Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2024, 10:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe

  • Size

    1.8MB

  • MD5

    45dd9a569cfe0c0629b04c7df06dfcd4

  • SHA1

    3376e39a006081cb9fd18bff5110eb12bbfa241a

  • SHA256

    33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1

  • SHA512

    dd158bb54b46b8c1f61d202af80f610cd7599d41b5c03977d25e2b95215daaf0c163cfe74f32499b1366a1904fecb010db2891be2a8d0ca85c4a176a8cdbc574

  • SSDEEP

    49152:nFJWTJAzOJ/Xw+HuLlmOskO1WeMJ2TKqLKo1Xxf:nCTJ3H4lmlkOEDCKo1XJ

Score
10/10
amadeystealc4dd39dhatediscoveryevasionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

hate

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe
    "C:\Users\Admin\AppData\Local\Temp\33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Users\Admin\AppData\Local\Temp\1000006001\457f3cf2e8.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\457f3cf2e8.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4408
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDBGDHIIDA.exe"
          4⤵
            PID:636
            • C:\Users\Admin\AppData\Local\Temp\JDBGDHIIDA.exe
              "C:\Users\Admin\AppData\Local\Temp\JDBGDHIIDA.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:324
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIDAAAKJJ.exe"
            4⤵
              PID:2044
              • C:\Users\Admin\AppData\Local\Temp\CGIDAAAKJJ.exe
                "C:\Users\Admin\AppData\Local\Temp\CGIDAAAKJJ.exe"
                5⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:4876
          • C:\Users\Admin\AppData\Local\Temp\1000011001\876d58e143.exe
            "C:\Users\Admin\AppData\Local\Temp\1000011001\876d58e143.exe"
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3208
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
                5⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4884
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54f09e6-8463-4fca-a322-76d907c670ad} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" gpu
                  6⤵
                    PID:2128
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adb9255-2646-4ae5-9740-7909f395f58d} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" socket
                    6⤵
                      PID:1980
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 2948 -prefMapHandle 3148 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {938762e6-5777-42b0-bf9a-0d707bc4c72b} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
                      6⤵
                        PID:4804
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3992 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 4012 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed6a9fff-6338-4e6e-9a7a-0f1181b800c1} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
                        6⤵
                          PID:1560
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4596 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80b9ede1-3543-4d99-8b9b-1a6f1e695b85} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" utility
                          6⤵
                          • Checks processor information in registry
                          PID:1660
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27131 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f518e229-7f23-49ef-90e0-687d5303ccc2} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
                          6⤵
                            PID:1740
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27131 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05be70b0-344f-4b9a-9603-d74a22ec0c57} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
                            6⤵
                              PID:952
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5748 -prefsLen 27131 -prefMapSize 244658 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b9a681b-ee18-442c-9491-d5dec727e108} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" tab
                              6⤵
                                PID:1500
                    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4584
                    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4416
                    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4584

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\mozglue.dll
                      Filesize

                      593KB

                      MD5

                      c8fd9be83bc728cc04beffafc2907fe9

                      SHA1

                      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                      SHA256

                      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                      SHA512

                      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                      Download Submit

                    • C:\ProgramData\nss3.dll
                      Filesize

                      2.0MB

                      MD5

                      1cc453cdf74f31e4d913ff9c10acdde2

                      SHA1

                      6e85eae544d6e965f15fa5c39700fa7202f3aafe

                      SHA256

                      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                      SHA512

                      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      21KB

                      MD5

                      e22962254786008950b0c0223c44a51d

                      SHA1

                      1818220d3f8878b5b119ebf192b0fc59992a839d

                      SHA256

                      d62e9239e763e0ab5c4d7b1ecc3dd2cf9d6f3bf0e48413624793258d848314da

                      SHA512

                      249bcb23cefb518871b9b421152429b24e893c0052f8c0c35fff1564c7ec96c0714da3cdf226f1a0f4d84cc23a84a7200254e8396b0a577a8293021567e42900

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
                      Filesize

                      13KB

                      MD5

                      837746a41312db2c54eede0173b4d513

                      SHA1

                      27ccc7127ce84ce68c3b912c368001559233275d

                      SHA256

                      4e787fe1d59571d536394c316ffaba614adbcaaa9a524e937717e5c4441a8e6e

                      SHA512

                      c107cbba4b813d8c8f65e2640e05dbb41fd78a9f68bf223c6a72a66b1a4f63e8930d64482513a4d1c1829ba9f538e72d778ad6f51a59b959f667e21b5be9df45

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yol9faaa.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D
                      Filesize

