Overview

overview

10

Static

static

3

162febbe29...c5.exe

windows7-x64

10

162febbe29...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5.exe

  • Size

    1.8MB

  • MD5

    9a21c9f1ea95adb56b592de8d905d554

  • SHA1

    81ebfff6a11b00ff5355025b2adddcbd0ab2e23e

  • SHA256

    162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5

  • SHA512

    e93bc208dfe4a9a42fe2f5f2f1daf1e933b342b30d19d7a4a1de90eb21dd3a07c2ad9fa931cee0aedb1ebfbba8846ec89ca75ac215c930be1912c74fcf394ca0

  • SSDEEP

    49152:DovShhuVCw0IMBKL+OPgBWpYTzUnrVtwwQGTrn:hLEMBK5PgspOzQVt

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://necklacedmny.store/api

https://founpiuer.store/api

https://navygenerayk.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5.exe
    "C:\Users\Admin\AppData\Local\Temp\162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Users\Admin\AppData\Local\Temp\1003532001\127a7a5385.exe
        "C:\Users\Admin\AppData\Local\Temp\1003532001\127a7a5385.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:808
      • C:\Users\Admin\AppData\Local\Temp\1003533001\ba451c5fca.exe
        "C:\Users\Admin\AppData\Local\Temp\1003533001\ba451c5fca.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1084
      • C:\Users\Admin\AppData\Local\Temp\1003534001\8741d96893.exe
        "C:\Users\Admin\AppData\Local\Temp\1003534001\8741d96893.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3928
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4812
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1644
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1880
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4724
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {271950ae-4bc6-4e24-a337-78d58c86ba2e} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" gpu
              6⤵
                PID:3576
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d950b9d-f593-4dc8-935d-8f03179a4344} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" socket
                6⤵
                  PID:1368
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1204 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac8ea302-011d-4402-bd0c-c07d2a9eaa45} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" tab
                  6⤵
                    PID:5116
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -childID 2 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1204 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66c45e43-51ff-4313-99a3-bf4c8be8d0c6} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" tab
                    6⤵
                      PID:3104
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4044 -prefMapHandle 4768 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ff16b7e-dbe8-4a61-863f-29609ab5588e} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5316
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1204 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f3db184-a448-4861-a892-c57d33209494} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" tab
                      6⤵
                        PID:4360
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5552 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1204 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f45633fa-3d24-434a-8d3f-2abcc494a597} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" tab
                        6⤵
                          PID:5140
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5776 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1204 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9df77840-7adc-40e1-a345-90e22c8831d5} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" tab
                          6⤵
                            PID:5156
                    • C:\Users\Admin\AppData\Local\Temp\1003535001\ee5e041490.exe
                      "C:\Users\Admin\AppData\Local\Temp\1003535001\ee5e041490.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5040
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5796
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1648

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
                  Filesize

                  24KB

                  MD5

                  b30b2ce7060f56f94739a9e55fdc3b01

                  SHA1

                  41d575ddbed35674586efebfa6f58c6d0430f7a0

                  SHA256

                  c142090d14964ef214708a89c4990853ee778708863e814254f5159f68d09662

                  SHA512

                  90b0628baa77d8303782b3a3a286a21ee6b77b64056644754fd1f4fa9f57614ee5620abd1463ac70599999054aba37e1381879e61b33449bf6826cbc33b34aa4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                  Filesize

                  13KB

                  MD5

                  3cd29b438fb964c4507fbd9588cc8884

                  SHA1

                  e687d43c0ebfec69e4f9f0259eda2be1ef507431

                  SHA256

                  c6d22a6940846b849bfdbb43014444fe67d31ba079a0d19cf766b7a761a1d32e

                  SHA512

                  21ddf89c0e0ae25c29559bfc8a9b5098afe959c0e9e8090827ddb2080c00652deeb02f4078c1b6dc31c231a70309b024844fb700c9bceec6a5a0398861b967f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003532001\127a7a5385.exe
                  Filesize

