Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17-08-2024 17:11

General

  • Target

    628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe

  • Size

    1.8MB

  • MD5

    8e7fc308ff9bf6e84237762d6c71c4d6

  • SHA1

    d873da020bede1bc7e9218adbbeb5c7442b65d71

  • SHA256

    628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa

  • SHA512

    30bea01dfa81312e0eb3edc2942c5076d865ea70d1e8a2ab49bbbf09e8d8c8916ee656c98d09280f8ffd949c33f4b911cb45a426f692f47aedf051c5db8cb46a

  • SSDEEP

    24576:DHgxcCP6RRVgSVN/U7xOC4lJPxGROJMrgclx3Wb+Qtdbq7Wd8lHg3CsJhLBz:jgxcKSVgSVtgOTbgMYxGLtsqKehJ

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

nord

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe
    "C:\Users\Admin\AppData\Local\Temp\628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe
        "C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4004
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3056
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3411eb0-af57-4f97-81b7-58d854df2135} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" gpu
                7⤵
                PID:1208
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab1f32a-4213-432b-a278-b33a5ac06fe2} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" socket
                7⤵
                PID:3740
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2896 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 3204 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22e5929-2c2f-4c6b-a86b-69970ff301fe} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                7⤵
                PID:2280
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 2668 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9a4594-6310-433e-a051-4d3f89ee764a} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                7⤵
                PID:1508
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4752 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6f2b16d-7f93-45dc-9f0e-612126e361b7} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" utility
                7⤵
                • Checks processor information in registry
                PID:3932
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {317b4b13-90cc-4096-ae1f-027537198044} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                7⤵
                PID:5444
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8044cf-3ee1-482b-b00b-751fc3eb82ad} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                7⤵
                PID:5456
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 5 -isForBrowser -prefsHandle 5628 -prefMapHandle 5400 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d1e6f06-eebe-47d0-80f1-fd8ea1f57a15} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                7⤵
                PID:5468
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6268 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f931c5fe-3c24-4167-832e-7bf56b7dda81} 3056 "\\.\pipe\gecko-crash-server-pipe.3056" tab
                7⤵
                PID:4800
      • C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe
        "C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:4416
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:4936
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          PID:2656
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4516
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2468
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5204

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

                        Filesize

                        34KB

                        MD5

                        000ad41eccec41ff63544862e5dbc684

                        SHA1

                        1d5a641bd740dfa24ddfe4a770dbb01b318b6867

                        SHA256

                        eacf3f5cd4361eeccd38fa0d71e251f421570cb8f0b4e1fc3340436f09c889b7

                        SHA512

                        375f8ae6fb3ec39f5d1be7ab7ace272676a7238a3051278daed1d61cebbc2df803f5780c11d085777d94f01c24ddf4f7a7717a362fac565ba51fefe30a7b0023

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

                        Filesize

                        480KB

                        MD5

                        1998ef2d58f598f631585cdbcaa45aeb

                        SHA1

                        9b5c71bfb178ea1269a582edb738c073a1c20762

                        SHA256

                        39e5711217bf8cb6b425e1c7a5f8dcd9d666f2c3decc66aaffad87399125f1bf

                        SHA512

                        5887c976a647642963667348cca50cf90bb4dc0a17f30673fb79af0fd0926492d4ffcdbdbf24602018131453350a64e1122636e692d5d12d4ad5c30e059d3365

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

                        Filesize

                        13KB

                        MD5

                        e12b1054526962f31c28eafc924641e8

                        SHA1

                        0d159ce128783a0ff1b60bd4d9adc4a65d51bc0f

                        SHA256

                        3fcae4da8488bfaf0903b7751f998da83c60e366ce14a3cdb900855b8488c06e

                        SHA512

                        e83ec9f443c1caf2b800156661428db316b8e606f8c0b017d8b4cc0599554fab9b9dd8ece883e286a69e50171dd44adf64e10b3465f54b95ddcf91311d948b52

                      • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

                        Filesize

                        1.8MB

                        MD5

                        8e7fc308ff9bf6e84237762d6c71c4d6

                        SHA1

                        d873da020bede1bc7e9218adbbeb5c7442b65d71

                        SHA256

                        628f01b3d34efab1e378d651eb06acc3118ffa707cca22d093d519de4da4d7fa

                        SHA512

                        30bea01dfa81312e0eb3edc2942c5076d865ea70d1e8a2ab49bbbf09e8d8c8916ee656c98d09280f8ffd949c33f4b911cb45a426f692f47aedf051c5db8cb46a