                      13KB

                      MD5

                      460e7996f86cb06405b6d6e8322ad157

                      SHA1

                      f4d565721011f9d940c9647d365bfe32ba83dae8

                      SHA256

                      69b1cce20e418039fbda7c40a29794d5e4f268f8ea18fd6e1881787765e48766

                      SHA512

                      d0ad9d7e3f6ef432e916ffb8170e0367f2754820d27bebe08e1a8f44bd0b2b925b57d0383eaef758d5ab43733f017ec7d68b8cf8820ebaef6d0ca068457f7574

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1000006001\457f3cf2e8.exe
                      Filesize

                      2.4MB

                      MD5

                      6df237049e2950a0da53ae449ade3db4

                      SHA1

                      5872182fc56499f265c841a068865245d692e971

                      SHA256

                      110a3616523579af31689b0adb305d0dde68d103d2d836b1e1649df802dac599

                      SHA512

                      dac17c622baf098208552e9a8dffb5fcbc5fce6404f7c76c8a555fd3bdd977ae732bd2225b9ac2ec35b694b7fc96750a7363b389f506fd891fa1a4014247e033

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1000011001\876d58e143.exe
                      Filesize

                      1.2MB

                      MD5

                      5b007186724d7e9e503a07b4d81462d0

                      SHA1

                      534940537380f689630b4b2c430a49d89bc3ad8a

                      SHA256

                      1a2b0b66d16f99a5cd0c4e88e0e56e186fdf7d7eae86f9bd776d6f2de9d7e971

                      SHA512

                      999498a8dec3f541eb59a42485d4bc265e3db41796409dd19a1135d6aa673645e269640b8cb5a4724ae072f1bf6952f856fe850ab08c371e96b2a6fa198bada0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                      Filesize

                      1.8MB

                      MD5

                      45dd9a569cfe0c0629b04c7df06dfcd4

                      SHA1

                      3376e39a006081cb9fd18bff5110eb12bbfa241a

                      SHA256

                      33710666d9f8d087b77b5912336ff568f469436c71aaacc805e53ffcc64debf1

                      SHA512

                      dd158bb54b46b8c1f61d202af80f610cd7599d41b5c03977d25e2b95215daaf0c163cfe74f32499b1366a1904fecb010db2891be2a8d0ca85c4a176a8cdbc574

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      479KB

                      MD5

                      09372174e83dbbf696ee732fd2e875bb

                      SHA1

                      ba360186ba650a769f9303f48b7200fb5eaccee1

                      SHA256

                      c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                      SHA512

                      b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      13.8MB

                      MD5

                      0a8747a2ac9ac08ae9508f36c6d75692

                      SHA1

                      b287a96fd6cc12433adb42193dfe06111c38eaf0

                      SHA256

                      32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                      SHA512

                      59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\AlternateServices.bin
                      Filesize

                      11KB

                      MD5

                      a76fb948c329fa556541c050f92fd919

                      SHA1

                      743cdb783691fe2ff2f0b22485be2cd3251b71ab

                      SHA256

                      d4020adace8ffe631bbb7c93deb5d3f6a74c0e6122200115e69b3bc5d134b093

                      SHA512

                      12904107e0631ed8e0f3adeb3578bbd4abb0ce8c6a9b20da82ae1dfb2b1210d3bf78cd285fb6d5104f3aa1c4b8417fcf37a558ded3b6f4c951e13d7755488aef

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\cookies.sqlite-wal
                      Filesize

                      256KB

                      MD5

                      6e0b9184fe6c0590d90f978fabffecdd

                      SHA1

                      064a0569a9b8dbb6242b73278dfb924cb8ed3259

                      SHA256

                      3ff7e088022a121e17e4284cd45b8ac6c2a7c557bdd1a4bc1e9043fe66363bb3

                      SHA512

                      f3fa5b5642f11f56b48d51e483f4e468169fed101b928f227b120c6931a9846be42ed0a591ba8b715fb6a2bf576f77ab2d1f6e2f254f70a386dee3df5d9f38dd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      de94fec449c3c8923ca76c558e5006af

                      SHA1

                      e71db046ae0506b36846e9a45ca6c3a64858ee4c

                      SHA256

                      af0a120762ed20f649c99314485d082ba87b7a9f92619005dcb07683c5fcf723

                      SHA512

                      4d9042af71a995b049be3a0ca6cf063c295cb986f4ebaaa244f1db14f90cfcdadd44732c1d1efc714d003aa01ad7c3b4d60e6d26f45ded1cec9d77b2ba9f3d09

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      a0a1c31e08d99ce951aba94f0557f68a

