5-ad73-b2eebe097dfa} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab
                            7⤵
                              PID:6028
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6520 -childID 6 -isForBrowser -prefsHandle 6528 -prefMapHandle 6532 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ba96f55-c6c6-4b03-9f67-c696393b4f0d} 5116 "\\.\pipe\gecko-crash-server-pipe.5116" tab
                              7⤵
                                PID:4792
                      • C:\Users\Admin\1000037002\464b177d61.exe
                        "C:\Users\Admin\1000037002\464b177d61.exe"
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4452
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:4748
                      • C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:684
                  • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                    C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2780
                  • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                    C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3036

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\1000037002\464b177d61.exe

                    Filesize

                    206KB

                    MD5

                    fff78902d667ae5d4d5e6eca47703322

                    SHA1

                    aee23060c9cd8dad8afa9227d5f03b89fb18357f

                    SHA256

                    a823ed8e9c412d6d62fa3ad5742054f38b81175dca7604439a8ed06abd55a8aa

                    SHA512

                    ecf897f6885f71b4af40a85ed29ddc800f32f056d299357c7c50c62a8d670583592ecaea5bbcb9e6c2ca6d9dfcadfab81dc159e8e5d060ddd4fb918367e80176

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

                    Filesize

                    41KB

                    MD5

                    f5a375801101efe7988f506278d586be

                    SHA1

                    fa3bc4134e40e4c0f72a5215183d129b242c3634

                    SHA256

                    41085c2402f4a4749c3b55559a3349d6bd7e46a114c7564747377c043f41a0bd

                    SHA512

                    5ca09a4e7378c758cd8b8d6b0c573414f984fb04cf977f397cdd1baf47313c0aa6560ca212d559406bcf75e3fdad847a4f37abb3ce3bc68b8d5715dc9a72a6c7

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

                    Filesize

                    13KB

                    MD5

                    8447760b3fc834ada193f524e813a587

                    SHA1

                    65a110914c932a762bae5b6199540e85366641a1

                    SHA256

                    9c140b731f0a5967b2d9cd4e694f625221332c273391ed7261e0d379a2a074da

                    SHA512

                    5f37e01acd17dfb1eda2c211b91dcd2f1d1e92968e054d04e8e10b33856b8bfce6be370efa314538eca8897074294327241880f9372cbc041de8c3f7cf52bc36

                  • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

                    Filesize

                    1.8MB

                    MD5

                    0400d0f91db9d1a2cb7806b94b23be8a

                    SHA1

                    ec696470fcffb473ebdb5586d00a86bebb38be2c

                    SHA256

                    b62164aec7b602984df58f4969be8d5272c2cc38537668466262e34eaca5110a

                    SHA512

                    4053c07ff80f6d9044f241b9848071ed039a5df9472144f3a0da235fec6eb83871a6bd8b859a347205934ddc531c9cb83aa746aa1d439ff39d68ab9a5af2164a

                  • C:\Users\Admin\AppData\Local\Temp\1000036001\3d0d5b4ffa.exe

                    Filesize

                    1.2MB

                    MD5

                    71dbe4bb236cc85e0eca13bbbeddc3be

                    SHA1

                    134f1402299e1e3ddaad05989875725cfbe71763

                    SHA256

                    65ef9eb886fbf27227211f2e8d9a5266adbe3206e00835b1b9018ea79c4816a2

                    SHA512

                    c208e1ceda249822b608ab23c58d17202d1b4d0be2d451398b0b0f20eae0ce15fadd5e943047048d133dfb53107a2a710673c7e0d7baead559e305cf3381f86d

                  • C:\Users\Admin\AppData\Local\Temp\1000038001\41d095a501.exe

                    Filesize

                    187KB

                    MD5

                    278ee1426274818874556aa18fd02e3a

                    SHA1

                    185a2761330024dec52134df2c8388c461451acb

                    SHA256

                    37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

                    SHA512

                    07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

                    Filesize

                    10KB

                    MD5

                    012b82d5ffffbfef1dd2c283deed5a11

                    SHA1

                    db699149b0ce552d8a5870831d1231d8db59a1ee

                    SHA256

                    4522da224e06747193f5d291cb95a38edc43c752a68a1c2b056e24e30470ed8a

                    SHA512

                    4df614dfac59166cb799f965854e8fe1ee2a8fdcad30cccb4c53770f6bc054f6c6a3d23df6b161c7e2bca4b340cfae77d7f363ebf7dfcef6a1fedd65da196705

