Overview

overview

10

Static

static

3

df1403f3d4...7e.exe

windows7-x64

10

df1403f3d4...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 05:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df1403f3d4b6105f180e78e847c2590738feaacf5fcede63db2baeddc092197e.exe

  • Size

    3.1MB

  • MD5

    e31ee403fbe876b9de85855509f5107b

  • SHA1

    79cd398dd4df952a34c3b5d410ae4b9a24f62dc7

  • SHA256

    df1403f3d4b6105f180e78e847c2590738feaacf5fcede63db2baeddc092197e

  • SHA512

    5a8dd562485397263618d2a3eac206ec7e308f371b1440a9cd3f8cd231fa3d860c01585647e3e5f886fd2a8a4e56461e6ac8403da6a66c243c075216ef6f0a79

  • SSDEEP

    49152:iM+u3YQHyvxciEAB6fRz2/vcg8khrH8AbskQ9sVeOX1lnpWyQL+oW3oG:T+jmyvhf+23cg8khrHPbVQ9sF1nWnB

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://necklacedmny.store/api

https://founpiuer.store/api

https://navygenerayk.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\df1403f3d4b6105f180e78e847c2590738feaacf5fcede63db2baeddc092197e.exe
    "C:\Users\Admin\AppData\Local\Temp\df1403f3d4b6105f180e78e847c2590738feaacf5fcede63db2baeddc092197e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Users\Admin\AppData\Local\Temp\1003564001\570f2c074d.exe
        "C:\Users\Admin\AppData\Local\Temp\1003564001\570f2c074d.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1620
      • C:\Users\Admin\AppData\Local\Temp\1003565001\58f8ce583f.exe
        "C:\Users\Admin\AppData\Local\Temp\1003565001\58f8ce583f.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3204
      • C:\Users\Admin\AppData\Local\Temp\1003566001\f6e303001c.exe
        "C:\Users\Admin\AppData\Local\Temp\1003566001\f6e303001c.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4164
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4972
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4928
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1772
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1104
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2100
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2356
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7336a7f-7aa4-4428-9028-6516ba96090a} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" gpu
              6⤵
                PID:2892
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc985a6d-71cf-44cd-9ff9-aeb9d265f567} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" socket
                6⤵
                  PID:3740
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 3132 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc10d6b5-d4a4-4c68-97d2-09184293163b} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab
                  6⤵
                    PID:1232
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3908 -childID 2 -isForBrowser -prefsHandle 1240 -prefMapHandle 2580 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7577cbf-2b0f-4d65-8f48-fead14166b6b} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab
                    6⤵
                      PID:3396
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4592 -prefMapHandle 4912 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccdbe2fe-81de-40d7-a01c-39b535f163e4} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5612
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -childID 3 -isForBrowser -prefsHandle 5484 -prefMapHandle 5440 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee007f41-b566-489e-9186-8132443adec8} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab
                      6⤵
                        PID:1280
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5708 -prefMapHandle 4960 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {820dbd5d-cee1-45ce-bec6-b2a1b594529e} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab
                        6⤵
                          PID:4972
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 5 -isForBrowser -prefsHandle 4820 -prefMapHandle 5592 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd35eebf-552b-4c00-8d50-3c20c2cfae19} 2356 "\\.\pipe\gecko-crash-server-pipe.2356" tab
                          6⤵
                            PID:3560
                    • C:\Users\Admin\AppData\Local\Temp\1003567001\7abcb9f007.exe
                      "C:\Users\Admin\AppData\Local\Temp\1003567001\7abcb9f007.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5364
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5592
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5888
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3596

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
                  Filesize

                  24KB

                  MD5

                  ce0e0bba831e12a8139c9d73dfe9d47e

                  SHA1

                  bef0d221ea654abb210df717041dcc5bd4f6059a

                  SHA256

                  70591716aa7f657fc1fb189d61ab1dc391c41a583b7f73f6a44e0d810084a7a1

                  SHA512

                  a5e9911597c34d02e9f1a18a69813e7a6d4384cbd3cd796f658fd0f2ea0f12e8d52400329613d132e9da046a931da5608e5e378003a7bc70db169644694a85e6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                  Filesize

                  13KB

                  MD5

                  11d9eb28ed8a61145f375efb87e3b70a

                  SHA1

                  b534993c01c8464620f21344f779e09bcf2d67e2

                  SHA256

                  08046b4c1d87a75222e8eefb06a09a5d4afdea7601a7d0597e3d8599198d64ad

                  SHA512

                  5ba5f039489dfea0fd824a2d5c28b4cf39d08fd282ac09a5d937685bd559523181cfab6f2d120637f9ed5587ba5a06b32faee907fa39b5b1bdeefb4737f277d2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003564001\570f2c074d.exe
                  Filesize

                  2.8MB

                  MD5

                  fcdddded82c79635df9aa2bcf9fa9faa

                  SHA1

                  ffcd7cf8d64b608307e378afbdb39791875cc564

                  SHA256

                  e878d4e2dcc874044a92756c32ff332a48a10657f79d1fa13cbbc5873b9d5285

                  SHA512

                  b0f5e17c3355c2b476c7147a7c28eaa2cc133b457a2c1941d47af955be24ac20926617563df5dd4a9a9ca238d90fa3960cb0a145ea34e914d80d10e39a6260ff