                      SHA1

                      5f4a357dd87efffbaa1cfc3195de992a3612eb2e

                      SHA256

                      2c1d834549f942a4ae812bd88c6c41b6ae523633176c9d924b2592ad5ef0dbab

                      SHA512

                      e40071b8cdb3b22e68d5de00ea1b942849edfa26b388e9cd7d31f2f8a90ba78218337a8075eba19e38d3c8c3ad867e9afb650d0c7ccbaedef8ed2492e2b3f7d7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      16KB

                      MD5

                      2ad5f92345b1dcb232408b6f54b4a902

                      SHA1

                      80dfe910b3b3eb84f535d880b4e6c5ef287d65f8

                      SHA256

                      293f9f53e9ef8059b690d2ed101ade71ac562946c16b17f387b3ea61f54d23ff

                      SHA512

                      b47c859216e568de14c0ec7bc27e0bcaa9a16f0bbe7820fa895ca3067b2ad0d2eb021fcce70b651e150dd4fe590293f737f365138c7b2b6999218da13be7cb8d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\814bb6f2-5376-4810-9ee7-38ef743ba2cb
                      Filesize

                      982B

                      MD5

                      8dffef63bd4896f2a962ab8d6cc25b49

                      SHA1

                      cc5f71f94845692aa852a2d810a4fa34cdb1325a

                      SHA256

                      ff541b37c462b1cc0c48b06b9c603d7422d91ed5789a18fd0e745713413b45bb

                      SHA512

                      1b2243fc90cae9341bc16a8701ca03b81dfafc17c396bee17dcbd5a4f87cfe564aab0c5ffb8b9de8d064f0e328c1fbf21d99501204f8a521d49fa5186c4be253

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\822741cc-1088-4f0c-ae77-d73cf392af1c
                      Filesize

                      26KB

                      MD5

                      adde43d81ec625b29ddb317b21705905

                      SHA1

                      98e9a5e049da8b93cd88e1d1ef0c35736e79882e

                      SHA256

                      f87c8502c05a4c36d8e2c5e91f1b40bb05b53971b191db2e3cbd6794041a6c56

                      SHA512

                      583c651284b9c5df99b23ff5398eba3c92f76bb124ba968618284d4a9e714b331fb9b9cea28f75c414f9c81c989b3853953e765eac9c7cf30a50dcac4634ef31

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\datareporting\glean\pending_pings\bbfb5ba3-4dd8-4f38-975c-ebb7cebcfdd8
                      Filesize

                      671B

                      MD5

                      e6897badfdf000b28c30489ba9d2ca92

                      SHA1

                      3135940c8842b41c50df5bf555cca1b36ff81514

                      SHA256

                      488be2c325dde3d8db216a75b65835aed406f9510772af7673ccbb804c733404

                      SHA512

                      940d430b7153f02f6a1780c6ff5aeb15562a2fb80b81119f5f8146b2df624a81b29ce2dd6d5b1747e2f08827382b6d16357c3f29b49c24e7698f48e1933e65d6

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                      Filesize

                      1.1MB

                      MD5

                      842039753bf41fa5e11b3a1383061a87

                      SHA1

                      3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                      SHA256

                      d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                      SHA512

                      d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      2a461e9eb87fd1955cea740a3444ee7a

                      SHA1

                      b10755914c713f5a4677494dbe8a686ed458c3c5

                      SHA256

                      4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                      SHA512

                      34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                      Filesize

                      372B

                      MD5

                      bf957ad58b55f64219ab3f793e374316

                      SHA1

                      a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                      SHA256

                      bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                      SHA512

                      79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                      Filesize

                      17.8MB

                      MD5

                      daf7ef3acccab478aaa7d6dc1c60f865

                      SHA1

                      f8246162b97ce4a945feced27b6ea114366ff2ad

                      SHA256

                      bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                      SHA512

                      5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\places.sqlite-wal
                      Filesize

                      992KB

                      MD5

                      46a4a4a94595e952284c71f8b79e1ab1

                      SHA1

                      6861abdf18c4a516de336a5ad81e588d1a39c824

                      SHA256

                      943e13a1d941b2f09048913c9eb4c5c4961b0bda693690151bad20f596955071

                      SHA512

                      83448bdfd9546df96980a46b7812b9c754affc8e4729adfa1a52fe06d7090c6cba518619738717542059a7e8c3077022b220e68c02a19d77148cebd13213f755

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js
                      Filesize

