Overview

overview

10

Static

static

3

4ab71f5d38...66.exe

windows7-x64

10

4ab71f5d38...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66.exe

  • Size

    1.9MB

  • MD5

    c30bb1cdd7c6d8b7147f161f327827b4

  • SHA1

    22c0d90d552d4ae19ba3d46cd07b13253622eb6f

  • SHA256

    4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66

  • SHA512

    a46417a3ca5771fe0817e51222bf28114121ced6fd7000fd414ae8ae422f6d044a1c03852903eb9e2afebd3770e31396ae282dea8493bd3d25e8d7c86b67bb16

  • SSDEEP

    49152:NpFiseBZXDBPta3ahbTYBB0LofNbHC8nHH3b+5ETRspoJMAn0X:NpsZ6KYB2MnnEEVTCh

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://necklacedmny.store/api

https://founpiuer.store/api

https://navygenerayk.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66.exe
    "C:\Users\Admin\AppData\Local\Temp\4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Users\Admin\AppData\Local\Temp\1003536001\9afffe49b4.exe
        "C:\Users\Admin\AppData\Local\Temp\1003536001\9afffe49b4.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4496
      • C:\Users\Admin\AppData\Local\Temp\1003537001\829938cd11.exe
        "C:\Users\Admin\AppData\Local\Temp\1003537001\829938cd11.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3756
      • C:\Users\Admin\AppData\Local\Temp\1003538001\7e12f2c9c4.exe
        "C:\Users\Admin\AppData\Local\Temp\1003538001\7e12f2c9c4.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3680
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3668
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2484
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3676
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:824
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5048
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cf44fcd-1b08-417a-8e37-4e47e0f31fe1} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" gpu
              6⤵
                PID:2696
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {419cbbcd-913d-454c-a841-ef0bc3aafb95} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" socket
                6⤵
                  PID:4588
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2872 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4625ab8-c58e-4f11-9f23-f26f07a0d3a3} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
                  6⤵
                    PID:1600
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 3732 -prefMapHandle 3704 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16140052-cecf-4f5a-bacc-f6f26cc86fc7} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
                    6⤵
                      PID:1804
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4704 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c398a42-2297-49a9-a29b-32d7afa70fce} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5328
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 3736 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40e96284-a68f-4b38-b7e6-7bd2af1eadcd} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
                      6⤵
                        PID:5896
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {507bb665-e029-4a4c-91a4-0eab7eb3f329} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
                        6⤵
                          PID:5908
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a42945c-f285-4815-b259-041b21e54e48} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
                          6⤵
                            PID:5920
                    • C:\Users\Admin\AppData\Local\Temp\1003539001\8c41facc8e.exe
                      "C:\Users\Admin\AppData\Local\Temp\1003539001\8c41facc8e.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5376
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3108
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3664

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json
                  Filesize

                  24KB

                  MD5

                  d904b52d0573afbb19b2db68766be219

                  SHA1

                  0994fbd7346e544582fd36212dd007a2c43eb751

                  SHA256

                  7a033a2f0e8b1175b4168d74695d6497d31d29ca5297aed41059677d3eee9a93

                  SHA512

                  25f82e9b8a35a849b6f9ac62cc7c9f5c3c304c4fc9bc3f918a23cfc7c7333a4252cfdadc131a4456c7e2dba643bca2866b7fad5ee3e46f0464a7f417d967ebd1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                  Filesize

                  13KB

                  MD5

                  bd4af48db7e01eb72c7f79fa90635a12

                  SHA1

                  74482d6ae4d4570b2f4abecaedf8a002e17fd616

                  SHA256

                  034c92fcd6c61560c634e91a9fd550c9223bf0dd1b36b15c798223bc9fd1f2e3

                  SHA512

                  d09f316add63984c10c86f6951da78daec2669ba1566bb74e7111b94bfa77b594b6ab9a7ef74fd8caa57bfef1e3533375711f788f6240f708c9949efbd66b22a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003536001\9afffe49b4.exe
                  Filesize

