Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe

  • Size

    1.9MB

  • MD5

    4677c508190bb4d41c07adf244226dc8

  • SHA1

    13f0fef0d61f1c7ecd5681ce95d8c7a30d894b8e

  • SHA256

    be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd

  • SHA512

    3006a047e583b589d60b61fefc961856d820f5936d214bb9f33f18e989804ddf7b7da07e0d9940ef07f3d7c527bf01f308d07c2c7fddd975165ddf72ba863803

  • SSDEEP

    24576:NE2foL7YIOQGJpuaMCfQiFhQWxit32CvpDM6QMYm02QfN5rOFA4eAItjKOT77uuM:NFoP+Q6w4fzATvtMLmxQfP5d17ugcv

Score
10/10
amadeystealc0657d1defaultkoracredential_accessdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes
  • install_dir

    0d8f5eb8a7

  • install_file

    explorti.exe

  • strings_key

    6c55a5f34bb433fbd933a168577b1838

  • url_paths

    /Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

default

C2

http://185.215.113.24

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe
    "C:\Users\Admin\AppData\Local\Temp\be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\1000036001\e271e93a68.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\e271e93a68.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3088
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c7c2a05-1f98-4198-8699-dbb0f4d9fb08} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" gpu
              6⤵
                PID:4780
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2388 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919984a4-f9c8-4b7e-9cd4-d432f9949c39} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" socket
                6⤵
                  PID:4544
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3212 -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 3204 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {110b33a9-5fa7-49da-914f-7d918dd8ab4a} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" tab
                  6⤵
                    PID:4420
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e2a9dc4-fb83-4b28-a2a4-27182f6885b4} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" tab
                    6⤵
                      PID:4308
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e7c941-614c-44c5-b1bb-cbf1e8eb5a86} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" utility
                      6⤵
                      • Checks processor information in registry
                      PID:3536
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 3 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdbcd3d3-044d-4c50-b1f3-7af0e178ab73} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" tab
                      6⤵
                        PID:4336
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5880 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2251a9a7-1def-449f-9016-6d89e2553d66} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" tab
                        6⤵
                          PID:4132
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5892 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1febdc75-1bba-491c-a64e-b34769480dac} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" tab
                          6⤵
                            PID:1124
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6132 -childID 6 -isForBrowser -prefsHandle 6028 -prefMapHandle 5824 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b0b1240-9786-4503-8fb8-a88085e06543} 2660 "\\.\pipe\gecko-crash-server-pipe.2660" tab
                            6⤵
                              PID:4048
                      • C:\Users\Admin\1000037002\6feab4cd4e.exe
                        "C:\Users\Admin\1000037002\6feab4cd4e.exe"
                        3⤵
                        • Executes dropped EXE
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:1684
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1384
                          4⤵
                          • Program crash
                          PID:4860
                      • C:\Users\Admin\AppData\Local\Temp\1000038001\229c464510.exe
                        "C:\Users\Admin\AppData\Local\Temp\1000038001\229c464510.exe"
                        3⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:4132
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1684 -ip 1684
                    1⤵
                      PID:3480
                    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                      C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3064
                    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                      C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5116

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\1000037002\6feab4cd4e.exe
                      Filesize

                      2.4MB

                      MD5

                      37a0929b19918e97a78e12deca6d41bb

                      SHA1

                      eccdca67543dcfa735126b76fcd0d8573c788b93

                      SHA256

                      eebdf6b9a3379b2c150cefbce99478ac46794bc57b4d4e417cc08555b1e208c0

                      SHA512

                      b1538e41655f0eaf31175cf6e3f13e29cbdc53e890062dbcd1fa76b4086153364c7a1246bb8e19f34e5f75be3fc8f2e8d4d302ea18c4d926c1a7667b78dea353

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      18KB

                      MD5

                      07a3cc65d50895d89c41b985d5cf45ae

                      SHA1

                      3c79558e58e02efb04e451dce857930b6b244c75

                      SHA256

                      0a0781cff9161a0878ffb47286b6ba7aaade7cc209726cce76f714f624e03cd1

                      SHA512

                      121c8227863c7ac44688cbb94e3230236fcd8168ca05905de40b96ba2ffd67d1963650edd4b5f7313ef3acb0635ed97b8538eef4cc0b97a77471c22e6783785f

