Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.9MB

  • MD5

    80412b3957bd97e963d415a8618f04dd

  • SHA1

    824702ac5e71cc26540fd822fcb293c480967be5

  • SHA256

    d470c37e2ec5e94610b152fcba101178d488a280200233dca2704f04377cd62c

  • SHA512

    f8e7c5f3bfa8bdc66e448824458da97d32341f6c25118906968acc9bc1de35ec3daa520d76d25abe23be520ecb4d466820781da2c3ee686ed156a1e5332a5c64

  • SSDEEP

    49152:TO7lj/QAvv6Vt2IeSLB8FFOTTAOto+ROyyMYWSeKi5ugTOFK9dW1:TO79oaxeLBeLT+RTyMYWSziIFCdW

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://necklacedmny.store/api

https://founpiuer.store/api

https://navygenerayk.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\1003447001\c0f1deff62.exe
        "C:\Users\Admin\AppData\Local\Temp\1003447001\c0f1deff62.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1924
      • C:\Users\Admin\AppData\Local\Temp\1003448001\0903791879.exe
        "C:\Users\Admin\AppData\Local\Temp\1003448001\0903791879.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:404
      • C:\Users\Admin\AppData\Local\Temp\1003449001\782d1c2de8.exe
        "C:\Users\Admin\AppData\Local\Temp\1003449001\782d1c2de8.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1120
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1772
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3080
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3680
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5020
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1080
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {937d0b4b-3566-4398-a6a0-cf66c1a56e8d} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" gpu
              6⤵
                PID:3588
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82879561-219a-49d4-911b-cc3c388cd288} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" socket
                6⤵
                  PID:2504
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3320 -childID 1 -isForBrowser -prefsHandle 3312 -prefMapHandle 3308 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae394582-421b-4abe-9ca6-12611ac0821a} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" tab
                  6⤵
                    PID:4416
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3056 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b390f329-2f94-4581-87d9-ddfd4c7ab882} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" tab
                    6⤵
                      PID:4980
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4680 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8195eefd-bbd3-4aec-a7f0-232dfa87b05e} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5504
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 3 -isForBrowser -prefsHandle 5440 -prefMapHandle 4632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0399e5-508b-42eb-97c0-35b2f73196eb} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" tab
                      6⤵
                        PID:4792
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6841845-b735-4b40-9f78-a3c36a8ab717} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" tab
                        6⤵
                          PID:3440
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5924 -prefMapHandle 5920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e38ab1de-cbc0-457d-88b3-c18a18f0569b} 1080 "\\.\pipe\gecko-crash-server-pipe.1080" tab
                          6⤵
                            PID:1280
                    • C:\Users\Admin\AppData\Local\Temp\1003450001\486ae9c05e.exe
                      "C:\Users\Admin\AppData\Local\Temp\1003450001\486ae9c05e.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4984
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3168
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5252
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4380

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json
                  Filesize

                  22KB

                  MD5

                  a9a34c585e1fcea963cbbff326dc4313

                  SHA1

                  bade99880be3c87b6a35b0850970a3a8d097eb65

                  SHA256

                  110da6768f23762f798800bdee0111b33dc5afd5de215e340cb6fbc3fa68d809

                  SHA512

                  49c0fca056b5abcff83ec0dc39e91b829e7070a5ca845088dc2603c0a0dab9624dc27a80c681ae98f4cbc2cdebbfb7d679fb7864cccd46948d6e67a6912b09e3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                  Filesize

                  13KB

                  MD5

                  9c28e544b10275f0be0e7f7b423cb62b

                  SHA1

                  31950c6c45e9f472111a249faa7ee3706153be11

                  SHA256

                  302776966e1c052fb0a5424c9ad952cfe7b7d046f1b3adec0c997da478a493bf

                  SHA512

                  e56726bc6ec1cb1a8ea18738d879e4454ee0137470508ff7650830804e8e6a6136621bd51897bb4be3579eaf95fdca221b786493482962cf186c0d1f066152c2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003447001\c0f1deff62.exe
                  Filesize

                  2.8MB

                  MD5

                  17858fc3613b8b59a50df4b767d1c025

                  SHA1

                  5024595b41462047be1ad673445eb3a65885ac18

                  SHA256

                  43d6fdf01afdc2058403481f4b9a9008c9d5b7da4e3995deaa2a06031b983da7

                  SHA512

                  d094df2e659cb635bb2bae3c9965b496a5adfe8b058f7effd9289c81021dc6e697271de20da9bdb48c1e8055f6d96dc2b10c9883a7740444bbf3a4814e90a090

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003448001\0903791879.exe
                  Filesize

                  2.0MB

                  MD5

                  aed37464a2128c89076188d9f416401a

                  SHA1

                  1b954f16ca55bbf51b2f45c6fb71d349de6842f1

                  SHA256

                  962d675cfea4802ded2e4a1f4b70044ff15988cb73e740037298d4b2b1891631

                  SHA512

                  78bdc21975e2d0c64e0b8af8e6f18d45ce1da4c9fb1567ba5304d426ff30ee71f2b0b772d16c8415e4260c8af2fb7b92d82ab89fcc67b3d0428fdc0b1ef21b5c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003449001\782d1c2de8.exe
                  Filesize

