Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    11-09-2024 01:26

General

  • Target

    6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

  • Size

    1.8MB

  • MD5

    3bcdaf8aa8a6f0ca2f613c8c14bc5a6e

  • SHA1

    14e7cff2628e339009821bdb95673a40299149d0

  • SHA256

    6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

  • SHA512

    d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

  • SSDEEP

    49152:GQlomvjK2/8k6ZJ8EBHJGCHONwoFCRUUoYk32nOg:15vjak6z84uszoYkGl

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
    "C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe
        "C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1464
      • C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe
        "C:\Users\Admin\AppData\Local\Temp\1000030001\4c2f9460dc.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:652
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
          4⤵
          • System Location Discovery: System Language Discovery
          PID:948
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2168
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            5⤵
            • Checks processor information in registry
            PID:2724
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          4⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be2a389-01ce-4cde-813e-dd7013d81023} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" gpu
            5⤵
              PID:3404
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c8a1311-2e3d-4bcd-aa58-a21b8ab917b4} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" socket
              5⤵
                PID:1060
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1572 -childID 1 -isForBrowser -prefsHandle 3456 -prefMapHandle 3356 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d623736-4001-42f1-a230-e3ec92ec2ed3} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                5⤵
                  PID:2976
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f3c4509-3ea7-42f7-8330-c5941022a208} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                  5⤵
                    PID:1816
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4272 -childID 3 -isForBrowser -prefsHandle 4264 -prefMapHandle 3204 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d231df13-1cc8-4660-a64a-9ec385da9dd7} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                    5⤵
                      PID:1708
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4908 -prefMapHandle 4988 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {137a2190-03dd-4a75-a0c7-d7ac66f26d8d} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" utility
                      5⤵
                      • Checks processor information in registry
                      PID:3336
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5824 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c419c312-11f1-4dbb-a635-c75727b53603} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                      5⤵
                        PID:6072
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6024 -childID 5 -isForBrowser -prefsHandle 6016 -prefMapHandle 6012 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2e01d23-e6ed-4f0a-9620-9decff81a330} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                        5⤵
                          PID:6084
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66f01f80-81e2-44b0-86b3-af21cefd32b6} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
                          5⤵
                            PID:6100
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5584
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5636

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json

                    Filesize

                    24KB

                    MD5

                    f78ef1944027a9c36fbfa80a3f535076

                    SHA1

                    fb69ce2ac1ab7ab784d5c79c192abb74f5f54192

                    SHA256

                    ecaa0653dd19ff5a00d3924a0e77f80d43c39ef867f359de0a4a53060be182c6

                    SHA512

                    2228ce5f7629d0c3ff32b66614446e0a694dc136a8a962f1eefb182c907e574bf2899ffa4b07aae6c10ea69f7c817ffcc130f774f1ea3e490a1b2992845fc080

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

                    Filesize

                    13KB

                    MD5

                    053126903f986f4040329526718782c8

                    SHA1

                    6829c8dcce54263173160217111bb35cf371996d

                    SHA256

                    b781aae9e887cf9246efff20c4e903cbf9da77b268247095da903fdba559f96c

                    SHA512

                    963822dac385baec38fa47e827dbf7b3aa14a59a1d584970685f8154fdc806355d742889147943d7cb24eee2d308ee303b8af2277f657e4cbbf8b27431cce2ed

                  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

                    Filesize

                    1.8MB

                    MD5

                    3bcdaf8aa8a6f0ca2f613c8c14bc5a6e

                    SHA1

                    14e7cff2628e339009821bdb95673a40299149d0

                    SHA256

                    6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

                    SHA512

                    d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

                  • C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

                    Filesize

                    2KB

                    MD5

                    e05e8f072b373beafe27cc11d85f947c

                    SHA1

                    1d6daeb98893e8122b8b69287ebd9d43f3c6138e

                    SHA256

                    717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f

                    SHA512

                    b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlg4wtrq.lwl.ps1

                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  • C:\Users\Admin\AppData\Roaming\1000026000\d6c383d585.exe