                  2.8MB

                  MD5

                  3d93c36ffba858ab1d6020582563dab7

                  SHA1

                  9ef30921fe36d019fa4657a444149811dd76f97e

                  SHA256

                  cefd576dcbbc7e62d904eb196669bc901f91dd5c6aeb69ee1b20ff8c7311e19c

                  SHA512

                  0ca648022d94999bac786754f7728f59b05e0146bfd56835f802ea4aa5acddea254dbaf4aacef7007ed67ff17e573c13041a034e9d6e755a6339354c1332acb0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003533001\ba451c5fca.exe
                  Filesize

                  2.0MB

                  MD5

                  a72cb77fb0c900c2c6044eed9c29d077

                  SHA1

                  78801b5b69ae255cd3b8b1025e4c0a6744e1f0fc

                  SHA256

                  d381a78fa4db5302f27e196158145adf2f40e87a93c5584d7c8b32153a384b32

                  SHA512

                  86b72e2786de20668492149f48f70ca77963b9a834cc4919dd09b843bb143873c5019704c5d886fb45be2b61ab995e4c0481e148217d1932e0428ceeaf12cfc6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003534001\8741d96893.exe
                  Filesize

                  898KB

                  MD5

                  5265dcde5ea6a27a3475c937b5398279

                  SHA1

                  b21450b5d007f5ad99ce2d4778bb03927cbc17c4

                  SHA256

                  56cd7a444e3f0c16d2b245d5e23f475bc69645bba2aa3d6c9bd22d34dddeb540

                  SHA512

                  eb6aaae24da6df7e04d11bbe876fcbfa20e5f8d82b5ff7d68396e2b0537a7950c88337cdccbf3e6c76d71ffbd58388df3fc52fe737c7960eecb9f0b09d54967b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003535001\ee5e041490.exe
                  Filesize

                  2.6MB

                  MD5

                  9be7a7b4dc262499f590d16b148c33b5

                  SHA1

                  6fc7de2cb2a04a9ecd25284c756d330b36277c59

                  SHA256

                  a978da26e3782765bee3d190ce3462b793d3efd4530534137eb5611abe39043f

                  SHA512

                  fffd2a97b3752a724dac5e0fad09966e371b6d37ac212191286963f6ac62ffe95ad6755dbbd1a7082a27d2d78df794fcd90b520a4952088db83b7a1d4cb9a998

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  9a21c9f1ea95adb56b592de8d905d554

                  SHA1

                  81ebfff6a11b00ff5355025b2adddcbd0ab2e23e

                  SHA256

                  162febbe2934c9ffbaf6134fe313e02fe40474fef3a4f97beb7a325118cc98c5

                  SHA512

                  e93bc208dfe4a9a42fe2f5f2f1daf1e933b342b30d19d7a4a1de90eb21dd3a07c2ad9fa931cee0aedb1ebfbba8846ec89ca75ac215c930be1912c74fcf394ca0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  d6a4e5564ea89ce984f54944975a3124

                  SHA1

                  3509cc9b246b7ba8337cfe36b93570956057500a

                  SHA256

                  9e0ef8e0b2dab0ac9e89ff57ece6334d5734f40c14d407bac7f6ec89e503fad2

                  SHA512

                  1f0f00bf575c4c3721bd4f21fb499bf8ba8ccd414612a0bf809573c624fc2185f0608062ab53a1a23938c3d0b45ead1265543a2711ec0b9f63294100747c4e78

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
                  Filesize

                  13KB

                  MD5

                  1ad43805bd59a9c1f588324df3c61508

                  SHA1

                  4e51077dba832ab49bed927f3b2bae834c8ba9c7

                  SHA256

                  7851aafb1db1ff1fc3d6264a7e7fd45423cdb8287ecb1ed5aa64b14042355b2e

                  SHA512

                  0d8e0d2fa0ec8d2da01610ffb6db012313dbd34cfc294d7dcaa474df01054ce084177e7a760dc13089d52ee3a34577af025802b66185a375c60e704cbee8a175

