Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.1MB

  • MD5

    7aa9f20cbf707335f2d1b61aff27168d

  • SHA1

    5ee63659d07a1f4750765ec975df04a3a6112b30

  • SHA256

    468ad154adaf82e7eabd8ea023bfe8ea160dc86e32c9cc47811674fe8afe91a9

  • SHA512

    8ac71cbd178ba8aedc41ad2113d78ef9ec13e7c76ed298381863c97475472509d75f9d13c19f366534be0b642d5561a674e6a88dc24f31a5320846ee09e2d2ce

  • SSDEEP

    49152:FewZBbhrLZuBDcdQ0JqiP1XeORJyG1UMto+fn/c1AYtu:x5xZuBDgQ0JFtXeOR71UMa+fn/iAYtu

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api

https://navygenerayk.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\1003879001\fc5f3d1d91.exe
        "C:\Users\Admin\AppData\Local\Temp\1003879001\fc5f3d1d91.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3816
      • C:\Users\Admin\AppData\Local\Temp\1003880001\a14f6c07df.exe
        "C:\Users\Admin\AppData\Local\Temp\1003880001\a14f6c07df.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:956
      • C:\Users\Admin\AppData\Local\Temp\1003881001\554ba09714.exe
        "C:\Users\Admin\AppData\Local\Temp\1003881001\554ba09714.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3404
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1220
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2364
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1048
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2036
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2260
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4868
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2224
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {376aa791-4226-4771-9fba-224ebe5b3d9b} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" gpu
              6⤵
                PID:2076
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9b13bdf-01a9-4e70-9d31-e15b2d942e81} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" socket
                6⤵
                  PID:452
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 3224 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0df6a7-d043-4439-85d5-3e5262edad06} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab
                  6⤵
                    PID:3124
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4040 -childID 2 -isForBrowser -prefsHandle 4028 -prefMapHandle 856 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b68cb4c-ad30-47e8-aa62-620b249d11ca} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab
                    6⤵
                      PID:1516
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4c150d6-181f-43f6-98ce-f20353477af0} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5628
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 4880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {744736b4-33a7-4e18-b94f-1d3e7e35a26f} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab
                      6⤵
                        PID:2428
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5500 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {168e88fd-43e8-4547-a249-d0fa4c25db25} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab
                        6⤵
                          PID:116
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5692 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bffb1da5-16db-408b-918a-c03383e0cf26} 2224 "\\.\pipe\gecko-crash-server-pipe.2224" tab
                          6⤵
                            PID:3756
                    • C:\Users\Admin\AppData\Local\Temp\1003882001\ac9a77c0db.exe
                      "C:\Users\Admin\AppData\Local\Temp\1003882001\ac9a77c0db.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4356
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5820
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5180

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
                  Filesize

                  18KB

                  MD5

                  353b99ae6299beaa5072e99d7785d3d0

                  SHA1

                  02e73e8923522a1fb5e12927b108ccb4064edcdd

                  SHA256

                  3438861baa04a5128f899c9765a62311ed2b06b20ea1e764321cc12e84e65816

                  SHA512

                  ecf6bdb448c0488f0993a6d9c593d65287a6b3b7ecc629a5b1279793fc0f7ee34bcf47749995d4afbcddf197349e645d8a6786cad0c1d5bb604af8e401cfb10e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                  Filesize

                  13KB

                  MD5

                  f4f5567e5a90a1b0e0cbf6748caa0159

                  SHA1

                  975abc5304a4e71c44859db99aefb8d86317a374

                  SHA256

                  b5465a3b256cefe151d0f3012cd6f4fcfc59933387b3b85394c2afe0af5449b9

                  SHA512

                  b784400ac682e640d86a774d9ef7e44db12cbb0a09d3039c67f94b6d28148943829b0a82347056b5b3b4cc22d4c48bd12b4317bac3608c848e65cd1eb4351b1e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003879001\fc5f3d1d91.exe
                  Filesize

                  2.8MB

                  MD5

                  67c4acf3589369c83509935e09774962

                  SHA1

                  4c3d056f3b828eb728512a389f90ab1b77454827

                  SHA256

                  d2ce87889b31d3dc33e8cc5bc06ea5924bb5c9dcd1b55179fd257fea81a65f54

                  SHA512

                  c8dd74127fdfc16afd511aeb89287974676871c58a7d4ba04283fb9113fc8879ed87281001f88beb4ceb606ba1567bed59370b3bc8ba57f71f075ede92f6170f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003880001\a14f6c07df.exe
                  Filesize

                  2.0MB

                  MD5

                  ffdbb2444f2d91d386d3d79b2b06ca4c

                  SHA1

                  3a0d1b25b7da4f691f0fbe19b35aa78b4dc02206

                  SHA256

                  585bd2f3ba3016448044f523a8202aae62ab3fa37b9566f49dd14e4439899258

                  SHA512

                  23aa8860d1c332f89d635aca6eccb26c01fdeca90b2edc2f54efb62607def54032743b25cb952e72a6571a44d8b90175bb47fd67e9bb85472e3d994be92ce211

