amadey | 4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66

Analysis

max time kernel
141s
max time network
23s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.9MB
MD5

c30bb1cdd7c6d8b7147f161f327827b4
SHA1

22c0d90d552d4ae19ba3d46cd07b13253622eb6f
SHA256

4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66
SHA512

a46417a3ca5771fe0817e51222bf28114121ced6fd7000fd414ae8ae422f6d044a1c03852903eb9e2afebd3770e31396ae282dea8493bd3d25e8d7c86b67bb16
SSDEEP

49152:NpFiseBZXDBPta3ahbTYBB0LofNbHC8nHH3b+5ETRspoJMAn0X:NpsZ6KYB2MnnEEVTCh

Score

10^/10

amadey lumma stealc 9c9aa5 tale discovery evasion stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Extracted

Family

lumma

https://necklacedmny.store/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0852c5dc06.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0852c5dc06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0852c5dc06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	skotes.exe
2932	0852c5dc06.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	0852c5dc06.exe

Loads dropped DLL 4 IoCs

pid	Process
2296	file.exe
2296	file.exe
2268	skotes.exe
2268	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000186c8-114.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2296	file.exe
2268	skotes.exe
2932	0852c5dc06.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0852c5dc06.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1868	taskkill.exe
2008	taskkill.exe
1944	taskkill.exe
1296	taskkill.exe
2604	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2296	file.exe
2268	skotes.exe
2932	0852c5dc06.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2296	file.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2268	2296	file.exe	30
PID 2296 wrote to memory of 2268	2296	file.exe	30
PID 2296 wrote to memory of 2268	2296	file.exe	30
PID 2296 wrote to memory of 2268	2296	file.exe	30
PID 2268 wrote to memory of 2932	2268	skotes.exe	33
PID 2268 wrote to memory of 2932	2268	skotes.exe	33
PID 2268 wrote to memory of 2932	2268	skotes.exe	33
PID 2268 wrote to memory of 2932	2268	skotes.exe	33

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\1003363001\0852c5dc06.exe
    "C:\Users\Admin\AppData\Local\Temp\1003363001\0852c5dc06.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\1003364001\b6f8557d38.exe
    "C:\Users\Admin\AppData\Local\Temp\1003364001\b6f8557d38.exe"
    3⤵
    PID:1152
- - C:\Users\Admin\AppData\Local\Temp\1003365001\2924a5fc4e.exe
    "C:\Users\Admin\AppData\Local\Temp\1003365001\2924a5fc4e.exe"
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:2604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:1868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2812
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:2772
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.0.1158751541\1637080568" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c1acbe8-2788-4dbd-aa39-32f17b6a9749} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 1272 45d8558 gpu
        6⤵
        
        PID:2784
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.1.426320576\1790206049" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63acf976-f628-4afe-960d-91162ae54807} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 1488 e73f58 socket
        6⤵
        
        PID:2144
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.2.1277933072\2018616867" -childID 1 -isForBrowser -prefsHandle 2108 -prefMapHandle 2124 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {962072c8-23f3-4f84-9b86-c80ccd948481} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 2160 19fd8758 tab
        6⤵
        
        PID:3024
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.3.566005123\2044297765" -childID 2 -isForBrowser -prefsHandle 2888 -prefMapHandle 2884 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35d56437-04a8-4394-a001-bfa89b5fc8cf} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 2900 1beb1358 tab
        6⤵
        
        PID:468
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.4.808094606\950598032" -childID 3 -isForBrowser -prefsHandle 3884 -prefMapHandle 3880 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38fd33fc-c235-4f48-81ec-50d7151b497f} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 3896 1fefb658 tab
        6⤵
        
        PID:1088
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.5.997430150\1050407037" -childID 4 -isForBrowser -prefsHandle 3996 -prefMapHandle 4000 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73822016-a913-4c67-9fcf-eea87b0796f8} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 3888 1fefb958 tab
        6⤵
        
        PID:1860
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.6.316767402\1168745346" -childID 5 -isForBrowser -prefsHandle 4136 -prefMapHandle 4140 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc55931-38a5-4b17-a502-b22ee10c60e9} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 4124 1fefad58 tab
        6⤵
        
        PID:1612
- - C:\Users\Admin\AppData\Local\Temp\1003366001\87b425d2a6.exe
    "C:\Users\Admin\AppData\Local\Temp\1003366001\87b425d2a6.exe"
    3⤵
    PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
7a48b31e539bf0cdd35e6969eeb56163