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
                      Filesize

                      13KB

                      MD5

                      bb36c955a62589ed7914ea58ef35da79

                      SHA1

                      d63cc2aba73c5b574b19886de88b6d788992fc1c

                      SHA256

                      b238d6675415f5868842e5a67d4882a8c630083f827a7d1e420a4cd8b58a6944

                      SHA512

                      3d6f520245ace652e494ecc2b6a79c3705d97cf680e66ca0314ae488d89822ddf2fdb3e3f28fa424b30b5b622e4ced69544bd1a7a858089e0f3a6f4fdf7547fb

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                      Filesize

                      1.9MB

                      MD5

                      4677c508190bb4d41c07adf244226dc8

                      SHA1

                      13f0fef0d61f1c7ecd5681ce95d8c7a30d894b8e

                      SHA256

                      be7fb59ebd2d12172a01d9ec641b64444f18ac7e72c1df1b27f9207ce67e34bd

                      SHA512

                      3006a047e583b589d60b61fefc961856d820f5936d214bb9f33f18e989804ddf7b7da07e0d9940ef07f3d7c527bf01f308d07c2c7fddd975165ddf72ba863803

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1000036001\e271e93a68.exe
                      Filesize

                      3.1MB

                      MD5

                      19417b03222b012127038fb25e2eb2d3

                      SHA1

                      79bd763cb76d85c5eba125c41c9185b70e996a99

                      SHA256

                      ac3c551f36ea2c77d8685944cab9522b9b379935de874f84388abf8be0c45f9d

                      SHA512

                      2e063757be6571d4c9943509ffaf3972ed0490130c483e54cff51905a35352afd91499798a7273ab039e6f80a93e3cc3137bf756ca7df1a9b411337bc918dc8e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1000038001\229c464510.exe
                      Filesize

                      187KB

                      MD5

                      278ee1426274818874556aa18fd02e3a

                      SHA1

                      185a2761330024dec52134df2c8388c461451acb

                      SHA256

                      37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

                      SHA512

                      07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      479KB

                      MD5

                      09372174e83dbbf696ee732fd2e875bb

                      SHA1

                      ba360186ba650a769f9303f48b7200fb5eaccee1

                      SHA256

                      c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                      SHA512

                      b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      13.8MB

                      MD5

                      0a8747a2ac9ac08ae9508f36c6d75692

                      SHA1

                      b287a96fd6cc12433adb42193dfe06111c38eaf0

                      SHA256

                      32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                      SHA512

                      59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin
                      Filesize

                      10KB

                      MD5

                      9bf6c9a248e3719aeb35ad4ed1f81b23

                      SHA1

                      314a1547325b47acff4b12948873ab437ed9bcfe

                      SHA256

                      48aaca1703e7088353aa4fe1c3785a6e9882056aa52e5df051e8c4c4a9650574

                      SHA512

                      48229b948ba4bb6ce068b4a65bd1fd3392bfdc63040818fd0cbc8a3d35e01362530d9d055236c908164aec73f678f41743f5ab8348936503649617b36bc3fb85

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      f6e7ac0d13dd5f117f2c29d9223c2802

                      SHA1

                      407776a11ac0cd8883402e3c5203e2f27ffe2a35

                      SHA256

                      ab5681bc802784a5c835b99b3493a9bbde78be4b333d423a385068ef09cf265c

                      SHA512

                      4db211fbedc75cbdc9a007eec9972e0215c5c7611b47c060e2b8c6b80418f476ec3aa7c432b5ad2a08b44aeb9f8e9cacafef3921c8264f28a042e0c719f12fdf

