Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    11-09-2024 16:26

General

  • Target

    ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe

  • Size

    1.8MB

  • MD5

    eeb139916aa5a94fb6de01d67d329939

  • SHA1

    7881a77833d76054afee411c19b37b5ee08ca9b1

  • SHA256

    ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801

  • SHA512

    f9645cadcc7893d3a4d5d5db17654653c3336c58f98106a28ee04d5f3570582d9c6ec8bc8e76c092f4795f7779b8571eb561d5651e7ee667205727938a0f2bef

  • SSDEEP

    49152:U7cDiWv20IGA9yOEwr22eavHXsQQVQutTqrIBxjsSst06:Ug5+Zoa22eav3MVQutTkIBx1st0

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to or copying of the web browser credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe
    "C:\Users\Admin\AppData\Local\Temp\ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe
        "C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:392
      • C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe
        "C:\Users\Admin\AppData\Local\Temp\1000030001\114eb35934.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:700
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start msedge https://www.youtube.com/account
          4⤵
          • System Location Discovery: System Language Discovery
          PID:952
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start msedge https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3828
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4288
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68642c2d-721d-4190-8af3-693a44697a7b} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" gpu
              6⤵
              PID:3368
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed0da6d2-6294-4826-99b1-b70fec00a89d} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" socket
              6⤵
              PID:2032
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a0539ee-5919-4d6b-9270-81fcb1d27e3b} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab
              6⤵
              PID:1520
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3440 -prefsLen 22693 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3516cdc4-080a-4d81-9b9d-f495545b57a0} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab
              6⤵
              PID:2224
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -childID 3 -isForBrowser -prefsHandle 2928 -prefMapHandle 4160 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f70571e9-c1c4-4620-960e-38ea2eb9ae32} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab
              6⤵
              PID:2868
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5168 -prefMapHandle 5152 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {968843e3-acbe-4f4c-b446-c165e71d043f} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" utility
              6⤵
              • Checks processor information in registry
              PID:3592
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5748 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aecad104-9dcc-4083-8525-0ff651e3a68c} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab
              6⤵
              PID:3268
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 6008 -prefMapHandle 6004 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c8a0738-d19f-433b-aa74-87868066c515} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab
              6⤵
              PID:3448
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 5920 -prefMapHandle 5916 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1052 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {594068db-eede-4633-a425-306d7b3ce170} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" tab
              6⤵
              PID:5064
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
          4⤵
          • Checks processor information in registry
          PID:3640
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3392
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4512

Network

MITRE ATT&CK Enterprise v15

Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

                    Filesize

                    29KB

                    MD5

                    38c35afe1c736cad27a77e99c6653887

                    SHA1

                    ff57120c1bc8a39e8bad431869963c1b26df3e8d

                    SHA256

                    34457be02b8f57968edf18fa07c4210c3df0109234ea1598fadfb2dbbfac2051

                    SHA512

                    063a0b48cf5c29a8efad07cd33eea54e5f7863d40e185f4651d14240d978723f49079d7e329bb74b367c89abed67dfa3aba0c7a321f64c6dc89a20d0ebcd17ab

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\0EA2E1AC3653A248EDE38E975FF2A4ADDA308244

                    Filesize

                    480KB

                    MD5

                    8265322172b2cbeb6e357b0f3388391a

                    SHA1

                    4fa9c9a543741d4837cb176459b1a354702013bb

                    SHA256

                    5754eb88b7eac0e20aa9a612dea908a20594d5157e5c79fbf6ed8290c438df17

                    SHA512

                    d6189cb76bdef3412238483d8c7096cf0ba5607b163a2578b7e6b2b82c9bd46b11e5cb43350e83edad850028590dca86e214b027fa5913fa0cbbb4072c396431

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

                    Filesize

                    13KB

                    MD5

                    fd3b9e3bde621cd4db60a04febdebdc2

                    SHA1

                    ed2846d16994b9b45131c7a47b880540a9f1bb2f

                    SHA256

                    41240c489cd3c2c9328ed2684effa7eaef1fe76e63150a955d6480043b998219

                    SHA512

                    efa5b87a2f8a908a0912a50694aab5ef08d82a43948a816c523b0bbc2521583765a305ab7e5be04149d0ae82198937551c1db5131ca4aeb12fdf3e66b165b037

                  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

                    Filesize

                    1.8MB

                    MD5

                    eeb139916aa5a94fb6de01d67d329939

                    SHA1

                    7881a77833d76054afee411c19b37b5ee08ca9b1

                    SHA256

                    ac9d727f71fde0eeb640065fb857e797eb55c7b0570270769db0cf1ad5b48801

                    SHA512

                    f9645cadcc7893d3a4d5d5db17654653c3336c58f98106a28ee04d5f3570582d9c6ec8bc8e76c092f4795f7779b8571eb561d5651e7ee667205727938a0f2bef