SHA1
f2e533aac5f65230f5d4974d718687636f515c0c

SHA256
45a3946f466ecb107cc7f965ac9d9d2a4ae6e8c452a2ba474b74a84f4297a2c7

SHA512
76ddb20387973c788539afbae2030a25ac04af2d466ec755617192c7f30a15ac8c74dd5cebe356ed1419c1f1735644473c336317d0fb925bfc39a832c96e87c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003363001\0852c5dc06.exe

Filesize
2.8MB

MD5
762b9734658bcf0f69adbdb37358a997

SHA1
52ec80cc49b938adf5cad2b9340a4d96a0a465d4

SHA256
cb84c6f6529d74fb8285e19ebf945837f5590ab46527a16a97d7f3ad3ef79c41

SHA512
4159737d991441c960699cfabb419d1f135a39b3cee37683ba6197c4e6731d2d239abc43437ed3343c377f60a169b0ac4cf2608e5d469157171a71a6ee65945b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003364001\b6f8557d38.exe

Filesize
1.4MB

MD5
f2b29908dc468009629b1eb0c5b8e731

SHA1
cb85c29c042d04c2df741a6f195c8e25ba003e4b

SHA256
c401cd405cf445d4d969d11716bfd9fd147946bcdd0ab831bc223c75e06d9393

SHA512
d9fb0f8e1d8e77a39232ee6406e55525b7306b6a0a742fdb643258aaceeca19debb20a8cc9662e048681d1d30c152ad247982b2afa53e4c7db657883f966bc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003365001\2924a5fc4e.exe

Filesize
898KB

MD5
78825134cff791166f2f07a6fd634d2e

SHA1
2f1d652c1c068cdea42cd7bc51f88c411ddd7cd7

SHA256
e9b1fbd796431f4d67189e35457eb9f26aa80cccca57b218f757669bb8e24a75

SHA512
f7fa2549079c78a46bbdcdb16e752cb624a36f5c410361af6724c59bf3e56555bfcf392436ea93e5fae8e91af2cc366de8567217273849f406417bb42d42ebef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003366001\87b425d2a6.exe

Filesize
1.1MB

MD5
fd2274f7d5a8f81ee4864b7557eb31c9

SHA1
09e436570e77ea802ec2067750dbcd50e953c463

SHA256
d3280c9cf1e2a6eacb5906bd9a87c2f78284b2b52362e9352daac4f65c0d7cd9

SHA512
2a39e5eaf3453eea9bddeddabd17e70f6fac376251502ea111f1dd1a6396fb974fc89d5fb6454b9edd051047dfadaa640f3ec7d785ec895000bf1c7296e9941e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003366001\87b425d2a6.exe

Filesize
1.4MB

MD5
f2715f814820d582c150b13f2d88bab9

SHA1
5dcc139660515d70a0478a2277960544adb72326

SHA256
b9fadb6bcceffeb34e683cca2abce5cada91e229dae5556c788c24a3507c06b9

SHA512
d24337e05352324ca8ff800d4fe5151ab37e26e4a7397199b8606b6c153bef9bfeee9c44defaa371fbb17e01c35af79d4d2261e59fd42d3603cb0d174b4de54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab149C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14BE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.9MB

MD5
c30bb1cdd7c6d8b7147f161f327827b4

SHA1
22c0d90d552d4ae19ba3d46cd07b13253622eb6f

SHA256
4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66

SHA512
a46417a3ca5771fe0817e51222bf28114121ced6fd7000fd414ae8ae422f6d044a1c03852903eb9e2afebd3770e31396ae282dea8493bd3d25e8d7c86b67bb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
923KB

MD5
16dcc5a6cd797c5a04979f6b386a46e0

SHA1
daff8ba7aba7117c58d7602e0f2f70fb07ec5e56

SHA256
a54eb502693f64d5c9dcf6c09d1bea449fa96ea4611f08809f321e9c63e3d638

SHA512
a96f49c5e9429806919adbe1ed4d5b2bec1206dd29bcae93187fa8a4815688bd53347d4e78202705f7a3a55659330ac66a0d21b54b6ce4a06fec590e1dee6bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
cd10bc9f298be12d0d445816a9b98fe0

SHA1
6294d3bf29a62ebb23985603c0f9eed67e1a08a1

SHA256
b1c7a4637f0f0444c9e79512e753b1a013142caed0bfc533a1711cad803c427e

SHA512
fbe44347767690e0b39fbf6514c11889d26230d4045c00edd557e19f984736050748a1f3e74546e27f5f57378d71d7d3efb12b4a607d51d782c3206ddf09ef71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3b0be341af37fb01d97525d4f5da6d07

SHA1
0ae2bae8bb6810fe2fd24e9c17dc55cd9ab90a16

SHA256
1e1251d0cbe74cc04c23e92cf71d11d38cf33dfb7bd14c2de7d8d5513ad78827

SHA512
ec7a27f2ed596549f418952c039ccde0fb9b7c11c0a69f699365f8482be385519e187a844be492a697bee92b6a92827a583d12c205686a871979158cb0db7aa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\815d3cc4-c128-4ae1-b701-b47ca4f1477a