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    6KB

                    MD5

                    d428ca3acd1667c8ff6712c090b4a568

                    SHA1

                    2b2619013950cfbde2b301543025073f67994844

                    SHA256

                    1869650b2c5dd8ec8609d14b1d2942481d145511ae882d785584e07914fa04c2

                    SHA512

                    ddec8c83a59e7d2b4121c22c49cd13f9e15dca43c58daa146c42483e1f0da9ce66c763a6bf9ea26d99079f800d87dd2508d577870daea45b51ba75a057ba3d28

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    15KB

                    MD5

                    071229094ffa5a98840b1f5f6dce9bfc

                    SHA1

                    3cf9404e08d284836ca31586e99162b480d0235a

                    SHA256

                    be56b7dd560687857706b1ae5014ccad8c04fac2ce8e062bb2353c12ad072881

                    SHA512

                    4324b2d73df2d03f1b83c32cb1b8494cfb695e3573084e3ae6c146448983a7cdf441bef04be14ce023baa7258d076f6500b1383aad52e037d39e97cbabe51a43

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    15KB

                    MD5

                    50ea1dee88ff5f7e5e89b4f67d4dc292

                    SHA1

                    c95dc712b58101c31741231a4e599fb36d662423

                    SHA256

                    b96cdb6cfb8ed34e506e442c1ee80c34a329550b88aa8a5f0340f6ef0bafda12

                    SHA512

                    aebc6b763267fa169f71c3e8cb0a249b59fd197c81791311916c32777758a953715faf719b04de32782d3c0008fe228978dc1cf1e2fb736b44fa5e19b8e073e1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    5KB

                    MD5

                    ec10ff63d88cd990760ae2e48dd4beb0

                    SHA1

                    2bc6a55d81632c7dbb0884b6ae001a3918f75211

                    SHA256

                    71da4fba5bcc18441f5ce06de16c5c739a8c9aaca0493c8e62a7d6437c0d21f2

                    SHA512

                    d968f0a13759f2b07ad0f9862161af76a0d4375f7496a9e3f30472f5456b79786d9f5da2d3ae2d144ffa52e5c9abf1bc85c9b41314e4906818c009cba6ad9e45

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\4b47700f-fe43-4c65-9811-0e43eaef8b34

                    Filesize

                    982B

                    MD5

                    f045aabc1282d117b86f949a68533531

                    SHA1

                    a9b81f683173d8b15bb1a1f69b62fcade87ffd7e

                    SHA256

                    079e9fb9a03a97181e1b39858b6fa86bed0054dd5b315ab11953a9bf7328590b

                    SHA512

                    74369e8bf9a3b9dcfe2a45bcb44d09b4a006e85ffd60197d4c055d1fc6eb87b93140dbefdb410f5202c30acb77ef44082471ff86d655d5e3042a185d266a4d5c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\4db0a51a-38f7-48e8-ba04-bc1ece5fa3af

                    Filesize

                    671B

                    MD5

                    64004ead1cba9b3f90373edb82824fad

                    SHA1

                    ae8c5506ded24e7f2d6c1c9cadb15d962d53a810

                    SHA256

                    f37590f0b550b021ea06275c3ad122a8689feb47338bbbfa323a10288b98093d

                    SHA512

                    bf50962e22f6eeab82b6c12b8f2ada615a606d6439d9cdf99608237b6637390af053393a1d52ed6cf934059fad94af5bc428684d27d466925ca401c9d4f59d79

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\74e450c5-54fd-4f3a-aea5-30f59c63a103

                    Filesize

                    27KB

                    MD5

                    2abf9e286c2c6cd455fa02ff408fb8c8

                    SHA1

                    0dc7a6404940f483b1299e538bd75131f46c1244

                    SHA256

                    67cee6cc44ae5c8c7c50c9ebff3e9bd1afbd7f55f2662861615fec5eab177219

                    SHA512

                    3a6a9c43a941b14c45803f2dfc61dc332ae778f68644f0e8a7c68b4a82a4a98c6cd8e4b752e42ebf09876d42c2ce687d9d5ef4a7447f2901f8661be6e3d36d2c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