                  • C:\Users\Admin\AppData\Local\Temp\1000039041\do.ps1

                    Filesize

                    2KB

                    MD5

                    e05e8f072b373beafe27cc11d85f947c

                    SHA1

                    1d6daeb98893e8122b8b69287ebd9d43f3c6138e

                    SHA256

                    717c09427fa5754ba92f92961545534048d0a76528c2e95c4d5ec6cef47c612f

                    SHA512

                    b3e34162e5ee43bb01f289eebc45fd3ea3e07f30be40dcf6635606540f912fe5c84d301e9f78e97dfe3ffe53e72547e50f3bcd7d4ebe5ab8da451a1989c469a0

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qprvgngj.j1t.ps1

                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  • C:\Users\Admin\AppData\Roaming\1000026000\3de546954f.exe

                    Filesize

                    1.7MB

                    MD5

                    73bbd225dee50a7cd44e58a8fc26e148

                    SHA1

                    6ac24985dc5d2e03d1c603c05b9b739b3e5bc7eb

                    SHA256

                    dc21dbe83a9a684aa2e77849977a9ab60e8c5b52af4e2a4f4f0aaa148dfda587

                    SHA512

                    5ab645b0da9e90cac4b66de3cf89325fde48de512bbedf7555c1da8da6dfdc193a7790d5b14c7215459acffe02cb393ff9f9b42dfccf0cdc78db413571f442f6

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                    Filesize

                    6KB

                    MD5

                    67f5aebb53d7bfe185423128a8d577d9

                    SHA1

                    ce497e5eb0ac9be84796ec6238308dfd2c99be64

                    SHA256

                    5fac4b4928c6c80ed90562fe47ca7ecd0e1f47e444ee9a3f95287dbee845ec7b

                    SHA512

                    51c1921b0460de4d8e006df73f376996312100d99595f12020bd73501cf31197860900f7692efba85004e345284a5465cec679771a57250f7433a4ec4f4fbc49

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                    Filesize

                    10KB

                    MD5

                    890972006f4936e421981ac18f8d5c00

                    SHA1

                    7efadd3123bf76bc0b6fe0c3b5d41e31fa8f5d4a

                    SHA256

                    a3de69a2a24f25439f3cb91f893cbc01524e9bc0662aeebfe7a309166eb30207

                    SHA512

                    fb83f81c1877fc13b261d1a55d6c24ddc891a66141439471cc0186026d554f292b0fd0ca5978fbc24d8385f2734c1c3107ebf72f929cec81800e21e67277fcec

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                    Filesize

                    12KB

                    MD5

                    f0da5284357e8b2665e3e214c940f3dd

                    SHA1

                    f75045c987c5b6169d95b2f6c033b4b9ec7cfa54

                    SHA256

                    24c0b692a976a75b540e0de978a04bacd85bbbe9cfdee85daeb7f1696bba3973

                    SHA512

                    b5a07236e13f7c6cf18b0d458263f81fe1e6cecbd83407e62d1f6a059b2aa0b3523863ad66437867477452016d13cadb8a7254783591d62019240970a1468c6e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                    Filesize

                    20KB

                    MD5

                    2bf72fb9833be3bfbe7362d1cebfeafc

                    SHA1

                    bcc113b2e8fcc4a5435b9b37dd8bcd836884b29c

                    SHA256

                    181e92106900f93f8a7ae047742a98c2f068cb5c1f43b7fd76a4c416b63f8817

                    SHA512

                    9015ae12021d1567b5149a5acf172374bfa9f3b80dcd91c3be2ed9a50e04e5b479478209b00f83d608a613fd631ec0feb585161a5b67879e901500bf7373725e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                    Filesize

                    21KB

                    MD5

                    8d07a9fd560f980757d1720d7c276ef6

                    SHA1

                    7c3802367747bb1fc264cf34e68e1c2ee4a413ca

                    SHA256

                    ab4fce2785089abd9450716dd905c6b6f7b98619529bc1a4deabc151eb9ade1d

                    SHA512

                    1730316101529e870b78735e0acb5f03ee0612a8f2c0cfc2a4c848e0c9823ba6b3d552bea9baadb1f9211b31f1c10d817d87ab51dbef593250b38d1287a7684f

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

                    Filesize

                    23KB

                    MD5

                    db2172b327ba3f806e5c92b6cf43cf46

                    SHA1

                    5fa70e337330716274654ce91af79b009d7c79cc

                    SHA256

                    f2dfb9e02ff1eb8919f050cf69988618fc559a89a65368a0bca00cfc60e6b13c

                    SHA512

                    e1dc06619af3a0d3dcd1b23a8f974a03d2910ec376d5d98dff445d65394d9302e14acd3b1c9b19718d0ef39ee9b3871f1c525ef3b644b0ddf855b12341a77bea