                      • C:\Users\Admin\AppData\Local\Temp\1000001001\11f87f4a09.exe

                        Filesize

                        1.2MB

                        MD5

                        96b63367d5d745825ea1db1602bc918c

                        SHA1

                        b2ae209517ff1a6559fbc8ae160385292d3b9599

                        SHA256

                        fabb92cb47b41a5bd45a87bf84da8f2a82d266d0d97951edf6cf9e6c9a0b133c

                        SHA512

                        eda483ee95a9f4ca06857f1ab6925225c0de9fe2e2833560382a72a15e2751576c55823690638abd3e6e937e728bf50c815c326d5d09c36dbcc92dcf7848096c

                      • C:\Users\Admin\AppData\Local\Temp\1000002001\5124312374.exe

                        Filesize

                        206KB

                        MD5

                        37c0f4cb3470a9be701357b194e4a5a6

                        SHA1

                        50799d941cac74ca58b0e6f5d553cc0e31fa7b53

                        SHA256

                        bb0e9d7b4a99d16519b0967ff905eaef603412b837b070d34e482f9b5ae5bcfe

                        SHA512

                        ac9605f34dce7617814eee423f3e99c164af5b08d8622b8ed88b59cc96abbd1cf0c87c3f30bb12e13fc4d996ff3f0c27d1034821dba2cb93bbab1b52807158fc

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

                        Filesize

                        13.8MB

                        MD5

                        0a8747a2ac9ac08ae9508f36c6d75692

                        SHA1

                        b287a96fd6cc12433adb42193dfe06111c38eaf0

                        SHA256

                        32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                        SHA512

                        59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                        Filesize

                        8KB

                        MD5

                        3e9aa4ea036de2414e81b6357ab44c92

                        SHA1

                        462caea40bcd35fcd203e4016b8a23df41b01578

                        SHA256

                        5ba0805408d0c6ca466bd1d65ef460e809d8e477ea19a3fada9d14dd407ae656

                        SHA512

                        1f80b77f52387f8605afdfaa5e379af9dfa950f80319a64cbc3cd1c275a3d74e10e10bbc6a9725d554a4ce3d9ba5f916f5609d808c20bf549c40f10fa0c5d8f6

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                        Filesize

                        16KB

                        MD5

                        17e67394e505186d2efce7c8e75b7087

                        SHA1

                        9fbac8ebeff8a0445002748c1436d002aad69226

                        SHA256

                        11167e72a619e116393e942fc5abefc2c46af6f7a6d2ecebea73b18ba8eed366

                        SHA512

                        4b5f8721fe575e39028b94b769c91cc2d761dfd31821c8b44adb893491c6a82851d1673fa666c217cb52a9e93c685e0e583c53a190bd017d5948040341f7d46f

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        5KB

                        MD5

                        21516984324fecf36df19e0f81f75446

                        SHA1

                        f9d17ebccceadb303deb112314438ab37a41f244

                        SHA256

                        ee77b960ef5729f70c6fdaa16c269981daee0e23ff9b9e47705b04278597daa7

                        SHA512

                        ce8b3009c4c9253d910469ef6ffa1309da82ca143bb59c0f420671f9f01f1a15acb76716be6866ce0c7de3abb6b1deab3803b8f1f8b8ba64cacbedf59dc1898d

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        16KB

                        MD5

                        1cc8dec48d475d1d7e084c0bc5e9cce7

                        SHA1

                        2ce72044cec2613c8077148c5d0097996e30b1d9

                        SHA256

                        278d99910e6407d57edb4811a6e5cb72d51b7d2b0b18279296f2f4f9f0975a5d

                        SHA512

                        ae2b52caf3438f16568d66a55ef99dc52a5a9051503b6f618ce84c42edb3d75e4ce04d843425fd0fc9f876193b99e2d88ccddf96d9595e6b7d1b359fb25e0813

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

                        Filesize

                        6KB

                        MD5

                        3ff088c3aecf6d47fba94219c2def270

                        SHA1

                        0c27d552b5c75666c00a2e3a544caa75b9555776

                        SHA256

                        d05973402141f38af5d09c0700565a4623a79bf0da83749312834adea95d3cfc

                        SHA512

                        4a805d8e62f8d2aee7610e636744b4647a4d643a45c7f3904e892cf1b5c1fd37ae36743e20b9aaa041a2f3b429c54ae58b4f7a28b3a2d7267e5080047061f37e

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\577b1152-03f1-4d08-9faf-3f3287e14e79

