Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2024, 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe

  • Size

    1.8MB

  • MD5

    a551c4cc7296af05a51ce367e84bca6a

  • SHA1

    b660f9ece06d72523ab860dc11d21cc516a89f88

  • SHA256

    1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09

  • SHA512

    14a8880ca3205f8d62afc8876c7015415c35ebfe530a4a1cab0f474565d3cc6fb3b54ae3cfe8faaffe96a7d8ad6a0c73b68b890fbfb950fff08ea278bc5aa03b

  • SSDEEP

    49152:dtv4SOUyxZep9Ehgd0QPJPQ+z/fj6hTb2Jf0Z7ctAT:dF4T3ZCTd0QhPQon+hu9eP

Score
10/10
amadeystealcc7817dkoranordcredential_accessdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

nord

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe
    "C:\Users\Admin\AppData\Local\Temp\1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe
        "C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
            PID:4524
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3728
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1172
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                6⤵
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:764
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {930668c9-8d00-4d92-925c-edc16355764f} 764 "\\.\pipe\gecko-crash-server-pipe.764" gpu
                  7⤵
                    PID:2700
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dfdfb9e-be47-4f83-8ff2-8551a0cc7027} 764 "\\.\pipe\gecko-crash-server-pipe.764" socket
                    7⤵
                      PID:1984
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3120 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c61aba0-ec27-47bd-b5c6-609bcad69892} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
                      7⤵
                        PID:3152
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3968 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2da54d12-c86e-42db-9b59-806926dff51c} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
                        7⤵
                          PID:1720
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35078fb8-99d7-45af-9685-b31e74153a5d} 764 "\\.\pipe\gecko-crash-server-pipe.764" utility
                          7⤵
                          • Checks processor information in registry
                          PID:5320
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5392 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52c7f8a3-cce5-4d6c-a87d-2697498cfd8e} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
                          7⤵
                            PID:6076
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5588 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a5ca59-8ffe-4120-b055-ae669c0b9eef} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
                            7⤵
                              PID:6088
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 5 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50706199-f317-4134-be35-f2a2237a8da7} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
                              7⤵
                                PID:6100
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6360 -childID 6 -isForBrowser -prefsHandle 6368 -prefMapHandle 6364 -prefsLen 27039 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09911f29-47ec-43ef-84bf-cb471f0f4405} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
                                7⤵
                                  PID:5244
                        • C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe
                          "C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:4556
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:4472
                        • C:\Users\Admin\1000003002\723b7eb608.exe
                          "C:\Users\Admin\1000003002\723b7eb608.exe"
                          3⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4464
                    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                      C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5772
                    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                      C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2996
                    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                      C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                      1⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5744

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\1000003002\723b7eb608.exe
                      Filesize

                      187KB

                      MD5

                      278ee1426274818874556aa18fd02e3a

                      SHA1

                      185a2761330024dec52134df2c8388c461451acb

                      SHA256

                      37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

                      SHA512

                      07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
                      Filesize

                      13KB

                      MD5

                      f67bee32c0077e5210032ca69d4f4de1

                      SHA1

                      713280c0bb9e33318d6f23378195fb681ada2a41

                      SHA256

                      11e81d689f077d9c98beb25233f1de9dd884bf7668f004fc2555a6da0d0c6372

                      SHA512

                      9925448b717c817f45babf0cbd5d27093cc5d4fccdc6c9c9b849981af2fb5390d3c908e8042545e18faf138ee8fa6efd3d19f1d167dd66709ca94f534ac416ce

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
                      Filesize

                      1.8MB

                      MD5

                      a551c4cc7296af05a51ce367e84bca6a

                      SHA1

                      b660f9ece06d72523ab860dc11d21cc516a89f88

                      SHA256

                      1a57e34d85775c7335f37961bc07658a839d04931a31ad07380985fce3e10a09

                      SHA512

                      14a8880ca3205f8d62afc8876c7015415c35ebfe530a4a1cab0f474565d3cc6fb3b54ae3cfe8faaffe96a7d8ad6a0c73b68b890fbfb950fff08ea278bc5aa03b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1000001001\45922c1dea.exe
                      Filesize