                    Filesize

                    1.7MB

                    MD5

                    ce4bfa9c358165bde9bb408a2cb57b89

                    SHA1

                    e7d7c6e20a558cdbb8ca0a8614bf48a1bdb60396

                    SHA256

                    8b715b6ede4282228d035a69684c3e67328cef609504a7353c5151aa8ffafef9

                    SHA512

                    3ace12ec036ff30834223176f3b8f917e62e853afb7cf7735d426be5cb2d02cfc39b0ce2879a162dcfb7f32003f7f954a81ad527e247a2b424dcc1a11af5f6f3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

                    Filesize

                    6KB

                    MD5

                    f2661c5253e21a672b06c382959ce84f

                    SHA1

                    ff3c7a572fc24339a13497076bcdbef87e75ea67

                    SHA256

                    5853d172447e9bf5a6082603346c1bc508ee7ccdd3ae6b359b2ca229870a54b1

                    SHA512

                    1a04fc19a23d142d6be05aa894802d347d5b702b7064dd3b7fca35f4f9c5b0de0513f69b622b034a71139da1228cdf35ba4aaf1f415ada3f46aacdf2442ac8f8

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

                    Filesize

                    10KB

                    MD5

                    278b21bc12005e1b974d168549615e27

                    SHA1

                    ac346a6a056af44eeac2315c7b33a9f4bb22af7e

                    SHA256

                    950d46e6e6f4f8779b1e97bddcfca43e250844942f49ecbced60fbca172f2d32

                    SHA512

                    d32a48db4017fb36e2d6fc9305bdeaf4e15f3468f4e591d0882ec853dda1c93a326f031021b27c4192c177acf3a5c2efcb61bdf028984188ba144c3fd79dd626

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

                    Filesize

                    13KB

                    MD5

                    76cbdf57f5d735ba411dd898a0fbda94

                    SHA1

                    e855a4294f26d1fec882fa70cf8ebae69c82744f

                    SHA256

                    7bd4aa140f9d06c345480b624131046d7274a1001f8ff40ddd2369b1c17568cb

                    SHA512

                    736abf55f6d0fd49d77a299770d38c0144aef2b41e1c70d639f159c87825bf52c4d507c70898b3f86f593bbc393626285d6367cf2e5a601749c49166e0dba0d0

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

                    Filesize

                    15KB

                    MD5

                    8b94d64a22485271dc9c85e52b7db6ee

                    SHA1

                    2686cbfd75e097787008b5eabcfcd21e2d7f5b80

                    SHA256

                    cfd4e0398ce9e830569551318f0df81db6955332faf623eff36a4646d230b84b

                    SHA512

                    ffa822174baa05e3c4edc29063b73bd9b3c460eef12b4d682ec8cbea70fb9c6033e4cbb68f7d43b7d22c7cd93a54efacec6fc84cdcdf1a264ab2ef147ad451c1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

                    Filesize

                    23KB

                    MD5

                    3ddf6839dc10bf0b989db75a81282d75

                    SHA1

                    6a70b3638ba7f60108821b9fc989c56eaa39294b

                    SHA256

                    4c79f2836b38ca67097c2354770ff0788c41e23fc2f4533325469b804ff90cf6

                    SHA512

                    72c7215819ec218bee711f2dd696d82eccf5cb1959d3f2673b14df6ea8a2e49b06f84220f2f2d9eaa524fc5a6cac5417429f54c77a04571e1c43af75753f0f19

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    22KB

                    MD5

                    338db648db6aa5339259a43ba9687e0f

                    SHA1

                    2a4dac4bd5b48f4e514d43241b4d4b72265fb90b

                    SHA256

                    c8a7b08a17bfb7da09886bf6c0a094aaa2cb49f53629fac8e445f1b32556c68d

                    SHA512

                    ff4b4ed9eee29a0382e2a05009bb74d43033476c8b5b737ff8b1d6330a5234bce07b9903bb28ad803edd68aa409af8d239360ee129fe64c9c868b5d8c2b5e39a

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    22KB

                    MD5

                    6c4ff4025194d841084c7e2b483b7723

                    SHA1

                    48b84acd28fc95822dcc40b20b20dab4c45ee713

                    SHA256

                    38748588ac6fa391c913e3ab7f8d333ea98a9ff1cecf0439bb040334dfe1e4b4

                    SHA512

                    42262db7a94bae0d8048d0943d23428e001d3aaae0dc24a2f374f8efd6146fac2d1ce20b714b899fa2d0bc460d5a7c932b303db80f6b40885ad02e706ac069e9

