Overview

overview

10

Static

static

3

170bf287f9...2N.exe

windows7-x64

10

170bf287f9...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    170bf287f9ffa502dd8d1b2557841a3da058d1b394785ac5ed66e7c63ed4ad82N.exe

  • Size

    1.9MB

  • MD5

    163df58aeb771d10653bbfaed113ef10

  • SHA1

    e2635ae1bf6b630fc5227d73b8db861314127285

  • SHA256

    170bf287f9ffa502dd8d1b2557841a3da058d1b394785ac5ed66e7c63ed4ad82

  • SHA512

    36bf534ff47db4d0de0d5773d58f021c5fac3258444fc93532cb52e62aa35d1e7b79cf6ab85dcc36aa075877f33beb92cd07c13e57b0abbb61aafd175b27f844

  • SSDEEP

    49152:3KygiM3y1FI3hsQ9DEp1Q2GEFqw1WrFP:3KygdtsQl6QpEF3

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\170bf287f9ffa502dd8d1b2557841a3da058d1b394785ac5ed66e7c63ed4ad82N.exe
    "C:\Users\Admin\AppData\Local\Temp\170bf287f9ffa502dd8d1b2557841a3da058d1b394785ac5ed66e7c63ed4ad82N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\AppData\Local\Temp\1004071001\930454a5e7.exe
        "C:\Users\Admin\AppData\Local\Temp\1004071001\930454a5e7.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1620
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1468
          4⤵
          • Program crash
          PID:5112
      • C:\Users\Admin\AppData\Local\Temp\1004072001\26b5c8b62f.exe
        "C:\Users\Admin\AppData\Local\Temp\1004072001\26b5c8b62f.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2620
      • C:\Users\Admin\AppData\Local\Temp\1004073001\0ce6e30e04.exe
        "C:\Users\Admin\AppData\Local\Temp\1004073001\0ce6e30e04.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3240
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3212
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:852
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3896
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9731bb7-cac1-44a5-b3bf-761d5a93ab16} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" gpu
              6⤵
                PID:3476
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5411fb6-aee7-499c-a655-437db84f0a30} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" socket
                6⤵
                  PID:2524
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2696 -childID 1 -isForBrowser -prefsHandle 3200 -prefMapHandle 3220 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5915f9a9-c81e-4e33-bfb5-ddd16e2f34f1} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" tab
                  6⤵
                    PID:1236
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2912 -childID 2 -isForBrowser -prefsHandle 2844 -prefMapHandle 3008 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf5aceb-e57f-4a85-9496-a96526ffcf83} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" tab
                    6⤵
                      PID:1348
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4420 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4248 -prefMapHandle 4252 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26955237-1faa-4993-9d37-3f4992662d85} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5564
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5460 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b5d6ef3-4bf6-406d-a7a6-2080f119d500} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" tab
                      6⤵
                        PID:4712
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a2d0dcd-dc89-4329-9b85-ff66f3888065} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" tab
                        6⤵
                          PID:32
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5796 -prefMapHandle 5800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18b4111d-4b6e-4fce-9f39-0c9906a360a7} 3896 "\\.\pipe\gecko-crash-server-pipe.3896" tab
                          6⤵
                            PID:3908
                    • C:\Users\Admin\AppData\Local\Temp\1004074001\bb70217377.exe
                      "C:\Users\Admin\AppData\Local\Temp\1004074001\bb70217377.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1436
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1620 -ip 1620
                  1⤵
                    PID:5020
                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:6116
                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2792

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json
                    Filesize

                    18KB

                    MD5

                    f32fee6df5e6fa7dd1e3e86c178d87e7

                    SHA1

                    a162c39bd8793fa52976764ca543a6e04ef81522

                    SHA256

                    fc6c1ef0320a734b0713d924ee209b6c58938ebcdeaa476d0186bacb4e3d3631

                    SHA512

                    6603fef19627ef3fb1fefd73acb1eecc967ed7f369a49c939963627b31397919443e3b7ae9e52fe51468527f2d52c4a454866597218e029b50603538b7235d0f