                  898KB

                  MD5

                  89e2147494ce55f00e64e46a419cbd1a

                  SHA1

                  c4fdbb426556d6129bd67238a2864c9c626511b5

                  SHA256

                  eaa21e18e2215318c605ecfb7cb717742b45875430da33c2d687442a0479583a

                  SHA512

                  cf4ed97fbef0b8e94919000ce67405c9f09b8df79e4fd2c515ea7daa071de928a79e759ef6d55c9b749809c13cdae7f0001ad561c257c0b2874c53726737fe3e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003450001\486ae9c05e.exe
                  Filesize

                  2.6MB

                  MD5

                  6673fa24dab970e82578fa5ee4d78f92

                  SHA1

                  4cf4945fcd085bd247a45932e29dbab3dad11191

                  SHA256

                  d84a723ecb954e94eb3bf05723580622be164b092183f5b735b2506e4a27d629

                  SHA512

                  3a21460b88a889bf1365bbf571adbac867d6ac723a29ba91c51435d0b1a1cf046a39f011c4db4af14fe2027711e64ff0c8162ccb9fcbeb053a880250129e747c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.9MB

                  MD5

                  80412b3957bd97e963d415a8618f04dd

                  SHA1

                  824702ac5e71cc26540fd822fcb293c480967be5

                  SHA256

                  d470c37e2ec5e94610b152fcba101178d488a280200233dca2704f04377cd62c

                  SHA512

                  f8e7c5f3bfa8bdc66e448824458da97d32341f6c25118906968acc9bc1de35ec3daa520d76d25abe23be520ecb4d466820781da2c3ee686ed156a1e5332a5c64

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin
                  Filesize

                  7KB

                  MD5

                  1a9bd871896db76d2da22dea6c541023

                  SHA1

                  8292977499a27bf327876af9bbb10e677a74f163

                  SHA256

                  1a73f9558b5e0d8113e4f1fdc0596b79663fdb328745177f0fc1c5b8b3222067

                  SHA512

                  512cb3651032b75a977996ebc4e2e6082b35b4ebbc7ef1eb8c551568b20baf72d08625ac3ecde6e6b977cf752ce512cf318ad9c1bdb9bc2d8324ac46dc42ae5a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  6f12586e437d9f21f6356ccc7c9aa4de

                  SHA1

                  ab05a9dd448d02ac05983d283bf1ce148076d747

                  SHA256

                  cdf4e8d96162c47d5ccf48308291f224de17f33469cff51f024436004edda8d2

                  SHA512

                  7b33d8729bd5c00b67ea7d577be42c8949d10dadf9982ef2cb8dfe544f53ab67509e222cd83fdaaceede04ec7027f6a39203dbddc8b3d4123533da8f67655655

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  571be8408b863a15e6458500afd0f084

                  SHA1

                  5ecd8e99a26780b33c50c8e3d5bb80d7a6d8f20e

                  SHA256

                  2baed2576fb51c145ea9bf9025dbc4f7680c4bc1bcc3e0967135fee0d745cd93

                  SHA512

                  325bf2c6de78523d5a7fed75cb9163ba9bd7e9ad047ed38ad711714c73e273e83ced057c0d34d21dd57b6eb428db361b344cdeb5bff7841744c534450031a174

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  1a6411e89cef2d4f0cdb8c555a738774

                  SHA1

                  22753fec04f5826563fd3593fcc05c9efddcad6f

                  SHA256

                  9fe6c6ce03d2eb86216712c0329c5dc4d3e6b103e22b7218a913bd56fe9609d4

                  SHA512

                  700fa94db30e077eb74b60cbbd5f06d52c75249ee178a06d0288c773a6e816a4a4b6d99198413f9fcf9d15f6ae82f44c20617616511849ec5eb098248925132b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  618c324cd7005bc677ec08e89b14768e

                  SHA1

                  1a13af25efd0eb3979c92c3ae097546700005ba9

                  SHA256

                  bf817234bf756914abb393a90eba5cfac111a86ca3f7d633bf83b81130b23950

                  SHA512

                  4fa860141ffd69dfaeb5bbb817182a4ab8b44132f7c11d5cbe92fdd85243bf6b927ac87874829616766dea22969fcffb9252596d024e958114940ba81c1a9467

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\3947eada-2ffd-437a-9cc3-2f9000cc62ef
                  Filesize

                  671B

                  MD5

                  30b12e910d6857ab32f25d78f39ece04

                  SHA1

                  1df24bd0e27a6ddcd8bdac9e9171d480bdd7158d

                  SHA256

                  4361ce512d9cc35314d694cc099506198764228e556a3fce2751592fd2af0b54

                  SHA512

                  2faf9781e5eef5a12ac30d70f7916b1d33875c6862e27b908c57b97fba2771d83881468f3491fdca6541459925cdccfb0731fc5a910bb42d52f24085353a6a27

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\64234e2f-8049-45ab-9b38-4e45539c9520
                  Filesize