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003565001\58f8ce583f.exe
                  Filesize

                  2.1MB

                  MD5

                  437db66fdc45133e7d1728892daa09b3

                  SHA1

                  ec9694ac1f7a3161fb372eb3b8835483823408c7

                  SHA256

                  575f6501ea602da4a781826d81db8c8274f546fcf7528609ba14ac0e38d5d4ff

                  SHA512

                  dc9499be979c769d53aa465b224a8ea150d93dee24dce0f4359e5a2ef11400122f0d0a511dba1ef9425b670298bf8af03e42c39a4389b0e3a11c0c8bdab8d7e8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003566001\f6e303001c.exe
                  Filesize

                  898KB

                  MD5

                  56e76255a59cc356979498c785bf4c00

                  SHA1

                  82d689ac60630cacf938c49c5fd0409b40f34b1a

                  SHA256

                  a4af94bf201e48a2a1242d2aea128aff328fbeb5ebd13faebdec74de3717bce3

                  SHA512

                  1bf5751a43b38118be228b46c138e17dab414b025b265f5fb21f0c469108877c26e21d737a87cbf0277ef2868b8539f9b986060d9464ce5d018fc2421c5112fc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003567001\7abcb9f007.exe
                  Filesize

                  2.6MB

                  MD5

                  6354373133352ba01002bf37447a6c5d

                  SHA1

                  cd4133e43fee19def2e0a31aa40f600b95c9dbbe

                  SHA256

                  5ee74cad243bc459b9068894fa0fc05d40cc8466322315f0132c8275a78112f9

                  SHA512

                  f7cf81c16ce5ceff2f6cd946896780c7f1f0e5ca78356c52d36e5079e62acb3e0d5970e32033029faac41fca73438e5a9c2d09264f9aa57dcacf4c1a483a3244

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  3.1MB

                  MD5

                  e31ee403fbe876b9de85855509f5107b

                  SHA1

                  79cd398dd4df952a34c3b5d410ae4b9a24f62dc7

                  SHA256

                  df1403f3d4b6105f180e78e847c2590738feaacf5fcede63db2baeddc092197e

                  SHA512

                  5a8dd562485397263618d2a3eac206ec7e308f371b1440a9cd3f8cd231fa3d860c01585647e3e5f886fd2a8a4e56461e6ac8403da6a66c243c075216ef6f0a79

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
                  Filesize

                  11KB

                  MD5

                  3265703f9f484c62c73e2017300844c6

                  SHA1

                  791095795b8ed36a44e3ed9581997fb8405a699b

                  SHA256

                  eee3ff2138376eb1c0227be4c9968c69592bcd1f8751d63e4a8f6c0b5a142510

                  SHA512

                  63459b6c1ac9d7326425130428121b3d7a6732cf7908d00b6b71a97707331d88757a2d8b3f73053151a1566260785f468a59689f631bc50a5b82c1f8a354c115

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  3KB

                  MD5

                  47e8e9bde38891f06efdf860eac0884d

                  SHA1

                  d78bf638a230189c37594dc995003fcae6ec3945

                  SHA256

                  86e6d60348cca295450e47ffce755d02336307c14156f15d2c537770be4ab030

                  SHA512

                  86e86f8a14db828108478db8a2abcbd4d66ed3129973e7a8f826a775aa81e2a91fd00a9d116207336d886daaee008689bf5b602d74be1e7b090ba891d480837f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  7864b8bd6788b91e3e24266a1a8699a6

                  SHA1

                  8c9d062d57f5ba5a1201bd0c8916573b5a6dda06

                  SHA256

                  b5de53aec37ec339e57cee91b31248fa570b59887c4fd9be56f08d199f6dea45

                  SHA512

                  502d27748e155a010f96f83fb6d5a2c9a59de5a5d617680d1f0de446fa0336ff7d671fedf0487f21552c80a5ae039b89647aa9523f31cee2a2d025b8e62d1c6e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  e69dcea88d67892c4e36130533809663

                  SHA1

                  f31ee3bb2974304933def328e5a7d115d8bedbf2

                  SHA256

                  2ed3defb451d38683357c4a7d36a5f0aea0f43b6a9392e98744e43f5c55bcf80

                  SHA512

                  69d07f445f45ab80f274d1a98deb915c7940f54fc6916cdc1b4b3fc897cb17eaa82c8551cb5f0fdad01452f2278c80f2b36020f0ab8e3f39ac737d7ffcdd060c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  6dca6cd28aa20f2019e2cf508e119b36

                  SHA1

                  e39c7ab70fd1cc933e633843dfce26d8980c721d

                  SHA256

                  8779192099d4b4755889d4dc8287c58a8eeecb78f6e9f4fc7f46bead669d519d

                  SHA512

                  7ff8a0b580b4039019048aad15d4310386762996c9849b4451119c44ab5f61073396649405309e27e493c1c0bdbbb0a20c031f2a5e7d0b02c24660d121ee982c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\332151b2-e6cf-436a-83d1-6c76e0b75a7c
                  Filesize