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    22KB

                    MD5

                    453ccfe1b9d80a610bd06b744683084a

                    SHA1

                    a5d09a125cce2e152b4f57c608ed565ae944a20a

                    SHA256

                    6f0ee7023bf954018fa3b6ac39b7b4ed50d6814c082aad052fc048a7a5b373dc

                    SHA512

                    b91fbd43ee8e1f7f8ee97276c2f879236e2d19ebe29e7862abb6ebf8a9e4b361f2d06a2defa3facade60deb2b333cf3401f2bcb25d644c61cf64d07e277bc576

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    34KB

                    MD5

                    c161d0d750d5d7f73083312e332ab2c8

                    SHA1

                    027c31c43eff3db6a9d875bbeb8f832bbed1df99

                    SHA256

                    e39e2453e6c4f6dca7970eaa850553d72b71b9ff3762a4a21378a5f70f955489

                    SHA512

                    c3c2f72f7e0c963406944e8e51446af100b54026cd80b64494a7b5226744b353e8a3f68d68724a81d0036b41acbad631159fe526c0bd230d7ad8a43857ba2d27

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\cc57f411-b2b4-422a-8869-d1d79d0b62d9

                    Filesize

                    659B

                    MD5

                    4b382e37448e885aa299d69916ee19d7

                    SHA1

                    2b473169b67b3f8f50cf403c3d565901b6f87abe

                    SHA256

                    b4e013057e720a5cdaca35abd6c68779ca8158e81e028125fc24ca8451175359

                    SHA512

                    d75320e074451a668cfe52d715742a26887b3af8787c667e6b450c7cee76e17459e22a3053284135d06c0692c3fd98cd898f5adb78b7907bf2baedb634ed2d44

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\dfe68154-a62b-4dd5-b6c0-cea2286ee4ed

                    Filesize

                    982B

                    MD5

                    d0532e9d0eca481186b5d1c7723a88f3

                    SHA1

                    573380008203806495f6a85bc2145a017fbfb8ca

                    SHA256

                    b32a1ff758240486f87380f6dfde7f31d67090965e814fc27e16de07754c4a1c

                    SHA512

                    759cfae958c225d25107d52394140551c76b772baa56640799026a26d5dcd370fbaecc644dfa5ae6a530190eceb4d0708cd7ee81c046437b1ce182dd05ebfcae

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp

                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

                    Filesize

                    479B

                    MD5

                    49ddb419d96dceb9069018535fb2e2fc

                    SHA1

                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                    SHA256

                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                    SHA512

                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

                    Filesize

                    13KB

                    MD5

                    742a5365ea6b32c2064d1a7aa867f8bd

                    SHA1

                    360d389bd5f2b0258649662baea7d21aa3ef49c5

                    SHA256

                    ea7b7c3f6995019d46dcd547f83fe537ab7eb3ba3ddefaf07f8e75daa9dd3aa3

                    SHA512

                    4ecb04f7253e5cb1ec2771acb1355ee3a57ec47f535d0a72b3abb3c8a9986900307f744828f76503d484d8cd988bcc227b0352c0fa93dfb222a8e32f4ceed622

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

                    Filesize

                    11KB

                    MD5

                    d859b0d0178c9cddb8bd0fb18fc39c29

                    SHA1

                    800202f1c546372f3392c368598560a9c118241c

                    SHA256

                    83597ced29a8c7eab843464ea1f320c8057e808f76a08127416d21ac982bdcf2

                    SHA512

                    c2cd3bf4de6b29b1883f7b9526073545570ca2756e50188861816c4442abc93f904f2b30de2e4974dcf368aff2c4ca96b048a7d6d23cfb28fdb0d97dc9f29e1d

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

                    Filesize

                    1KB

                    MD5

                    7da0a609352773988e0a2144939842af

                    SHA1

                    0876926c34a5e3c73184323e1b089ab890be7c36

                    SHA256

                    fe420dcfcda92d0956eae2dbb6636c51a19b0c8df89d65abef28ae6e6c1bbe89

                    SHA512

                    28f6b637fa552d523dae24b06d193efcbb6e171d6afcc90001e749dd576f7d8093dfaf12bce63b9da92187f4efadb7c3a7fe2627ef47337136d711412f93c884