                  2.8MB

                  MD5

                  1799d7fb036a3f308a44f25f5e16551e

                  SHA1

                  c330aac3499f5835977476d71e348b396d05427f

                  SHA256

                  e520d68864b5bd7f6e54afa9a7f346e850f57c06d11f0780d7d4277e3a5c3bb2

                  SHA512

                  495869f18cc308c94c639a33f5eb1551c00c883caf701f02d318acce0d198124fba38414917c5332523f7a0b1643801ea5a6571f2457344a9aaa88083395ad5d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003537001\829938cd11.exe
                  Filesize

                  2.1MB

                  MD5

                  5f115b983b60317b4d9e936cf5bdbe24

                  SHA1

                  d9e525f2e7fe5c89b2e05b66cc250515b689d5cc

                  SHA256

                  ed5aaeace50d0a131b997c7fea354f6f07db12e3df82caa9da5db4d2380cea18

                  SHA512

                  eedb7bdbc5126c1b67de3765c620eceee3ad300da4f5804ab636a241d08dba46d436143985dd9e0d757c39401f8547b3f5e8b5da5248bed08d5ff48754c4ad48

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003538001\7e12f2c9c4.exe
                  Filesize

                  898KB

                  MD5

                  5265dcde5ea6a27a3475c937b5398279

                  SHA1

                  b21450b5d007f5ad99ce2d4778bb03927cbc17c4

                  SHA256

                  56cd7a444e3f0c16d2b245d5e23f475bc69645bba2aa3d6c9bd22d34dddeb540

                  SHA512

                  eb6aaae24da6df7e04d11bbe876fcbfa20e5f8d82b5ff7d68396e2b0537a7950c88337cdccbf3e6c76d71ffbd58388df3fc52fe737c7960eecb9f0b09d54967b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003539001\8c41facc8e.exe
                  Filesize

                  2.6MB

                  MD5

                  9be7a7b4dc262499f590d16b148c33b5

                  SHA1

                  6fc7de2cb2a04a9ecd25284c756d330b36277c59

                  SHA256

                  a978da26e3782765bee3d190ce3462b793d3efd4530534137eb5611abe39043f

                  SHA512

                  fffd2a97b3752a724dac5e0fad09966e371b6d37ac212191286963f6ac62ffe95ad6755dbbd1a7082a27d2d78df794fcd90b520a4952088db83b7a1d4cb9a998

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.9MB

                  MD5

                  c30bb1cdd7c6d8b7147f161f327827b4

                  SHA1

                  22c0d90d552d4ae19ba3d46cd07b13253622eb6f

                  SHA256

                  4ab71f5d38f2223abb935f9993aab0e5a7a2ca49ba8e8ed89701ffbbf4dd3d66

                  SHA512

                  a46417a3ca5771fe0817e51222bf28114121ced6fd7000fd414ae8ae422f6d044a1c03852903eb9e2afebd3770e31396ae282dea8493bd3d25e8d7c86b67bb16

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
                  Filesize

                  18KB

                  MD5

                  c65bdd7ace3869048e83c250a2c13087

                  SHA1

                  b3ab147615016c4e61220583bf93edeb84831091

                  SHA256

                  04d08dc7ed9d6e6d736ab4df7a78344e4e1a140cf8427a223b83b1cb8e76e32a

                  SHA512

                  c366cab06f0202de0ceff5f9af99f9e8282ed20f213cdde2bee61e570a6209a5c203dbc70bfa0286bf8b4765ee957517829c6e086cb4fdc3df4468792c67d49f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
                  Filesize

                  11KB

                  MD5

                  711173dd264632f3adc2d76a5ad91e51

                  SHA1

                  7565705aab013f02b520e4376646b82300da9caf

                  SHA256

                  2a2808415496fbc194f0e614d862d4138c542a9b4360b4fc6c15e5494c00b17b

                  SHA512

                  783a75b643223b7ccefe83d11bc957dac01ee7c60a4f1f737f6e586b8e324536eb3d9cec93b8622322e8a85c6653b59f056f68ae9f80a002f3df2b2323c149f6