Filesize
11KB

MD5
c782f6037f2fbe29a8f753c14352f5fd

SHA1
d4ad9796036b1aa0ef9367d8e7486e1a8ac68fde

SHA256
9d4da2f888946e4c38a5932e3f3658b57ae541283b7e8fdda71711991bc74807

SHA512
e66d5469bdf9e9405187af945a033fb5465d6d823ffd931d271ff895eaf7878d3ba1c6db6ffd469e14047459155be923186610295694b41a4e356020aeab2b89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\be756aeb-613a-4191-99fb-1d1df66cce3d

Filesize
745B

MD5
49d33833d1ab7c9c2699609f09253eda

SHA1
b15b3e9acc01e2db7859e323e440d4a91d11103b

SHA256
0c335d19576362043b9dbba0b75255240cf348d153f7c1f3d42c1646e4a021bd

SHA512
47b86cafa16dcc7563ad8e73049add275b1aa06550f4ba35ead6f1924cc257ff94a52dadee507cc422617be3e1c75051190a84fe1b650990cc4485c477c63dc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
411KB

MD5
c4400a73b4df30959c3a31e20f4c0366

SHA1
c2f57cd5b7f5d82c4115b47275df6d98e32147af

SHA256
9d56bfd9e03da27a9a7155d4a7fdf2fb2f67a7b123a19f937eb9258332e2e5a6

SHA512
9ff31e46b29f7271de22225b1c1671b6b93dc00f1ba2255b3440c27ee32886d5ec819c5a7011fb861daffc15a56a0f3a582a1844bdf7022a00b34a71352976b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
923KB

MD5
80ceac980c64270382ef850d0fb6b2c9

SHA1
16eeb62611ee1b685af55bb7b556076d0bac88d7

SHA256
b7ed27b7f0cb87b93929b6a04e40dc7eb29fea21330256bca9fa4dc67509a171

SHA512
66ea06d8403967d07a2c97c0119e0f6109e4552e1aa1b7c48619eba97e52563bcbd0db0cb273c56cf6f7269838eb2db4a6f913744dddb3339bb5b4fcea257e2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

Filesize
7KB

MD5
aa5d3ee43efd5b7cb3bd9aaf845cb34f

SHA1
c9f4de7e4e40285188d388f39e961d412f56ec75

SHA256
973421fb6c316969ad40481e95ca0db6d2632375d3a7e19dd0e9799753c57753

SHA512
59aaa087fa7a4cabf26a6eb2e000be77a37b1ccc0c21b8190f87003f57cb9940c6066d22f64ee51f75a9d5e04395f95c987bc9238d1de77bf87467f3bac4a462

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
4202fab5bf26d96576f9580f3fb245ad

SHA1
cab61deafc6ec6727b18d2165663244b46d1c639

SHA256
8c6f416948b745f71c564fc28d2865468a1497aa9a01c7ebe0e22af197901ecb

SHA512
ae91ee08c1af491f115459ea11720e8a59dc7c3ec4854f2fdfff1a16dabd20963834ca4e92a36851efdc99003ea640434ae544354ff0285e8d4ba200f981fec7

Download Submit
\Users\Admin\AppData\Local\Temp\1003363001\0852c5dc06.exe

Filesize
2.4MB

MD5
a363c3d394a3463ce9f0af1d8636d1c5

SHA1
d73e23142ed7213618a066afa8aabfab70dd92d8

SHA256
4de49ea5263f881b2049c4d4e3fab86211b3c68fd0f3e319320ff3cf4c20e117

SHA512
0d9e6a7c024c63135525143afe328397381325dd23c344c131336a32fc559c65ae27b2454220646ed74e2bd574694fdb09db0e17ef77e789975952cdc83f333e

Download Submit
\Users\Admin\AppData\Local\Temp\1003364001\b6f8557d38.exe

Filesize
1.9MB

MD5
e97c61817855c4fdfce3e029dd30071d

SHA1
4180dddf4ba997410a11321be74e563dbc0c908b

SHA256
be09a9256c266f2cffb7e0ff6adde2d865ca51caa4c94d033a46c0560d9822e2

SHA512
89d1f815470323786237c64f766274bd448655ad854e35c30fb131e2f4d9e488651ee954b988db15f12c37991aa06d38de99434d18f32c1fc9b92299c9f4f91f