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      31KB

                      MD5

                      6443fc95720b0d64dcd7c57fc78a716f

                      SHA1

                      330ec30cd57ecff0e9abac6de24701adc4a54fd1

                      SHA256

                      5d406914e82cc587eaf9ca8de27746657fa4726d60025b35c18a12c63c519e77

                      SHA512

                      9bfa4bc4aed1883e5515edb107ab5504cecf38d907f25d423c1e55d155c0fe3d300e9ef79ac6e6f8d04ad98feade4c9f0a96c34d05547c4d479434b658d4caf7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      2152f3027ff344c63f94d238e61fa6d4

                      SHA1

                      31b336d56635f005ab06bef0c5739aa7d9653e9d

                      SHA256

                      e2725c9e433dad74db505b6c0ba3be934b5a47dc1c35acfb783a95619eda35e9

                      SHA512

                      259eb4457e6ed7e8a6b928acbeb9e41a9920b16655272dcde65cc15269961a013afa926a2fe924f1ced40f68b85689c564b43041a5267f28a74aaf912775c4ef

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      efce2c5cb767898709dc42a98971f7b6

                      SHA1

                      4f0fcbb568fe3e6bdbc0b23320ce87ad25e1cc9a

                      SHA256

                      22d822f9f7a531118344daa354374ecdf1bd431f4cad192d5115ddee8ebde13d

                      SHA512

                      444824dca9b55a079af437f88b408a16f021cbca406c91465a283abfcae34981e916c933b8d38158a581d8278bbf092f08dab6bec15712fd44d7cccac4609bb2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      06f2f223783a4ff5a962de0e4d391dc3

                      SHA1

                      11a952cebcf1101e24d402048a02e66944307b9a

                      SHA256

                      df7750e88dac1a9d6b4bbca35186fefcb0f6117710654fcfa30fc18e11fe3261

                      SHA512

                      e129353f5933bfa847a6153af7d3750d2f94551cdec3cb3a03d7c95dc3a5fa98418c5cdbf86465b92ab4e8512565ade30ff6153ceeb11dbe48a62e644ba26efd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\07c54251-d01a-4c95-9a6c-e3b00f35e6c5
                      Filesize

                      671B

                      MD5

                      02b7a2d6cb6b7c7ce77ba088017b9cc0

                      SHA1

                      c734925e5ea94aa781e567fbe7c761a4827080ed

                      SHA256

                      6f0e2486c58330c19716788899d74053066a0ad531506a48e5265e8fdb2f4923

                      SHA512

                      d729bafabb4e4930863df5f1a4c0e88075866b2309a2acad2b8a1475c0ae0387a186dc97aa7ef7cc904e619dc6368d520b2e2cda151298a6994e8e7ccca892d1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\13f12699-ac45-4643-a487-5c38f7a2fb58
                      Filesize

                      982B

                      MD5

                      79d003488b1a662f4255c8e4cfc47277

                      SHA1

                      b57c2923c7edef3faaf9dcc3dc1af458fa5691b6

                      SHA256

                      c7dc80c6ac65be3fd82319e058f4340749b23af2677d441242134500fbfe02a8

                      SHA512

                      2a12b50f1bd932232b4fe2d2dec19c5b4f71438fdbc99cf22f731e41b8d3cd5af66d97ee471258e25d0f9089875d0de733474879fa437d4b107cd5c714473ad7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\3a5b4f26-31bd-48dd-88ea-4e0c57a52dc4
                      Filesize

                      28KB

                      MD5

                      c8a47cf2c1d517eb3cbc6412b8854531

                      SHA1

                      ed07c093b28778ccc548b9fefb7aba62ca265972

                      SHA256

                      231c43a245e03cf7da01bc4efd49105ae60ca6f016bc1b3bd4bc5104e14c145e

                      SHA512

                      dde45f1a32b900fe382afb5edb1a4d857c113d6319305631c64392bc558dd804d4c5d328ec3b5f69ed9a98a50d10ca1574c7c53fcdd07b3c28242a9ba43a6c8f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                      Filesize

                      1.1MB

                      MD5

                      842039753bf41fa5e11b3a1383061a87

                      SHA1

                      3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                      SHA256

                      d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                      SHA512

                      d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      2a461e9eb87fd1955cea740a3444ee7a