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  22KB

                  MD5

                  07b34dc81b24891d852f42588e708603

                  SHA1

                  936d4d3cdf5d832fdf68ba2227ac8f16458025c0

                  SHA256

                  7c2f8784e4fca028d9c451a2c33e8b8dcedac57a15cad3f8612816474470b58d

                  SHA512

                  87a11d05a71f1ea1a1bac779581e4489d0c93efc571604625795cbeb21ddafb05b841106776ea999abfc1de0637b0ada6060155ed91641607cf3c34c5de94ac7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  25KB

                  MD5

                  02e07948fed2bdc2d2d4d192332c59ee

                  SHA1

                  ddcd6d719094ad04350cc33fd88104dcb88782b0

                  SHA256

                  b478e0d289c92ca6621722c9fd0bdc3de01db31378b6cd0005ef96adf045f74b

                  SHA512

                  f6b89afaf5c722ef89b30a8c6a1a3b0dc1355a6a5e8e70763e6196ff8d0a72cb2f74c4154d47ca570bf89427fdfe43f82e36a7eef51bc2c38817654d7bd6d4ce

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  25KB

                  MD5

                  dc31a5c70ef7e3b4809da87f976649f0

                  SHA1

                  783c8b4723f0c07f8a16fc8e3553e911df2fde12

                  SHA256

                  b5472276c26645188605ede481785b93e9f03b75097fe0cc7d3c9983d5ece9c1

                  SHA512

                  c4608970b80166ac2a569d8a858da7ea243d5a07ef734580ad3e0728e106d3d83a1fd64355231bf52a2c61e4b294c745726003db9d2659145431b1a131d3bc39

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  23KB

                  MD5

                  9e7569562972f6dd2a0a3ecbaacd5912

                  SHA1

                  6e9ec6e3318ed482df933c33ded4020a8ed6e654

                  SHA256

                  42dc89718102cd005a88f82914ac13dbeec25b9bf773a16d91861ff4df032449

                  SHA512

                  3476aac1cb40eb13db63531a55d971456fea258db261e3f0294bf75c6f4d241de4b1c378aada1d69f329a20cbad91e744f211b8a07e056ee0923b62318408cb3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  23KB

                  MD5

                  4e21881e0cda0d9fca648173ca51e318

                  SHA1

                  89df5faac42499cf767840d95369f46cd42d5eaf

                  SHA256

                  8c1656fa5f31510f3298993b22b7b0527a83f25b45ff773ea8f33fdb1a037a2e

                  SHA512

                  2ba0ce86b853315d8a443d47beb3df40b3eb8ab7def3f1081d46062308181053d34e76710f3696f36032114c8a079e31bb0208ae7b23dd2a7e3e242b79656eb3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\06a2f665-9e66-48f3-98d4-94819c58d7a0
                  Filesize

                  982B

                  MD5

                  309fb9f4e8a12c4b100c2ef9fb645556

                  SHA1

                  355eca24dc1d123046883a7018e9f8ac03613335

                  SHA256

                  1f1b085c6429890cd84d4341055d140de2ae31354e6b5eec8c0a31831f77e27b

                  SHA512

                  65e81767e056632e2896e9a6f908ef14b2db1ce476128d5b518955921383a3800ac3069aea6a2e1d072eae8add8199cbab7fe7ed57869d3b19f5a9b4139bc592

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\ae8de539-123a-4702-a351-d0fad4fc9115
                  Filesize

                  659B

                  MD5

                  9b9eb66ea163196b8cce8b6090759c87

                  SHA1

                  2de13dc9f3e64e43656d8f5102a73b29abb9436f

                  SHA256

                  3ae25e5458b1cb891e44cb0a0364656eca39f43d5ea44f0cbf6ce734b154f1d9

                  SHA512

                  39f8968e23e58ec86f52755c50c8fe73bcfd4949390c4744d7ec991742a627746f920b446174781577d42d6da6d261036766095d5655f6b56067d87d3d3d3a41

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  e87f49ca17b0ab739a14d3fbf903c0e8