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                    Filesize

                    13KB

                    MD5

                    f0785193e9daefd0e0e5e72c7de2c7ec

                    SHA1

                    f505b03b93bb06d120e7e3208b80d077145df5d7

                    SHA256

                    c26d8af527052d8a92061a34f134a8e3c43ad26eeda2f5f04eea81126713cea1

                    SHA512

                    fe7f28626f06a1a157d54ce3462f3fa81155f21eee6cfc496098d3654d15ef064a97f374c4fbf5bfb68bb068b7ecee3058c3276c078b82b05891f1d801a81f75

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1004071001\930454a5e7.exe
                    Filesize

                    2.9MB

                    MD5

                    16f1c8aa951e83b4ea794bf5b66291e6

                    SHA1

                    9a7310bc9b25759b2a3b98c199dc7eb56605516f

                    SHA256

                    a2ffee36f80aa7450c094f3d0340e9eda3ae58613b1f7ac19e57d0b91b8d3acd

                    SHA512

                    e763e14d2ad8e95755ea4834ed6dc9a081091edebcbec6472636ad44cf0d0a002ec07f696835045069435730b5a29ba4b64c1f04b9c5f1721e8f8abff208a077

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1004072001\26b5c8b62f.exe
                    Filesize

                    2.0MB

                    MD5

                    942d8839790190a0b7269d587425c3ef

                    SHA1

                    b61fb82d04980dc1453247536a95bb0f721eb59f

                    SHA256

                    df99583b876c169028a4e9817489d6c3fe65c391903a9bf2db295cbabc4cdf63

                    SHA512

                    1b8cb308198b9270637fc4d1cd65bcd4b685e93365b031af089730a67bc8e21d4bba143ef005c7f0294256b0bfec6ba0f8322f125cba5e5d65950cdc0336efa7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1004073001\0ce6e30e04.exe
                    Filesize

                    898KB

                    MD5

                    2edd0a55ddabfe03d1e524227e6865c5

                    SHA1

                    e3d6f4b661ebdc79054b4afb0c54a1392ad4c34e

                    SHA256

                    e0d64d8bfb6bcf0e1b9ee2989b919e7b6767288153338ed999cefb3b41cf07e4

                    SHA512

                    67f7c53aacfc8c5aa5e4d9bf84d5b0064b84d9e4ae66cd4e8d99adf559c1fd6103878c36679db836c4b358e967332ff2859b22f04fb5684c39ccffe5d36eed85

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1004074001\bb70217377.exe
                    Filesize

                    2.7MB

                    MD5

                    d98eca55b5386fba824026cadb1b94de

                    SHA1

                    2bfdf079f15f36db98d8524f090b49f6cca7b04f

                    SHA256

                    441147d44772362fe1d8efc3f8f36bbb55dcd165d50227b05320c5e5557d220c

                    SHA512

                    41299a884769a7df578b4ff04a59a56ae63717b504b558799d4fd728a0363e15e352a9351c9497b22e0626ba44cf44d18307a682d82526287c9ccbc747bb50d7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    Filesize

                    1.9MB

                    MD5

                    163df58aeb771d10653bbfaed113ef10

                    SHA1

                    e2635ae1bf6b630fc5227d73b8db861314127285

                    SHA256

                    170bf287f9ffa502dd8d1b2557841a3da058d1b394785ac5ed66e7c63ed4ad82

                    SHA512

                    36bf534ff47db4d0de0d5773d58f021c5fac3258444fc93532cb52e62aa35d1e7b79cf6ab85dcc36aa075877f33beb92cd07c13e57b0abbb61aafd175b27f844

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
                    Filesize

                    10KB

                    MD5

                    51c4a36a02067af2cb91108f739d23e9

                    SHA1

                    363af8c83dd73bcfd1fc28930cc8822e09095fc8

                    SHA256

                    8c7433622522c96896202aa962a3c3edd6a47601c9b4b983c81aa50465ecec90

                    SHA512

                    f6279bbf2c1c6f0d92da3930c846d15d0ba169baa094620f32c8118c7c3858f594d79991f63a749676ccf746d14944025d1e43fcde4968af10b25b3ddf37b349