                      1.2MB

                      MD5

                      839be7c9a15556648c2c0fcaa9bfc281

                      SHA1

                      90a16d02ba8d7e8d3446937d385b4bc891ed6367

                      SHA256

                      94a674f673bd386a4f192d505b7317687e15185b176c0f3e3b9df437677a961a

                      SHA512

                      26f2a50c67901b3b9fa3b1666069899ebc763437d5be7dee46a972a0f10038ef04ed9ea8a7e20f671fb86a7cd8c8ed73c4bb36441db0d24da64fa1a78fd57d00

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1000002001\60ad5a8e84.exe
                      Filesize

                      206KB

                      MD5

                      aa22e27c237d9c1753c1d0f5b33ed5cc

                      SHA1

                      4a2814dd180be11b9cb1ecae696d7a7d579e5d84

                      SHA256

                      ac7db8694704845e72e96199e21f95630177f59dd7139139a5d1cbe1b26334a8

                      SHA512

                      11fdc766d7ec9aeb414d1fd778b5bb58650756db081c4b8e85f1a9c0a160e13bbfcd94b5bee03cffb14c0b1f997425f0f76d8a4bf1d81c1b5a1644474c946780

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      479KB

                      MD5

                      09372174e83dbbf696ee732fd2e875bb

                      SHA1

                      ba360186ba650a769f9303f48b7200fb5eaccee1

                      SHA256

                      c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                      SHA512

                      b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      13.8MB

                      MD5

                      0a8747a2ac9ac08ae9508f36c6d75692

                      SHA1

                      b287a96fd6cc12433adb42193dfe06111c38eaf0

                      SHA256

                      32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                      SHA512

                      59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
                      Filesize

                      16KB

                      MD5

                      a5d16b6ffa016f8ac25cf2f7e3983bb8

                      SHA1

                      a899ee0a6cb33f8788bb7fe78ac278f87d1faa67

                      SHA256

                      48e3330ce516971b2b9fdbeba4957e634e09581da135553a4e743aa528ee2596

                      SHA512

                      63f950900e73a61b6101f02bb89851295d021e607e77c7a3097773778a0a25e61bc3f2d31bc9c8fe77dd94b7247a00d292c541bf2813906caf1fee0d125fe702

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
                      Filesize

                      7KB

                      MD5

                      015c314f286fbc2e4a48da17283a372f

                      SHA1

                      668fa9cc8e51fc49d97242b7543cb033187793a0

                      SHA256

                      c64a65509a7e089e4a38ead1879b49a1e46a944a830a1df5bc24e9bf0c5b100b

                      SHA512

                      e9bc6d74a9affbfc416bdb8b91f77c2bf85a501d084b309289ed13484396bb355e5eff3ef7055c7ad1a2ce59859794820aa3dbcc2d662d90142d992c4e3256f9

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin
                      Filesize

                      10KB

                      MD5

                      a9fdec2a6b0f9519843277a46752460a

                      SHA1

                      c697f5390951b634541b0eb8670966cce3f1be91

                      SHA256

                      b30dd6823fbe899385e62d7a326ebac6233602256c675bfacdb9fb2a52fe0ab8

                      SHA512

                      e73b8311bd8ee82eecc8fc8548bdc204a22161c99139348cfce67928214c62f0c7b6cc1da88fe9ff81c2eba90f17d109ed9ef876c93e118cfd16f5b862276fca

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      cef7a9aec7bff53697d4b6a7309fc957

                      SHA1

                      f85c635c3f6fa6e7a3e5c565209decf37723b40a

                      SHA256

                      3f2d65ec18664ec50a88280970fc0cec5410a655baa859cb0304f7923c706938

                      SHA512

                      d48000e545a361af20c3641e35869ad62489e7ab9e48be3abc29c87bf51b59560d38cc7f37427ead25abf37b117cc81df221c8534b7eafaeec10d749df83d07f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      16KB

                      MD5

                      8f34abb2135335a030eb29c76758c60e

                      SHA1

                      d0ca5f80541d76e3d2dc904114433d654931803e

                      SHA256

                      f7b71d97b223dd1b84adb33be9a0ffcd3cfa7a75fdd9143f594cb8ba52c42739

                      SHA512

                      3865df146b08f3e4eece5a9e23ff1c7b9a5e92c7664654952c7b2d22bf249a5ed1b3d09074a7ab4ddca8ec59b1061781b9ad08d30850e583712e3d066e686a66