                      SHA1

                      b10755914c713f5a4677494dbe8a686ed458c3c5

                      SHA256

                      4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                      SHA512

                      34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                      Filesize

                      372B

                      MD5

                      bf957ad58b55f64219ab3f793e374316

                      SHA1

                      a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                      SHA256

                      bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                      SHA512

                      79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                      Filesize

                      17.8MB

                      MD5

                      daf7ef3acccab478aaa7d6dc1c60f865

                      SHA1

                      f8246162b97ce4a945feced27b6ea114366ff2ad

                      SHA256

                      bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                      SHA512

                      5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js
                      Filesize

                      12KB

                      MD5

                      4f765c6eb25fa8694a5fc684edf0ccb1

                      SHA1

                      33fdae697ba1f5ad738ce21e32ef3bb7289c44dc

                      SHA256

                      b3d637f843099dc703b2e3d62190b2eccbce136bb8794cefa1ce6c5cfb713fbc

                      SHA512

                      a4ac2dbbb7c5b2cf711570eb21a1ca161e9056c5edc79baf0e4a8b6e875c202a0f68f474b61b8584ec91b81d4cff3db4b68f3938d2822bf3e9ebc674afe2d002

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js
                      Filesize

                      16KB

                      MD5

                      af98dba278c4c217b06f1d2c6c6e7e63

                      SHA1

                      34e2fb59e85a44259a1edd24b09dae610367c46f

                      SHA256

                      14692da3660ba2c0ba09c6dd867ecfdbd0a4486826904f7e7a8625cb05e8e94a

                      SHA512

                      ec8f208618a92458d725e41f040074a104c2bfcd7b7ae746361aa6772356b1730527dcd92b3804de6322ae57a7b796d9b6f5ee941a5b4a6442f80ad3eb9969f3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js
                      Filesize

                      11KB

                      MD5

                      2ee8b927d0346a653be545dd2774dc55

                      SHA1

                      a570416d07c1c72133db75d5558225954d3095e3

                      SHA256

                      3e5fb4eb4c7cd2d39736e0271a8b9a99d31bb15ce5d62e4b1ccf73fab56618e0

                      SHA512

                      c5ac9b2b087e9e75cb838947fb27475229fc73bf184b1da9898714f5d535bef2bd2898270bda9943403c72a761a13b938221c397394e77431a6da65e1d7ba16c

                      Download Submit

                    • memory/856-2577-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2590-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-610-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-39-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2581-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2599-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-450-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2569-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2415-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-1474-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-464-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2583-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2585-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2579-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/856-2597-0x0000000000D60000-0x000000000185C000-memory.dmp

                      Filesize

                      11.0MB

                      Download

                    • memory/1684-56-0x0000000000400000-0x0000000000FDF000-memory.dmp

                      Filesize

                      11.9MB

                      Download

                    • memory/1684-366-0x0000000000400000-0x0000000000FDF000-memory.dmp

                      Filesize

                      11.9MB

                      Download

                    • memory/2464-2575-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-17-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2598-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2591-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-21-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-469-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-947-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-463-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2198-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-462-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2589-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2584-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2568-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-451-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-411-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-19-0x0000000000F11000-0x0000000000F3F000-memory.dmp

                      Filesize

                      184KB

                      Download

                    • memory/2464-2578-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2582-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-2580-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2464-20-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3064-2564-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3064-2562-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3540-18-0x00000000004B0000-0x0000000000989000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3540-2-0x00000000004B1000-0x00000000004DF000-memory.dmp

                      Filesize

                      184KB

                      Download

                    • memory/3540-0-0x00000000004B0000-0x0000000000989000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3540-4-0x00000000004B0000-0x0000000000989000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3540-3-0x00000000004B0000-0x0000000000989000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3540-1-0x00000000774C4000-0x00000000774C6000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4132-73-0x00000000005B0000-0x00000000007F3000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/4132-72-0x00000000005B0000-0x00000000007F3000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/5116-2587-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/5116-2588-0x0000000000F10000-0x00000000013E9000-memory.dmp

                      Filesize

                      4.8MB

                      Download