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    7KB

                    MD5

                    48ee3b825a54112b50658c593c292902

                    SHA1

                    9c7251578f6fca7394ef18b20358ada6df5eb875

                    SHA256

                    4d89401f73b833cb69a6259999107672d7444c922ca23c50a03832b0d8bfe756

                    SHA512

                    ffccb44b7b7ddfe0b5689b834329b5032af866944c1c66dd9525cb60035fbb80bc87c62cb036ecee143a5926696d39c2edcf7ab225a2d22a023052189225377b

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    33KB

                    MD5

                    504931ad0132b95b82d8c9f23aa338e3

                    SHA1

                    848ad9bc374eb9bd1e540ccb572db9f7bcc5c312

                    SHA256

                    8a318969f893cef04998f85faf694a2ec07013d072b87716d12521137eb00e2c

                    SHA512

                    60357d8614a0b2a8db41fa738b74d8a98a4e082b5ba2f678f0d5ea92d23720a0e8f55fade0530579496d62944ddfc85c23ece86cf926080f2b307fd96a047eeb

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    5KB

                    MD5

                    e34713b9bcc5bdc0ce9d2a77d02432c0

                    SHA1

                    1386a947ceb8178907d268f960e2dd74a840b2a8

                    SHA256

                    5998db3ea3cad75803c4e1da142d07b91af702e413b47260acd5b904f1ab6362

                    SHA512

                    a8bc12f5db051e7b0066a0bef1bb85ad70c4783fd4dc6cca84e52f8ca40e01c9220fdc5d783e4eaf2e935a5e6a817604765f8247199556abef38c5527a7c4f02

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

                    Filesize

                    33KB

                    MD5

                    48d86fc7acd8ce8f0a754292aed146b7

                    SHA1

                    5966f7f63b84b3781e5b4e7f4771805f6f88e668

                    SHA256

                    4d2c107652bca15c81a5e2357733b3a61b5e20e0cad0f8d51666915ae4a7d1f3

                    SHA512

                    beff98361ec137704318bbad8439f6abd2af771404a49f35ab6cbb4f001013163b03d8267ce93dc2e130cf93032f2f6910f0d9b652508cdd3de275f42a974c7b

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\693db4d3-e596-46ef-a912-d407224948a9

                    Filesize

                    671B

                    MD5

                    2e6c117264b4cc0674f53afcb80a7129

                    SHA1

                    84f8efa19c8da0eeeed39044dfdfbe7e4345ec71

                    SHA256

                    8987804e739aec976d20696373b705680837b001f7c9f127bc0a11dc9c30bf2a

                    SHA512

                    7130afeeab889cb16e68eeb88d01394924ca5fc2afa85dca4b48b455a3bc3820cf9828d4ffd8a53da750468e64aeec2f446211a77a8f7d70888899e25002a71a

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\a133b90a-04a4-4047-ab65-2dd08e13c340

                    Filesize

                    25KB

                    MD5

                    cc91789dd368496f564abfc90301e61d

                    SHA1

                    bb3f47056cfc29494dbd1dbe0ec8ffafbd4cb020

                    SHA256

                    4c3ad17fe5eb4df3868dc819a813c190cf013f23cea873b5d17750ed62c06170

                    SHA512

                    2227b3df3985363785bb2e3153b5bcb6c712dc65331dd858be71fb45c399563c974d87cbf43fd773f9b23f69c261d117b05ab001268ba9e78218c90cc3332b4e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\f827db34-34ab-4790-82ab-d4c87f205176

                    Filesize

                    982B

                    MD5

                    81036ba12c8f91f1ff9dbf860cdf7a48

                    SHA1

                    9dbb3b8e467c87a89e553a612fe4569b75094ac2

                    SHA256

                    6fe2e07ede7d59e81327e1639d9cc90d547ae82f913a8ea824bd14178972c398

                    SHA512

                    35d7717a0a27e98c0c155163ad80a3fa43b5937c25e31e0febb3c840f80a3985539ae3bcc1443f8f844b603ef9a867fa24f8190e1c9647eca082396db2174eb9

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

                    Filesize

                    479B

                    MD5

                    49ddb419d96dceb9069018535fb2e2fc

                    SHA1

                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                    SHA256

                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                    SHA512

                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

                    Filesize

                    1KB

                    MD5

                    688bed3676d2104e7f17ae1cd2c59404

                    SHA1

                    952b2cdf783ac72fcb98338723e9afd38d47ad8e

                    SHA256

                    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                    SHA512

                    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

                    Filesize

                    1KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

                    Filesize

                    11KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

                    Filesize

                    11KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

                    Filesize

                    11KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

                    Filesize

                    1KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

                    Filesize

                    5KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    1.1MB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    1.2MB