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  24KB

                  MD5

                  3290f9547d4e75042bb1d45247b2112f

                  SHA1

                  ad6b138c35a6aff261b724a2e354301d488f4230

                  SHA256

                  30815e3600b8f76e340c41bfa9545aee9c65c5f8f338f643661523c49a0a55b6

                  SHA512

                  8fb1c963ea0894722ff2fe475c33f1507147a2dc40b66e3bd1fed8d2267c9796b9305aab1d6aa2ef51e9283a67bbcec22cd9c5a4b5b381d22bc62c0be5e610a8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  24KB

                  MD5

                  fe563f2bb0e4ffd360330162e6c474fa

                  SHA1

                  b5125f0cc079e82900f3e069b16cc012a5d3f349

                  SHA256

                  acbbce74231292ed02fa2ba68e38cd90fc5236a1614a808ffd2da633ee93298a

                  SHA512

                  24a0a62433fe0acd7a2358add53b7437602604c7b6597bd921d9f1299c4f10e001b55e5054a49b5899fbea09c617ee33a9111cd1ca74be9ea9d0b855fd471cd7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  22KB

                  MD5

                  0c60a3a5767bbdd2bb82aaf65f8deecd

                  SHA1

                  6fadfd95cfb99a31a654499a415d792658c83ab2

                  SHA256

                  dcc7d968346e7aaef5a505c948d7ea42e0b7869c571726a0c6120d831407bf7d

                  SHA512

                  f88c193754aaef869d68f5159bd0a76dbe33c61071b0c28bdc992fd99280745a48af2703b97b9df2e1747571e92b4d171932f546a680a32c6622c31c4192407e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  19KB

                  MD5

                  15dd375555211a78c1e7d561aabb2b50

                  SHA1

                  3de77607614cf69cc2f293cc254e237bb89e0b9d

                  SHA256

                  281ff583ceb82e7d0238f8597cc23e4ac126a3295e73be49ebbb287a9fead25d

                  SHA512

                  a0837fa8e015da6b3cbd2bc6f6deacc1dbf40c5fdf782855d4d96bfcbc96faf48a386255cf51824d1052956b313df978c543eec9f0e18455f880f81851dd2281

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  22KB

                  MD5

                  fcfe182cfc9a3fd03edb736396d61b15

                  SHA1

                  1ab7b7aa04d67d6c3508fb05ae8d55227270e848

                  SHA256

                  71c529a3ecfd572ec504af0b62ed923b5e5c882d32891a686f6919f3ff38dec5

                  SHA512

                  2fb373feeba0cd5896135d20f400e143b40580761d753c2e504aab5b585d7b40b8f769cb993ca1511ec174eb6b30f792dc0d6e19e416a18af312ab5296c6e9fb

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\aa6a10ad-b0d9-454a-b815-2e9bbe6b4819
                  Filesize

                  982B

                  MD5

                  7859300d94cadcd554b88ab5b01a99ef

                  SHA1

                  0d4d6659a281417021f03ceedb29f33e66c0f6fc

                  SHA256

                  7acf186f241f535d7168c5912dcc202ec6b75d52da59002fa450277d23f8b927

                  SHA512

                  e19a0c05263da95737b308d2de97d63387ac8b6ff7ce8af2161b272d2755c3038f64de528b9680cf5de716c27ba86e2fbe9a34323f4814593d3bab6f47e120d5

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\ccc6d41f-422a-4761-aecd-1b04d3267050
                  Filesize

                  659B

                  MD5

                  20ad30bb5f98b7187a1acb7ace473464

                  SHA1

                  615685f91f2bd9314d7a8226be7a73b4b5c8ffb7

                  SHA256

                  704963a70a3bebeab54b96b47df1c9f4eea4ee02c9749d9840ca8c3235002e32

                  SHA512

                  ebf6cc8f7a37a06bf2897b53e55465a25735db7f7ce5ad544a89316ce40900ea7debacad906c1d905435616e53fdda242b4a6cf640a3ee6dc78e6b9725ddf845