                  SHA1

                  cfa1fb17bbb57258ca10c3d168c5393bf3a4e7fe

                  SHA256

                  4b7869582a2081c6bea00b18bfd9230bb813b2f26bd8fc79a888afc667e8d884

                  SHA512

                  073ce9730cca25e9c110bf8e0f8480829a290e5ed15ae36cc71e0641158942208d5dd3e6231d767ebce3e294e5df7989f25cec6ab47fe695b43521e7dac80996

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  120d1fe81e29ae1aef27e5cae59eadba

                  SHA1

                  3b1cd617f8417c236c3fe9cf78634eb0092250ee

                  SHA256

                  785e699d039a0a7c325695b7f6c8ef60483c730b337d350fbc46496064ce6cc3

                  SHA512

                  975847527f42c09deca3ff49e5986b6545ef813917345b5087a5067063188529776de2bea7ef6ede1f4d1d5643a9715a24f7fdc6f46298504ce886cd94bad868

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  7c45274e0a90dc040f5ac578d500840d

                  SHA1

                  349b20a7ed782ec91130f897c30299c27565225e

                  SHA256

                  e56574abeaf8aa9c03beadc8e305707f5d67daf0b5f2ab20c95bd2181bc67d58

                  SHA512

                  e790065b4634d0f19083efaaaf79d2ba6631c8762ebe191c0200860505f571acc6fda932b5077a8b85a89cd63c5ddc4ccd4ffc13c9236c10dd6d5485b392ce56

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  d1199420ccc53376c542fa5c77965b89

                  SHA1

                  0fe32c2654205ea0fb33436f6a93c199db60b0e0

                  SHA256

                  0f065996b27fb37ff48b1813dc4878d0e17cf12245aa98e0b6331d99bf033443

                  SHA512

                  ffc6bf7f03c123c2ef4000bf8a488cb1fc85040562defb07d2f0e34a74c38c9e9a5c01ef9327c4ea6c25a0709087e2f1c141477b8e7155a70064585e107faa05

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  1.0MB

                  MD5

                  713a080ca93d03749b4cf5c924240dd7

                  SHA1

                  b551e30857985d427e3492234604dd970f27a651

                  SHA256

                  498974b6ca0b0fde43bce3703adc4faf8b568d46cc5e35f03cf548bb8c0fa9d6

                  SHA512

                  d953650e6ab8cf8f47f255c76302235bf16b99207fa6beebeaabcaf47a5c6e16892ff0a94f2b4a90df1c1340795b99eb08b8fafb3b729d489f1067f5fbeb93a5

                  Download Submit

                • memory/468-4-0x0000000000070000-0x000000000054D000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/468-3-0x0000000000070000-0x000000000054D000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/468-17-0x0000000000070000-0x000000000054D000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/468-2-0x0000000000071000-0x000000000009F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/468-0-0x0000000000070000-0x000000000054D000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/468-1-0x0000000077904000-0x0000000077906000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3108-409-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/3108-418-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/3664-3118-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/3756-59-0x0000000000B40000-0x0000000001286000-memory.dmp

                  Filesize

                  7.3MB

                  Download

                • memory/3756-57-0x0000000000B40000-0x0000000001286000-memory.dmp

                  Filesize

                  7.3MB

                  Download

                • memory/4496-36-0x0000000000F30000-0x000000000122E000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4496-38-0x0000000005710000-0x0000000005711000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4496-39-0x0000000005700000-0x0000000005701000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4496-40-0x0000000000F31000-0x0000000000F59000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/4496-42-0x0000000000F30000-0x000000000122E000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4612-60-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-19-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-455-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-41-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3126-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3125-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-437-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-37-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3124-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-20-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-722-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3123-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-2301-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3108-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3109-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3122-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-3119-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/4612-18-0x0000000000010000-0x00000000004ED000-memory.dmp

                  Filesize

                  4.9MB

                  Download

                • memory/5376-430-0x0000000000660000-0x0000000000912000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5376-429-0x0000000000660000-0x0000000000912000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5376-431-0x0000000000660000-0x0000000000912000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5376-451-0x0000000000660000-0x0000000000912000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5376-454-0x0000000000660000-0x0000000000912000-memory.dmp

                  Filesize

                  2.7MB

                  Download