                        Filesize

                        26KB

                        MD5

                        6a14e77d203b14aeb9ab2b3269c0877e

                        SHA1

                        c02393721a7c09664713fdc58608ffabea79cdf2

                        SHA256

                        c8a4687c99cdef9853b3b264eead3468f77fcccd6a31f772f4a1ae36ff085504

                        SHA512

                        8bd516c533035ff0437f64044378b63ae64f4ca3ef42877f557f7f9d0e7a3a74b285c0371b30a174844a4a8d558754f1a8354082804ab20d18d5a0ab48475378

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\8f7c4f69-ed26-4d2d-b03a-935ae91039a4

                        Filesize

                        982B

                        MD5

                        eaff1e7d594b40c625cde4369752214f

                        SHA1

                        d4159620d486c3152bdbc9f4c77548172aa5b443

                        SHA256

                        ca25a79e176ae55d1b02a0e6b0ff483f0eb01819a1675543463e89b5dddb8186

                        SHA512

                        0e42e4a8ea3962343fbdc599c8aadcb10cc5e46f330d136f3253ffe5f59115ad4c70d2990adba7c81ff16cebd1740c8cdbdca93d9300cc9ea5083da6fa0da116

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\ac0ef252-1a16-4ed8-b331-d8dbaf605a4c

                        Filesize

                        671B

                        MD5

                        71b1b665b8cec26c907c01c3a9fc725d

                        SHA1

                        c53db9b0ff3d94bbe54c1b73a3b7f36da7b3cb7c

                        SHA256

                        8eeed4d2327e4ad8cc85a79ef298b8d98997a4326ac04bb3e3d71041a07b964b

                        SHA512

                        183ce7221097d57cc30de44eca4a8aeedd32b91c8bc964d810eb411269208f38fec6b287386d1fa3b4b109fcb82279b2308ca5f46d822eb05024a25b5c77cc17

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                        Filesize

                        1.1MB

                        MD5

                        842039753bf41fa5e11b3a1383061a87

                        SHA1

                        3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                        SHA256

                        d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                        SHA512

                        d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                        Filesize

                        116B

                        MD5

                        2a461e9eb87fd1955cea740a3444ee7a

                        SHA1

                        b10755914c713f5a4677494dbe8a686ed458c3c5

                        SHA256

                        4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                        SHA512

                        34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

                        Filesize

                        479B

                        MD5

                        49ddb419d96dceb9069018535fb2e2fc

                        SHA1

                        62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                        SHA256

                        2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                        SHA512

                        48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                        Filesize

                        372B

                        MD5

                        bf957ad58b55f64219ab3f793e374316

                        SHA1

                        a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                        SHA256

                        bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                        SHA512

                        79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                        Filesize

                        17.8MB

                        MD5

                        daf7ef3acccab478aaa7d6dc1c60f865

                        SHA1

                        f8246162b97ce4a945feced27b6ea114366ff2ad

                        SHA256

                        bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                        SHA512

                        5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

                        Filesize

                        1KB

                        MD5

                        688bed3676d2104e7f17ae1cd2c59404

                        SHA1

                        952b2cdf783ac72fcb98338723e9afd38d47ad8e

                        SHA256

                        33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                        SHA512

                        7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

                        Filesize

                        1KB

                        MD5

                        36e5ee071a6f2f03c5d3889de80b0f0d

                        SHA1

                        cf6e8ddb87660ef1ef84ae36f97548a2351ac604

                        SHA256

                        6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

                        SHA512

                        99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

                        Filesize

                        11KB

                        MD5

                        34f4c77a148db59960a785a413a1e6e6

                        SHA1

                        188ff67537147b71c178023f42916caa2f151b0d

                        SHA256

                        8123e9856d721353d9c27c2a51fa84137ad8e1516435345f81255667067b5d98

                        SHA512

                        c6e550a397ddb9f514d1ecc16df4eb6b02ce0d4bdda8027ecd0949f921e90cea7150c27079bc2c31c4d3a7259c724de310425621818da0ea21eebc626e680973

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

                        Filesize

                        11KB

                        MD5

                        9c617d6496a89d7e0857175387d6fdab

                        SHA1

                        fa1496da5a0d4bfbf3212c5c5d563d9a83ce6fe2

                        SHA256

                        c1ada3129330120a4e8b1ba5bf8c3b0f23a286bd7b46d7b9bd703d783d3c4cb9

                        SHA512

                        23e4138d022cd47dc102fa33e287d9a3d7fa46f53032c55ff4f04199589619d7f93ddd1b0164bd2a6f49522f110b92ff12da3631e7f6d299aa2f77e16bccc60c