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  b5b43c2774cc8053ca507988f62b0ae7

                  SHA1

                  c8a1b679948078388efd66e2fa5e34ecd83ba4fa

                  SHA256

                  f4f51beded8de39f1348362a1bf0aeb90a8969fbcacf537bec626350d437d696

                  SHA512

                  3b0556690bcb9a734ff4967fdb9fb25d2b4b08a9169b93ae3260a83d4fdfcf9d8ef0ab7659d10c31243f7ebbde1345c6c8dde556a0bda7839d8a11279ff92c02

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
                  Filesize

                  10KB

                  MD5

                  f40bcb215f64cde69026788fbf29bb3f

                  SHA1

                  d3b843fb31ce697081f9b536c73f1a1350c91ccc

                  SHA256

                  e6e52352ab56abcce7e1cbd6db7ebf039153d42220954905669a7cc0fe421d3a

                  SHA512

                  3c76d4a5ee0054d9f1bea4532b0501b1028ec5d948c2df6e958fce8fe732df909c205fb00b395ba3377d4d1fdd530eaa31e67fcb299e021e5dc7e07af051d10e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  64efd0e0cc464c794a01547fab2ea472

                  SHA1

                  2b63682f29c5f59e223e8a42437600ba47a13714

                  SHA256

                  03f7b5b23cd9d22e88967329d420776394950604d2001f1b96207dbd7c159006

                  SHA512

                  c84e71b16f07061234b161d7ac8b6e0dd909a0e4813b8019b02565efdddbd47c8911d48feb6a46a5d9623fa2b823c6c8f3abfc8044bd92399925b2a9b8257a49

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js
                  Filesize

                  12KB

                  MD5

                  e2ace044d7902f3eaccbd761852bfe0c

                  SHA1

                  f42ef72a360c6d8a7f5288a87e8e2651d6443de0

                  SHA256

                  e4d747241d15aba2e844bb2cd68217cce8a3eeb3eb02d74ce254ddb911f38b1b

                  SHA512

                  057aaf14a22615638bfb4ee9f2ab51e3277b3d7d385c0160214ca5c75332765ed5c7860b958a2792c45bf811eb77a9c25b50f50e1a199b04695989c2d6d99c7a

                  Download Submit

                • memory/808-42-0x0000000000C90000-0x0000000000F99000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/808-41-0x0000000000C90000-0x0000000000F99000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/808-39-0x0000000000C90000-0x0000000000F99000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/808-37-0x0000000000C90000-0x0000000000F99000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/808-44-0x0000000000C90000-0x0000000000F99000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/1084-61-0x00000000007A0000-0x0000000000EC9000-memory.dmp

                  Filesize

                  7.2MB

                  Download

                • memory/1084-60-0x00000000007A0000-0x0000000000EC9000-memory.dmp

                  Filesize

                  7.2MB

                  Download

                • memory/1648-3306-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-21-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-43-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3311-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3310-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-19-0x0000000000EA1000-0x0000000000ECF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4308-3309-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-452-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3308-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3307-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-1599-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-18-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-484-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3303-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-20-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3301-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3295-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-243-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-3293-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-36-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4308-40-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4932-2-0x0000000000191000-0x00000000001BF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4932-1-0x00000000779D4000-0x00000000779D6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4932-17-0x0000000000190000-0x0000000000641000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4932-3-0x0000000000190000-0x0000000000641000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4932-0-0x0000000000190000-0x0000000000641000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4932-4-0x0000000000190000-0x0000000000641000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5040-106-0x00000000008D0000-0x0000000000B82000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5040-461-0x00000000008D0000-0x0000000000B82000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5040-451-0x00000000008D0000-0x0000000000B82000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5040-370-0x00000000008D0000-0x0000000000B82000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5040-371-0x00000000008D0000-0x0000000000B82000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5796-464-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5796-463-0x0000000000EA0000-0x0000000001351000-memory.dmp

                  Filesize

                  4.7MB

                  Download