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      16KB

                      MD5

                      c26376b14230f2708a8698b37af09e11

                      SHA1

                      1f08303ecf770fe9593f3858b81d997ab6a9d3a1

                      SHA256

                      d982630a4ee2d6f06b6c395c267549861cc020f0b3f5df5c0db8e954e28344c2

                      SHA512

                      3d137e75ed0e2c23d6b8db4aeea9e5fc78195a749e315fdc3491610cf2e7bffbed4425cfde566bab8323ba34432b6665f81282b436698487d538c35ee5a992ca

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\08d9b8a5-f6e4-49ed-8672-437491f02297
                      Filesize

                      982B

                      MD5

                      80d14f335364024645e03a0cb5a8a60a

                      SHA1

                      eaa4cfb2ecdcbb92da6d182baf8ca2c3aa555645

                      SHA256

                      2e12599ecaee0b36749b28335974bfeb868ec239e2fb0175d827f3e89be05aea

                      SHA512

                      13d777094fbe11ffe87c77fe08b2eb936933ceaa6b6b31fdd389bb96a442c46b6979561bc3169f47a53d13770be9a7ddad9ef1b306eb45a46f7ce95fed11087d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\1f24fc78-7298-4667-aa14-de3626f9bf56
                      Filesize

                      671B

                      MD5

                      9f0ee9a67eab08e909cee5426cdc9283

                      SHA1

                      52703ab563d62ff8781cc542f72b69cb48f0b4fe

                      SHA256

                      e2fa759a29e86b2fd325a89e41e45b1d2ed2eac87fbdd2ed99e357d567449739

                      SHA512

                      d54dd13b993677cb5498f09dc8de94e6c0cb84f0d15bb9365f9cafcd64cec124ab77938098a0cc787bf228395cf75a30c8b6726ca84c34d4efdcee7fcae8e9af

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\3e791817-ac8b-4115-ba9f-edd9e28bc64c
                      Filesize

                      27KB

                      MD5

                      e588a7ec6b90a92e56805eb2d9c74c2f

                      SHA1

                      931f9858a94f27c31d15c670deda69b946da9842

                      SHA256

                      f56718c727143f7cf337ffccf665312c1a3d32dbd8f3ae58e6aa4735706a3558

                      SHA512

                      9bb22f384a772e484b148f42c0f1db62703e8b8cc1a1177c0857c4d89826cd90375939b78bb8650981d7b7ed900fce25c45e8098f08cc3c89c92d45cc98142d5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                      Filesize

                      1.1MB

                      MD5

                      842039753bf41fa5e11b3a1383061a87

                      SHA1

                      3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                      SHA256

                      d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                      SHA512

                      d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      2a461e9eb87fd1955cea740a3444ee7a

                      SHA1

                      b10755914c713f5a4677494dbe8a686ed458c3c5

                      SHA256

                      4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                      SHA512

                      34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                      Filesize

                      372B

                      MD5

                      bf957ad58b55f64219ab3f793e374316

                      SHA1

                      a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                      SHA256

                      bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                      SHA512

                      79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                      Filesize

                      17.8MB

                      MD5

                      daf7ef3acccab478aaa7d6dc1c60f865

                      SHA1

                      f8246162b97ce4a945feced27b6ea114366ff2ad

                      SHA256

                      bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                      SHA512

                      5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js
                      Filesize

                      11KB

                      MD5

                      f4970fdf213223b00f6cbbba1f271c08

                      SHA1

                      54922a8fb0ac26b785837357a762edbef8f573f7

                      SHA256

                      85c4bc4f0af89fa8ec56a2585168be90564a18221c6a98cc2fac517fff6b25f8

                      SHA512

                      27bdbcbddb99c5a98b4ba7c483fd70e03acf43ff8fb679950c3b01084802de450c46bd5d4734c2c221a8cc485540ab8b14911e95dfb6caadf42e8221c6d05d04

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js
                      Filesize