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js
                        Filesize: 13KB
                        MD5: e70fb5b62c8506ade770d0bd4d7c1a16
                        SHA1: 78512cd66d7b779b6901da823e9420df3dd37b36
                        SHA256: bbd3f961d735ef6c6d7bda5fdbf26d9fbfcdfe49981f4f548fb009829e80ebd5
                        SHA512: 79e51b4f17243b7039ad285c1ca16f2c00a258d3b3dd8e703c76a4aad016504b81d46177a67b4b2f55a53958c61f0dd232c2d9f1c54fbfb7f7c8245fbc754221

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4
                        Filesize: 5KB
                        MD5: 1982bf7b46df0dda799dd36704e5eeba
                        SHA1: 10d64807d1c00c5b915454d0290aa60c0b1e3621
                        SHA256: bfc9fb5b812f5a93537b070240580946ac3695c599b39776624a46ce3f9c22a9
                        SHA512: df5c75b4821000c193eae07df6ec4737c52d328395e2e1315aff5878364c86b46febef110aa3afdf26aded861b288a4393eeea7db8c395c757c25c5f6c29484e

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize: 968KB
                        MD5: 24a62bf69a6e4686f06f05a722cdca92
                        SHA1: e82bc8adb2f1dbd04c5ddaf1bc75c14691a8dbc6
                        SHA256: a48004cfe53ab8b1350c93f154b8c66214154f40a6a0101218a570b01d761e13
                        SHA512: 8e042c8c6b7e6733436b4b89c3ebface512de19fa365c2b6d30817f19eac216153129ac81bc0bd15d629f13b7564ac0290e1cbc21aac3b5fc28ce12e1cb9932c

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize: 1.1MB
                        MD5: edd58ad632046de712e19451f1e69d31
                        SHA1: 176578e88796cc7c24b353711847e6c4f5a60272
                        SHA256: cecc4a069101dd6f27d031f6d78ac1959a1588820cfa46eabe5a142258b1b9a2
                        SHA512: 50afb0def8f26182476d868ae1b22503257b0c76f808c84514ebdd90badecfb65d3a61ab5daa0ec9cedf6020cd320ae36213db483c09ed2847d94e474e36f62a

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                        Filesize: 2.8MB
                        MD5: ac4f05a25705b18f1c31ae6f3133c953
                        SHA1: a574897ffb6dee483a798e49ef7ae34a729c64b0
                        SHA256: 166e5b0fe70ce43e021d40310204ae76297fc26a74186b148550e31c0017b458
                        SHA512: e2abc116f120733e3f851acc0329e953b44d089ee2b860716df6bf20ce9da7f529d2ed9c0b0656d7b80debbf2aacc6113175aa1673bedef901cf39333ff1051c

                      • memory/1980-0-0x0000000000110000-0x00000000005E3000-memory.dmp (Filesize: 4.8MB)
                      • memory/1980-1-0x0000000076EE6000-0x0000000076EE8000-memory.dmp (Filesize: 8KB)
                      • memory/1980-2-0x0000000000111000-0x000000000013F000-memory.dmp (Filesize: 184KB)
                      • memory/1980-3-0x0000000000110000-0x00000000005E3000-memory.dmp (Filesize: 4.8MB)
                      • memory/1980-5-0x0000000000110000-0x00000000005E3000-memory.dmp (Filesize: 4.8MB)
                      • memory/1980-16-0x0000000000110000-0x00000000005E3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-2285-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-22-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-457-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-50-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-3393-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-51-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-23-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-418-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-1740-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-2385-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-815-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-439-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-21-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-20-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-19-0x0000000000121000-0x000000000014F000-memory.dmp (Filesize: 184KB)
                      • memory/2120-1130-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-2832-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-17-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-3390-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-1484-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2120-3399-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/2312-42-0x00000000728AE000-0x00000000728AF000-memory.dmp (Filesize: 4KB)
                      • memory/2312-43-0x0000000000150000-0x0000000000280000-memory.dmp (Filesize: 1.2MB)
                      • memory/2336-45-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                      • memory/2336-48-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                      • memory/2336-49-0x0000000000400000-0x000000000052D000-memory.dmp (Filesize: 1.2MB)
                      • memory/2468-432-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/4416-405-0x0000000000910000-0x0000000000948000-memory.dmp (Filesize: 224KB)
                      • memory/4516-407-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                      • memory/4516-409-0x0000000000400000-0x0000000000643000-memory.dmp (Filesize: 2.3MB)
                      • memory/5204-2181-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)
                      • memory/5204-2221-0x0000000000120000-0x00000000005F3000-memory.dmp (Filesize: 4.8MB)