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

                    Filesize

                    5KB

                    MD5

                    72cd9b72cdb056aa2208c557dca4b170

                    SHA1

                    ebe809613b1dac3aff449723646018277eb8895a

                    SHA256

                    d0a4b316aa1159f87cfed25a7600c37232a2d060412b97faa12250ae3546b788

                    SHA512

                    c706861893f5e15a5f1f828b0ce2fb85dbcb63c5c7771721764bad9d6f1dd3fd2afd573b7394f4ac0085fd219847d00b9476c3615b2034d8fd1b62b0aaed9947

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    376KB


                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    1.4MB


                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    2.0MB


                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    9.7MB


                  • memory/652-56-0x0000000000680000-0x0000000000CFF000-memory.dmp

                    Filesize

                    6.5MB

                  • memory/652-456-0x0000000000680000-0x0000000000CFF000-memory.dmp

                    Filesize

                    6.5MB

                  • memory/840-17-0x0000000000160000-0x0000000000612000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/840-0-0x0000000000160000-0x0000000000612000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/840-1-0x0000000077CC6000-0x0000000077CC8000-memory.dmp

                    Filesize

                    8KB

                  • memory/840-2-0x0000000000161000-0x000000000018F000-memory.dmp

                    Filesize

                    184KB

                  • memory/840-4-0x0000000000160000-0x0000000000612000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/840-3-0x0000000000160000-0x0000000000612000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/1464-37-0x0000000000C80000-0x00000000012FF000-memory.dmp

                    Filesize

                    6.5MB

                  • memory/1464-47-0x0000000000C80000-0x00000000012FF000-memory.dmp

                    Filesize

                    6.5MB

                  • memory/1464-53-0x0000000000C80000-0x00000000012FF000-memory.dmp

                    Filesize

                    6.5MB

                  • memory/1464-64-0x0000000000C80000-0x00000000012FF000-memory.dmp

                    Filesize

                    6.5MB

                  • memory/2340-2687-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-21-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2677-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-452-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-357-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-491-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2684-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-500-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2688-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-46-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2689-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2228-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-20-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-19-0x0000000000CB1000-0x0000000000CDF000-memory.dmp

                    Filesize

                    184KB

                  • memory/2340-2694-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-18-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-83-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-82-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-721-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2695-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2702-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/2340-2707-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/3736-66-0x00000000051D0000-0x00000000057FA000-memory.dmp

                    Filesize

                    6.2MB

                  • memory/3736-69-0x00000000058E0000-0x0000000005946000-memory.dmp

                    Filesize

                    408KB

                  • memory/3736-87-0x00000000074E0000-0x0000000007A86000-memory.dmp

                    Filesize

                    5.6MB

                  • memory/3736-85-0x0000000006370000-0x000000000638A000-memory.dmp

                    Filesize

                    104KB

                  • memory/3736-86-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

                    Filesize

                    136KB

                  • memory/3736-67-0x0000000004F80000-0x0000000004FA2000-memory.dmp

                    Filesize

                    136KB

                  • memory/3736-68-0x0000000005870000-0x00000000058D6000-memory.dmp

                    Filesize

                    408KB

                  • memory/3736-65-0x0000000002620000-0x0000000002656000-memory.dmp

                    Filesize

                    216KB

                  • memory/3736-78-0x0000000005950000-0x0000000005CA7000-memory.dmp

                    Filesize

                    3.3MB

                  • memory/3736-79-0x0000000005E00000-0x0000000005E1E000-memory.dmp

                    Filesize

                    120KB

                  • memory/3736-84-0x0000000006E60000-0x0000000006EF6000-memory.dmp

                    Filesize

                    600KB

                  • memory/3736-80-0x0000000005E40000-0x0000000005E8C000-memory.dmp

                    Filesize

                    304KB

                  • memory/5584-1736-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/5584-1675-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/5636-2693-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB

                  • memory/5636-2691-0x0000000000CB0000-0x0000000001162000-memory.dmp

                    Filesize

                    4.7MB