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003881001\554ba09714.exe
                  Filesize

                  898KB

                  MD5

                  148b93356b09484e2672e9223d90f613

                  SHA1

                  50b3f2ddf041b1fbcbcb153eded57ba7ed5d3a1c

                  SHA256

                  2a9e7bee5eee970ead34b0003e675d66804c178607193f8be33a94533ac5f006

                  SHA512

                  f986737ceeed1340328fe57c05026601db03ab83faa63672c5dd3a0a1c82bb8229753faaa3371fe7743c46ce3c9f7b19fef5c9f47c1f4c5c82524b0be2afaf70

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1003882001\ac9a77c0db.exe
                  Filesize

                  2.7MB

                  MD5

                  bed86471834d723ad68fa672c21a558a

                  SHA1

                  0eb33ca7a22f3cee5fde5ca319b2d5581824d284

                  SHA256

                  960f4af77e59d23ef9311379928543abd78a33a56c5f2b4dad3675f051f6b088

                  SHA512

                  812891f6375e0f3f24aad90d68346b6d592712ddb3dcceb38daeb30343b34508f1699215a0756bce7d4bdfa8bd217f8cb618f0011e708b95db42f6cf953b5dc2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  3.1MB

                  MD5

                  7aa9f20cbf707335f2d1b61aff27168d

                  SHA1

                  5ee63659d07a1f4750765ec975df04a3a6112b30

                  SHA256

                  468ad154adaf82e7eabd8ea023bfe8ea160dc86e32c9cc47811674fe8afe91a9

                  SHA512

                  8ac71cbd178ba8aedc41ad2113d78ef9ec13e7c76ed298381863c97475472509d75f9d13c19f366534be0b642d5561a674e6a88dc24f31a5320846ee09e2d2ce

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
                  Filesize

                  11KB

                  MD5

                  97c6f7a20ef2185a082f8f3cd4c4de78

                  SHA1

                  c3c0a8b720d31afa56083f71c64d2b1bd59ef81f

                  SHA256

                  4b424fd37cca74deeadb7229df3596d0ff018913bba993c0c708d797d797622d

                  SHA512

                  313fbe8928478f4286a0ed758471542fa3411393eab11cc05939d09ae7d9a376e68cd8d0589416b6a06983c23924fc20e34cae429df1f28a8786b3aae6fc9fe3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  f479ad148f85fbb8ab3de0dc58ce8ad5

                  SHA1

                  6477920d1b6a16a4daf4faabf35667d1b54bd3a6

                  SHA256

                  4231954d5e22da99b011191a7ca1389057e3d237602a182e7e2987d2beb64ead

                  SHA512

                  d6d13bc4c46fd3b857ab6c486987896d401bf2822f4c111a77693457256506277f037d119044e3ba92723f0b610aafb232ab38ce0ff5926c60bab9dba3999ac4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  da95ed49ebe21f9c63a4a339d22735a0

                  SHA1

                  e8fdcc20fd6580a31a9c2a96711fcf57098d49a1

                  SHA256

                  2e5294a6d0b370ac5a3c71559c68d1be1aeb294e9d58f146075843ee2ec27554

                  SHA512

                  75434c114b2fcee9ff225be3793b72dff150745d3d89a0f5d6c42a0fafbf66bd9402f4c1b32a74db7f230717337ae6e9d47d523358b6c00dc9f76b018e744dfc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  a32fc7ff94bd077690da846b87ab8f44

                  SHA1

                  43730aa612faf5df5078a17a5065941b872c029f

                  SHA256

                  b9598fd795dd99ffbf76c651bb5be103a4ece4e6994a0df1f875a6fbda3416d9

                  SHA512

                  b0d68e367ccd2e54e753307db74f9e0a20de9299d77230251a1b0b6fd9850467e53768e84b0d240be6c3b4eeca2d5c42327266744265d68c70b32399db61b080

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  607598228821509ff69e845fb5add26e

                  SHA1

                  8b7586de24c858eb3c52012c818272997efe952c

                  SHA256

                  8ff65e1a2c4e00cab06a44c0b3dc84926dd026b31099d0745ea093808656c09a

                  SHA512

                  60242b0d8684d3f1741ab5560b93f3a63b27fd46725999e89090607ac01b7377f586a196454743c2ce5f2a8623f5cfa68f68338f4b706dd9c012c9da5750dd95

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\0834654f-6b7c-4687-b58d-6cb067f139c0
                  Filesize

                  28KB

                  MD5

                  af5926c9b9aa2b37e3681b47ac77d0a3

                  SHA1

                  77d34632d84d420dc78d5abe2dcaf3524c443ae9

                  SHA256

                  79a29e72d5b3f1c198b84ec02636f4e029da39850a293d3eca0e41654fb68d2a

                  SHA512

                  81cf12086cdb8d5f53d06d83335229c892fdd3021d0b7d7d8522327cf38bc7fbef5ca3eb3b14e889eaa9f0d390cfa8c2cabc0088520d263259be1c72bcbac5f7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\3600d20e-6f0c-413b-a64d-5ce51d1664fd
                  Filesize