                  982B

                  MD5

                  494e6ce154f49bc9d7ae16ec1b19985c

                  SHA1

                  0c3c102e846bfa5cc672fd48cdce4dd9f9aa972f

                  SHA256

                  790689bfd977e182c179d8d19b328a7ae6e56be02a45ec7beb9474bd0669bc21

                  SHA512

                  bd2cb3384b68cd3a6eab6cf5d6cfbe616b6242780ec1ac9d7053c28ae3160f9705e280ed98ef493ea83659aff560470147456dd8b17f50e22b08e2b9dd0453ae

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\9c1c3117-e125-4801-9f95-b61238308392
                  Filesize

                  28KB

                  MD5

                  8eadd619bcf23483671d21a0cdb7892d

                  SHA1

                  7fc17f8b8b4c27f376f509123b07c446978ccb3e

                  SHA256

                  0da797cc8e0749e54085ad0939c109ef90f85389cc1ea7dbdb2463f43ae81990

                  SHA512

                  06a72d9a613e3cf7d8294fa0174d8f7277d6985ffd32759b057ab4279df0e0aa31473d76c8ec6562ea6f77c283bf9cea1e23e37ea0b31ebdfd7b52547e7d702d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js
                  Filesize

                  10KB

                  MD5

                  2a06e6462f88af8365387616e5cda21b

                  SHA1

                  789d2e583dc6a62b60d367eb047668f987a4c0d7

                  SHA256

                  db8c8a2b01a54fc6652d12a433642f579579739eb73f7a4c89bb75588ab085ee

                  SHA512

                  207074cc33fafadec734883e6a017fb3e2dc3e1fe94cab7db529fa9da68e38c39f09659714044ee69aee861a77ad6d9a0dd43a8027173b54f9f4e27eb4a62021

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  282a9926d67a4ed9611e245d1903949e

                  SHA1

                  856269d2ee75d1917b11fe6d2e1f0eea8e3a1404

                  SHA256

                  b505ce2dd3d928dc3c72b2f7e1a816348b2802a065abab318922aa7a4e32ed1b

                  SHA512

                  556ec9b8d063725d6b753430bee2bdc5333ca461a0702c332e90ab12ff7456dbe55d78f4494f77fc1f93cf25e8b3edbfa665b2a6bb8ae45b97e4a46c989f9131

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  2c1df5602082b354a33a22c8d52b8fe6

                  SHA1

                  05f3109bba97616bb771f8101b7a094b4dc04e68

                  SHA256

                  ce0e61ea701928901447b5b7d1711e7afc3db36c211c6c1fe643208461e2c2ed

                  SHA512

                  c7c7d481a8ab3de92c9d73d1a3a8b443794c4430dd8892d18483615524f8a51f5b32db741a3770c932ea7c094b04d4269757abcdbf2d6cf1fcd6bb02931381a4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  8815d771ffc7e3a041866e43246e61d9

                  SHA1

                  0c78152ffcd06b818ab7398aa60a5e7e792e32e2

                  SHA256

                  f1a81ca00735822eb63f9d1324cca9475069a9b982b84298ae46b9589d5fdcf5

                  SHA512

                  4e825aa6bfe47bb8b654a5723f451bfe184776701bb62af1676ad2f2348f74c637da8e0b9066df7102b3b603a8cbcb78d9850f0c4fae4ae18673f26dbae9c985

                  Download Submit

                • memory/404-60-0x0000000000050000-0x0000000000776000-memory.dmp

                  Filesize

                  7.1MB

                  Download

                • memory/404-62-0x0000000000050000-0x0000000000776000-memory.dmp

                  Filesize

                  7.1MB

                  Download

                • memory/1120-3-0x0000000000B00000-0x0000000000FE9000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/1120-5-0x0000000000B00000-0x0000000000FE9000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/1120-1-0x0000000077544000-0x0000000077546000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1120-0-0x0000000000B00000-0x0000000000FE9000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/1120-2-0x0000000000B01000-0x0000000000B2F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1120-15-0x0000000000B00000-0x0000000000FE9000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/1924-41-0x0000000004A40000-0x0000000004A41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1924-40-0x0000000004A50000-0x0000000004A51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1924-42-0x0000000000BA1000-0x0000000000BC9000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1924-43-0x0000000000BA0000-0x0000000000EAD000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/1924-37-0x0000000000BA0000-0x0000000000EAD000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2004-18-0x0000000000EB1000-0x0000000000EDF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/2004-20-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3708-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3712-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-473-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3711-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3710-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3713-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-17-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-36-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3709-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-540-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-19-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-44-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3704-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-39-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-386-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-21-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-1736-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3486-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/2004-3698-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/3168-393-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/3168-444-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4380-3715-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4984-356-0x0000000000A80000-0x0000000000D26000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/4984-476-0x0000000000A80000-0x0000000000D26000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/4984-465-0x0000000000A80000-0x0000000000D26000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/4984-346-0x0000000000A80000-0x0000000000D26000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/4984-106-0x0000000000A80000-0x0000000000D26000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/5252-3706-0x0000000000EB0000-0x0000000001399000-memory.dmp

                  Filesize

                  4.9MB

                  Download