                  26KB

                  MD5

                  6fbc5295a0ee39ffc1e25a1706c0c682

                  SHA1

                  87edac083e97ddb9a1b481e617b3a315562aa6ee

                  SHA256

                  6036139da8ebf095454ce659b399678e2b3a61c43ee4d8e7bb16129704e94bb0

                  SHA512

                  3149be73b3dfe7d228024f15287e27af5883f56eb4cb0a96b3486ccb1da114eeab91e0de69d246e67f0b1ed42e25b94cc3dd3f571466b7e84b3f6557dbba3949

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\9c75b006-4845-423e-9c0b-0de99e47e33d
                  Filesize

                  982B

                  MD5

                  836ec28809a34979ea8720370c7387fb

                  SHA1

                  d5abde7fef922df22fd4893408b16a6128179529

                  SHA256

                  de31a95ceb225ae08cce8ce340c5a04d5bf3f04f4b21acb35ae1300f37c2f221

                  SHA512

                  b1e0dc480b8741a8c4975e09241a820d60922c2b95a35d0790eca9fea3a67db020ab9136036f392b3ec509872f34ebea9ab0b243aaf975c374dd85cb88d5f3a0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\cc3d7661-848d-4b3e-816f-48fd9293fecf
                  Filesize

                  671B

                  MD5

                  2f393332c17865c02dad8f2ece0b5957

                  SHA1

                  80065ed6e43b2c14b0c6ff2c257a01dff87d5489

                  SHA256

                  8b39e554cc1ba010810e0bae0d92a355a33716d876c2e4431c6039e4420cdc9e

                  SHA512

                  f31185c107addab745b1ddf2b37cfe816112c7452b62ddd2911a08f8b3df191b4b72676cde6b2aac31d8a5380263c92ed2ef804d7ab7bf7c38c7b0335a3e0aaf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  a58db3d331281402fce319722674542d

                  SHA1

                  249cca60ea9e0c66e7b5b384df08b8f0f2a3a5e7

                  SHA256

                  b18c5d16daa7e7b610f076f4413d2e7f30cf8cd30d74a4502ab720a96ed0d4ed

                  SHA512

                  3a3c0fdb4accc38656afae85f3a31d959b00d2351678a301756691538132ae680c9d237f3013a90eafab3654ed6d0138dc354412329fb0b5452f69d155b48d1d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  c074d85fb1b0671c23517ff164f910ae

                  SHA1

                  1b5f2539da6159977f5e85db56704a0df8d4b06d

                  SHA256

                  1ad8e17a57490680dcc765035ee871351106fe43cd1fb118402fb61cc23e0b2f

                  SHA512

                  2575a626afc2ed99f6007f96afd03dd1ab646bb84b8144f60a6bebc5241230eb249a26edc70ad07dc1eb3a93ba166947c6d5693626a09f02dfc2fcf91bb72f4b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  a09d7d93a66be78eb30ef61948567fd0

                  SHA1

                  e4d00d2a78e9bd57dfc4d099629dba81c524ee8a

                  SHA256

                  f89e8493d29030c4623126f4e875bab23808c6077df12f606ce9291268aa0a0c

                  SHA512

                  389a37e48da7ee59e7a5e301d641ba8ce869afcb4815753afa4dbc3a6bab46454194c7daff7a31710d39a33f5531684a9a7a6ee44ab279a303f87f5f6210a789

                  Download Submit

                • memory/1620-41-0x0000000000770000-0x0000000000A78000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/1620-38-0x0000000000770000-0x0000000000A78000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/1620-43-0x0000000000770000-0x0000000000A78000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/2468-1598-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3678-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-16-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-99-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3693-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3692-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3691-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3690-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3689-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3688-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3684-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-42-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-457-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-3670-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-22-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-40-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-484-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-23-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-21-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2468-20-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/3204-59-0x0000000000C20000-0x000000000136C000-memory.dmp

                  Filesize

                  7.3MB

                  Download

                • memory/3204-60-0x0000000000C20000-0x000000000136C000-memory.dmp

                  Filesize

                  7.3MB

                  Download

                • memory/4064-2-0x0000000000BE1000-0x0000000000C49000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/4064-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4064-3-0x0000000000BE0000-0x0000000000EF8000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/4064-18-0x0000000000BE0000-0x0000000000EF8000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/4064-19-0x0000000000BE1000-0x0000000000C49000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/4064-0-0x0000000000BE0000-0x0000000000EF8000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/4064-4-0x0000000000BE0000-0x0000000000EF8000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/5364-440-0x0000000000260000-0x0000000000506000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/5364-441-0x0000000000260000-0x0000000000506000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/5364-439-0x0000000000260000-0x0000000000506000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/5364-464-0x0000000000260000-0x0000000000506000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/5364-468-0x0000000000260000-0x0000000000506000-memory.dmp

                  Filesize

                  2.6MB

                  Download

                • memory/5592-449-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/5592-456-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/5888-3687-0x0000000000A40000-0x0000000000D58000-memory.dmp

                  Filesize

                  3.1MB

                  Download