                  982B

                  MD5

                  f984d5390fe718c571aa36c6739b8744

                  SHA1

                  214da33da09ac138bc308b1a0b21735646244d88

                  SHA256

                  bcf293da355fefdbb67a3a2552d793fb251a12866a94cac1aae1eb7ea22bc7e3

                  SHA512

                  28ac538de4cbb32ac23115019e320793900c741d8123dd9f068146d4ffbc553216dbf4eb29dcdd446be5763f006fd66d2b030abbda4930af11791edf023c8675

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\b3df6f0e-91d4-4274-b88b-f106c0185263
                  Filesize

                  671B

                  MD5

                  487e2373504507f2e30f45ba79caa634

                  SHA1

                  9782530ea6bef2be4f38b8f9fd937a0664d30145

                  SHA256

                  1f3a3d6b1e61ee5edb72b805ee69feb54240107be4261c76d9c2c36d04a0631e

                  SHA512

                  a16ff7b13bd3eade4fcf1db46dd8126f39cb29d04ef729620dcd4ad27e6909401f4ea0589270974a12246c4bd92efe2abfaea4c062c9bff4ea05b62d917d8d4b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  ebba77d9686a072f077b2b126578187d

                  SHA1

                  3fe74b37943e05c0bfd0682473fdf7d0a0ddfa7b

                  SHA256

                  1dee459a658a23c16dc302965cb25aeaaacb0c00431e0dc327930211045eaf13

                  SHA512

                  88dfdf54dbcbd5c87cb84a70f21b4c9f0e9c2b2d7a3892a868445284fd03f04b89d109eb2a64779ad889c61042c9a09c2e2a68c0f4b1fd20458e5fc9e45f14cc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  0cc333989145d9c0ba4015b1d2cc854e

                  SHA1

                  8b89e8cd4e5566d9e45889807482073f92b245b4

                  SHA256

                  5f2da5fe5ce29a1fe379d07a7705aa7025569a1520e61108c86ad385196ea57b

                  SHA512

                  2317f262a79151bd15eecec40eef17bc2646afecfe3ebfd081565a89c1ab90cd9276a0a717f22cf766163aecc842df14ec91f7d74adaa8cd484047dd6e811d07

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  6e89d6c0127daba828f9268c688803fb

                  SHA1

                  e136ee0345051f7736c7b8ac50f911a293d5ee8f

                  SHA256

                  197c12f14425ff6d4530c91417686cb750c22c44a5f1afa9e28887baac8f3a36

                  SHA512

                  1877bf7aba7016cf4ae7ae4a3efd19844c32eff28c49a97bfcb9900818789eaea5cddf2f8e6ace52ee68aff6d9b2cc0b970e6c7c124a0aed930e28161808ec0b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  19748a05d575eb9fe6b88e5875c512da

                  SHA1

                  63fa2337b290aef1cdd79a0f8884803eac669775

                  SHA256

                  7bb705366b0b8a3d719576dc300e1f7203efcfe40f30af2b9b84f1c9451e8532

                  SHA512

                  9d4b9feda38d9616ea263e544cb4df03f0b5f55ed31f28a0eb9a4407b1b7502f6bf55177f070bcd02c25bbea49e80d1404a56362e46f98ce537178aee61c7d6a

                  Download Submit

                • memory/956-63-0x0000000000D40000-0x0000000001464000-memory.dmp

                  Filesize

                  7.1MB

                  Download

                • memory/956-64-0x0000000000D40000-0x0000000001464000-memory.dmp

                  Filesize

                  7.1MB

                  Download

                • memory/2028-1391-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-60-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-3317-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-20-0x00000000009D1000-0x0000000000A39000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2028-62-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-21-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-44-0x00000000009D1000-0x0000000000A39000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2028-3315-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-42-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-3314-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-3313-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-39-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-386-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-3308-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-3306-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-3300-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-464-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-2867-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-22-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-19-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-3316-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2028-505-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2272-0-0x00000000002A0000-0x00000000005BE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2272-17-0x00000000002A0000-0x00000000005BE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2272-4-0x00000000002A0000-0x00000000005BE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2272-3-0x00000000002A0000-0x00000000005BE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2272-18-0x00000000002A1000-0x0000000000309000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2272-1-0x0000000077C94000-0x0000000077C96000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2272-2-0x00000000002A1000-0x0000000000309000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/3816-38-0x0000000000830000-0x0000000000B39000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3816-45-0x0000000000830000-0x0000000000B39000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3816-43-0x0000000000830000-0x0000000000B39000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3816-40-0x0000000000830000-0x0000000000B39000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3816-41-0x0000000000830000-0x0000000000B39000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4356-110-0x0000000000280000-0x0000000000544000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4356-454-0x0000000000280000-0x0000000000544000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4356-457-0x0000000000280000-0x0000000000544000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4356-111-0x0000000000280000-0x0000000000544000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4356-101-0x0000000000280000-0x0000000000544000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/5180-3310-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/5180-3312-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/5820-480-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/5820-470-0x00000000009D0000-0x0000000000CEE000-memory.dmp

                  Filesize

                  3.1MB

                  Download