Download Submit
\Users\Admin\AppData\Local\Temp\1003364001\b6f8557d38.exe

Filesize
1.6MB

MD5
8fec2fbc81e12c9e893b0c09a9ebc10e

SHA1
131720337d12eed382558454b9c2c4d1c02a6dc8

SHA256
49d672d03b045972908a8d7909c28e324d7cd42e8907590bf1df5df97717ebde

SHA512
624eb52ddce23bb9e9ab06f97cf75770c13ab57559e720eaf227aac0427733b424495d3f831690f8e3f32968e0cb278b4ef08db0c8aedd6c70705d14520cb5a8

Download Submit
\Users\Admin\AppData\Local\Temp\1003366001\87b425d2a6.exe

Filesize
1.4MB

MD5
328178361a76374bc2035e860bd9eb02

SHA1
94c26121e44bb6264c3e0405fa820c43e0aae290

SHA256
d718409ea271d39e70745c802360dff3a417e2ebcb8082c4fbbdbb3f1739cf24

SHA512
77c121dd2fd97968dba353370310a5ac21b5065e714f59b4f4caadc37637566840d06810f6a55c09c0b04e36e677f6ee26d659471874895e4e79143348989a61

Download Submit
memory/1152-107-0x0000000000D20000-0x0000000001446000-memory.dmp

Filesize
7.1MB

Download
memory/1152-104-0x0000000000D20000-0x0000000001446000-memory.dmp

Filesize
7.1MB

Download
memory/1220-282-0x0000000001180000-0x0000000001422000-memory.dmp

Filesize
2.6MB

Download
memory/1220-284-0x0000000001180000-0x0000000001422000-memory.dmp

Filesize
2.6MB

Download
memory/1220-304-0x0000000001180000-0x0000000001422000-memory.dmp

Filesize
2.6MB

Download
memory/1220-283-0x0000000001180000-0x0000000001422000-memory.dmp

Filesize
2.6MB

Download
memory/2268-253-0x00000000069F0000-0x0000000007116000-memory.dmp

Filesize
7.1MB

Download
memory/2268-252-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-23-0x0000000001251000-0x000000000127F000-memory.dmp

Filesize
184KB

Download
memory/2268-407-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-406-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-405-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-404-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-310-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-103-0x00000000069F0000-0x0000000007116000-memory.dmp

Filesize
7.1MB

Download
memory/2268-267-0x00000000069F0000-0x0000000007116000-memory.dmp

Filesize
7.1MB

Download
memory/2268-403-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-105-0x00000000069F0000-0x0000000007116000-memory.dmp

Filesize
7.1MB

Download
memory/2268-27-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-281-0x00000000069F0000-0x0000000006C92000-memory.dmp

Filesize
2.6MB

Download
memory/2268-402-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-26-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-109-0x00000000063D0000-0x00000000066CC000-memory.dmp

Filesize
3.0MB

Download
memory/2268-297-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-298-0x00000000069F0000-0x0000000006C92000-memory.dmp

Filesize
2.6MB

Download
memory/2268-108-0x00000000063D0000-0x00000000066CC000-memory.dmp

Filesize
3.0MB

Download
memory/2268-391-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-24-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-21-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-390-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-388-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-28-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-29-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-50-0x0000000001250000-0x000000000172D000-memory.dmp

Filesize
4.9MB

Download
memory/2268-46-0x00000000063D0000-0x00000000066CC000-memory.dmp

Filesize
3.0MB

Download
memory/2268-48-0x00000000063D0000-0x00000000066CC000-memory.dmp

Filesize
3.0MB

Download
memory/2296-1-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/2296-2-0x0000000000B91000-0x0000000000BBF000-memory.dmp

Filesize
184KB

Download
memory/2296-3-0x0000000000B90000-0x000000000106D000-memory.dmp

Filesize
4.9MB

Download
memory/2296-22-0x0000000006DE0000-0x00000000072BD000-memory.dmp

Filesize
4.9MB

Download
memory/2296-5-0x0000000000B90000-0x000000000106D000-memory.dmp

Filesize
4.9MB

Download
memory/2296-10-0x0000000000B90000-0x000000000106D000-memory.dmp

Filesize
4.9MB

Download
memory/2296-19-0x0000000000B90000-0x000000000106D000-memory.dmp

Filesize
4.9MB

Download
memory/2296-0-0x0000000000B90000-0x000000000106D000-memory.dmp

Filesize
4.9MB

Download
memory/2296-20-0x0000000006DE0000-0x00000000072BD000-memory.dmp

Filesize
4.9MB

Download
memory/2932-47-0x0000000000A30000-0x0000000000D2C000-memory.dmp

Filesize
3.0MB

Download
memory/2932-86-0x0000000000A30000-0x0000000000D2C000-memory.dmp

Filesize
3.0MB

Download