                      12KB

                      MD5

                      1e7c13eee4cdd1784d0f9374d65d3352

                      SHA1

                      5f4b670dc861e0eb2aabf01b2df99503ba4be928

                      SHA256

                      63843a1beac2d66bbcd7ebd1b74807291d519f37dc6d95309ee76cf2e71f092a

                      SHA512

                      8e351c03f3cef58471f604a7aecb6d1c96f3aa0b0353fcfd35dac992d79b7411893a1ef8e0879ad521ee339f6c3ec88ae9127a6cf84fb4e5eee1486019b653aa

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js
                      Filesize

                      16KB

                      MD5

                      14b1e9c09dfc53dca83907c8458e3a32

                      SHA1

                      2512d50a15e70284b783903ec1844b9d101d474e

                      SHA256

                      5aacdaf9807224512b676060dc95282cf1bb94b843ed52e9f0d49126d6849322

                      SHA512

                      a3c3c46beff83d1affc48a0be9095e97ddfaa70846be795cd0e0b439f69ef1ee1e1b0447c93a957c24b1f1bdaad6625d45a19a97d3796eeb7e9de5cac01ee71b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs-1.js
                      Filesize

                      11KB

                      MD5

                      aa482da427a3a25bafe6c021de0c1b95

                      SHA1

                      a0c3ab522aeec5589c4f98185d8bb075e8e9b6c9

                      SHA256

                      b75ae672377c76fe2667950000fc92b05f356755152789a3277791cd77f23fd1

                      SHA512

                      dc7cfc1cf666bf2363462e2d44c030336d0c326361eaf509f9c79c2f7090f48146282258005d5480af28a9bdc5a4afdc0dfc4ac29c63f9e742d1a93d43853440

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\prefs.js
                      Filesize

                      8KB

                      MD5

                      5ee7c1f2df0f33935ee51e697d708b11

                      SHA1

                      aac651a555b58c68f320647bfb72a751128c1a89

                      SHA256

                      39759b656c16b3c2e16bc1d985d59bace7ab2ebec272f167cb8b710aa4f1a582

                      SHA512

                      6477be8323de9aa585d996d5ea0298e20991870ddffa9228697e77883f83829105bf1c9293285e16374c45a46716dcab57be5cf2449677548fba404cdcd8bfcb

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yol9faaa.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      9.5MB

                      MD5

                      54485740cfd31e89dee66f3cce49416b

                      SHA1

                      1c824f87ee17349544db60f354a98b389c0322e8

                      SHA256

                      d71e69290b482273a1977bcdaf0be72d41f5d94c7aa2594ed9787cf2445b80c8

                      SHA512

                      2d599306f3a128fabdfb3992f7bef7f11e7c19964b2aa57fec6ba81a29bd43ab3ecc2d389742adba1b9cb6f72df7eccbf539d040ec261b4751dad68fe197571a

                      Download Submit

                    • memory/324-498-0x0000000000450000-0x00000000008ED000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/324-492-0x0000000000450000-0x00000000008ED000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-18-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2901-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-21-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-491-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2917-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2911-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2907-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2906-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-509-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-510-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-515-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-20-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-19-0x0000000000381000-0x00000000003AF000-memory.dmp

                      Filesize

                      184KB

                      Download

                    • memory/1976-2905-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-354-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2904-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2903-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2892-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-2829-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/1976-1546-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4408-490-0x00000000000D0000-0x0000000000CB0000-memory.dmp

                      Filesize

                      11.9MB

                      Download

                    • memory/4408-37-0x00000000000D0000-0x0000000000CB0000-memory.dmp

                      Filesize

                      11.9MB

                      Download

                    • memory/4408-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                      Filesize

                      972KB

                      Download

                    • memory/4408-478-0x00000000000D0000-0x0000000000CB0000-memory.dmp

                      Filesize

                      11.9MB

                      Download

                    • memory/4416-2896-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4416-2900-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4584-73-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4584-98-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4584-2909-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4584-2910-0x0000000000380000-0x000000000081D000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4656-3-0x0000000000E60000-0x00000000012FD000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4656-1-0x0000000076F14000-0x0000000076F16000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4656-2-0x0000000000E61000-0x0000000000E8F000-memory.dmp

                      Filesize

                      184KB

                      Download

                    • memory/4656-5-0x0000000000E60000-0x00000000012FD000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4656-17-0x0000000000E60000-0x00000000012FD000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4656-0-0x0000000000E60000-0x00000000012FD000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4876-500-0x0000000000150000-0x00000000005ED000-memory.dmp

                      Filesize

                      4.6MB

                      Download

                    • memory/4876-496-0x0000000000150000-0x00000000005ED000-memory.dmp

                      Filesize

                      4.6MB

                      Download