                      15KB

                      MD5

                      27d9dcf00e7dd0737e6785aec65d388f

                      SHA1

                      c3c1e35e463494eefbaa3db192d20318331f330c

                      SHA256

                      3b0f776601e12f4e4829e4cd76da63ff91941f8a1ffadfddaa3e2ea7b1a15714

                      SHA512

                      7c22fe956f0270ad4234bf1fd8f79988f75b3cc9cb8dcfea33248d296a8df7336015502d81948b9ea7282255b777386198a9724e7725591067e542002730cd8c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js
                      Filesize

                      11KB

                      MD5

                      cedc9d0ebf47ba4a91176b9699850831

                      SHA1

                      821d81e9cb358356eee3968eb6ab9dd227a7b991

                      SHA256

                      1de8042a5de4d7b70313430905f84b6895a62bffafd5ea1885b33fd5f49c7d29

                      SHA512

                      d7d1e0945523650ae042de9bfb425b77bd87b0b5bbc730ac78439488f9e44e1f108b070efbb461805dea3ad628c7e6c26410535a855a5a1b79c8f3ebe214d4fe

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js
                      Filesize

                      11KB

                      MD5

                      a2c34616236a9cc71d8d85f61894091d

                      SHA1

                      3e410b018bd571be7ab96d707e33bf5e7e9c259b

                      SHA256

                      958d479b3fa9b65f0781e08ffa3669b497316a4aea4406a7b2b6a6c57a49bee7

                      SHA512

                      1576bf7153ec44ac7b7d5c602d53927be694b2669caf18e6da036955c562ba2bf25c6ec9dbf65206546dfe175ce3a41a8ca389c8507e4aed661f057684cc4875

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4
                      Filesize

                      5KB

                      MD5

                      aeaf4a2e2680010c33c0b1cf98967342

                      SHA1

                      14828ffb012108a88877534c082a1afe57ed86c6

                      SHA256

                      7a0269d6cc3f19e2b2be65404c03d5194c861e3e084ec4236319002e0daa244e

                      SHA512

                      76abea34bfad6298c0c49e652afed68c99106b6601413f5fa384d6a50a46a611efa770af68cc70215be8fc1f8c5b3a60981f4840f5cab4adb91a618918d345f1

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      1.1MB

                      MD5

                      724a766bcff4a9a3be0c58bcc9bc2a7b

                      SHA1

                      6474950a15115cc9520e80f55212fd670baf6a03

                      SHA256

                      33e4c28b9ce48fcc9b2dda8cbd5371a8b801d6532f396489ae77053b0a03fba9

                      SHA512

                      6141cd392bad1687e1b93d2fa529eb71bc3e2290775a6219f26eeaadf610c2400a41b800880f47e86a1135d6c4f9725c69c90b756822dd4b4f28f63da5859b96

                      Download Submit

                    • memory/1896-44-0x00000000737DE000-0x00000000737DF000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1896-45-0x0000000000F80000-0x00000000010B0000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/2824-2-0x00000000000A1000-0x00000000000CF000-memory.dmp

                      Filesize

                      184KB

                      Download

                    • memory/2824-3-0x00000000000A0000-0x0000000000567000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2824-1-0x0000000077BC4000-0x0000000077BC6000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2824-4-0x00000000000A0000-0x0000000000567000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2824-0-0x00000000000A0000-0x0000000000567000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2824-17-0x00000000000A0000-0x0000000000567000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/2996-2976-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/3728-49-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/3728-51-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/3728-47-0x0000000000400000-0x000000000052D000-memory.dmp

                      Filesize

                      1.2MB

                      Download

                    • memory/4284-19-0x0000000000A61000-0x0000000000A8F000-memory.dmp

                      Filesize

                      184KB

                      Download

                    • memory/4284-873-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-25-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-23-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-22-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-21-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-20-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-3239-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-18-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-485-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-3233-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-3232-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-432-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-3231-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-3228-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-490-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-1317-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-1580-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-2308-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4284-3148-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/4464-91-0x00000000008A0000-0x0000000000AE3000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/4464-90-0x00000000008A0000-0x0000000000AE3000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/4472-74-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/4472-72-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/4556-70-0x0000000000340000-0x0000000000378000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/5744-3241-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/5744-3242-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/5772-472-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download

                    • memory/5772-482-0x0000000000A60000-0x0000000000F27000-memory.dmp

                      Filesize

                      4.8MB

                      Download