                    Filesize

                    11KB

                    MD5

                    ef7e650a41634c16a93dbe46adfdd9d2

                    SHA1

                    549023482684eb10a99fdfafcd31b14338108271

                    SHA256

                    76735853b23b3e3eaea03500ccb8ec215d0c647f1e6eb8d8fa5899163aeb40d7

                    SHA512

                    3350727bc0b0f214ae1d9d34ea2afa7dc6395f4888c5640bf0e941d61b152e4e0fadfe6e89a3c70d7d3e090e710c06c760f1516987f22f1c3368784c3b4f5a50

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

                    Filesize

                    13KB

                    MD5

                    66862bcc0a1e692057d7aa6d17815403

                    SHA1

                    629d1311f876814ad9d53e6a64212aa8201a693f

                    SHA256

                    04a0064aeb46a299d43ea7622cb88c493ac8cfaba3cf13a98d947b2674f5e7ad

                    SHA512

                    e9dd1d552d16a97a67c96b9e33e676b7bd7c9e0a1f8eace3bb8f3e9820c7d0c31a268e3de9103b4f0bed2e3ec567bb643a55cf01d6d0bfa023e4840653cf08a5

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs-1.js

                    Filesize

                    16KB

                    MD5

                    2006dadb8739105cf977593bb0c592fd

                    SHA1

                    066d3743663446dde6c7b86ed5d0da5e68df3757

                    SHA256

                    8812ea4da2178daada1020c74c43d777360e5cd0537966fb617c30914fbe33f3

                    SHA512

                    48c8ea5b1ef0497e01ef47034ef4a1f3db1946f86597fb650f7b490ab0fbfbfb9ec3805bc58f5f41309d26d090476ff886b87959acd145e43a75993d7e9e30f7

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

                    Filesize

                    11KB

                    MD5

                    5704a7ef101873d66376b567a703be11

                    SHA1

                    8fbc56b2d794d5cd0713d8046a7fb5f72520bdac

                    SHA256

                    d797b677b070eae2e5e61b61312588c43c8fc3bda8682242d944a45c87744d32

                    SHA512

                    e9c0c46e014bc32076ea6b0943da508f796b1b2949f2c94aa9b2157cebe9fc0e54c679e2214459ef02cf24f8359eaa0c6da3f07dbc77bdc8c81db88b80433518

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    1.3MB

                    MD5

                    f16af117bee2094478561dff033c9129

                    SHA1

                    f03cd847c5c8d96d791e6db123f43f137482a5fc

                    SHA256

                    ae7c57417bef45106a2cd08acc2048411accab65cf12abe171b24fdbb9325754

                    SHA512

                    9a1cbb0f0b24620263ea571c8c53549365f5993bcbdc6c2b9b994089baa9001682f760576049e02957aaa905d9a71594253bfbc16df167728e12830e05e0dc73

                  • memory/684-88-0x0000000000EA0000-0x00000000010E3000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/684-87-0x0000000000EA0000-0x00000000010E3000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/1236-42-0x0000000000310000-0x0000000000440000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/1236-41-0x00000000731AE000-0x00000000731AF000-memory.dmp

                    Filesize

                    4KB

                  • memory/1288-48-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/1288-44-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/1288-46-0x0000000000400000-0x000000000052D000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/2780-709-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2780-701-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3036-2679-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3036-2680-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-456-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-447-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2683-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-488-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2676-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-40-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-21-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-20-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-19-0x0000000000AB1000-0x0000000000ADF000-memory.dmp

                    Filesize

                    184KB

                  • memory/3440-18-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2682-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-465-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-433-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2681-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2675-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2689-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2677-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-1451-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2650-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3440-2668-0x0000000000AB0000-0x0000000000F66000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4452-67-0x0000000000C80000-0x0000000000CB8000-memory.dmp

                    Filesize

                    224KB

                  • memory/4692-0-0x0000000000250000-0x0000000000706000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4692-1-0x0000000077594000-0x0000000077596000-memory.dmp

                    Filesize

                    8KB

                  • memory/4692-2-0x0000000000251000-0x000000000027F000-memory.dmp

                    Filesize

                    184KB

                  • memory/4692-3-0x0000000000250000-0x0000000000706000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4692-4-0x0000000000250000-0x0000000000706000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4692-16-0x0000000000250000-0x0000000000706000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/4748-71-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB

                  • memory/4748-69-0x0000000000400000-0x0000000000643000-memory.dmp

                    Filesize

                    2.3MB