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    aab4fb6ed67a3790c888ea2035502532

                    SHA1

                    1779c0e5c151bcc2356a029f1a018306894d26d3

                    SHA256

                    7d5bee8960b6dc20f81ab8d4dbf015af326dc85b2f2b24bb9e3a052f2fa14767

                    SHA512

                    09254dd89da31f394352965ccc0e1464b359af327036709d228527852e5f4fcf9cdd9b1db224bcc193c9e0f2eb8d3dffc87965fbbc11ad0ba6e1ace04ef1528c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    15KB

                    MD5

                    37c84637588bb2cd189ddd33372674ee

                    SHA1

                    d685d8d284663750f9c4f2520fa1424b2fc0c3ca

                    SHA256

                    b1b33373e2e73e86f434c055646ce8017eb6809b81fed85526e678719876653d

                    SHA512

                    df2b002e74ccf6f96ae1a00f07680dd0759a459a281f5137fff5459d7f4e658481477d1058c58851d064ce187ebea455df087d90b1c24dc9b4184f100a657cf0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    14KB

                    MD5

                    f58815837230bb9342ee666b95948fb8

                    SHA1

                    e074c7710ebc190ee59184f2aef7b369a1c6bd5e

                    SHA256

                    70732a766b4d7c9a14653562d3a038347e14783c5aada21a37568692fb1ce17b

                    SHA512

                    d34287b7d7422de8380fe68456d580386dd5b9f060303c754a9b712ca78820fa6a12b3956ee1d73cf24903e85df10033ce73bf7ed6749fed4b6828c43f2440b2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\39ca7950-52ca-4546-a470-e5ff04701b5c
                    Filesize

                    24KB

                    MD5

                    6d4c917cb63d9ca4fab9f8ecb258988d

                    SHA1

                    1345b50d1423ca9e53553938def72941aee3c66f

                    SHA256

                    d758cab25d823750d7119d727608cac439b19fdd31621f2fe08d783e86889cdd

                    SHA512

                    6c969042ef80f70b1c66bce714167024614d4a6e279eab968958a17a905113448a24989b447aafe355d72043dfb47f5fe58dfdb5578252081bf757034d1ce8bc

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\68546665-a5c9-47c6-94f8-91ff6d31d66d
                    Filesize

                    982B

                    MD5

                    3899671ecafdc305ab22963b27f28223

                    SHA1

                    9b1eda9b5ca0f72ab8dbdbc8306f0c3c1e46538c

                    SHA256

                    0a6a8432c4b26c3172123033eaf53b9576708f391dd8d9a6d2fd2ce72591f0ad

                    SHA512

                    dcd8e8559ca3041477cbba780a8e86fea77fa5456050897837ec0452bd5196b9daa55ac3f61f16049e2b53d99d79a60cec5c32ae3c40c24e17d12023444b4884

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\cf4b8371-5ecf-4758-98c7-0dae00c76b57
                    Filesize

                    671B

                    MD5

                    3b5c5117cd107e052564a8463ce52098

                    SHA1

                    db23b761040efd16d9313a102d5abd281a436d2a

                    SHA256

                    f0a56485edcb84ed6ca4417cab1e9771ae5973fa424c188e98636859fa0d5e4d

                    SHA512

                    5f1b5d23298e1147c518ae38dc4d0e31332497b8cf5ce3ea303cb6100ee741ea74c1ff324397e19c7970573f2c0ad06d3014ec84e6c6a30f2df7d2b059544ddb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                    Filesize

                    12KB

                    MD5

                    ea10c8c69c02b4c9f787cfd1af885bae

                    SHA1

                    8bd93647fe1b6ad3cade57ef0a214ee48adb1277

                    SHA256

                    a9d982a59bc1c1a80d97b86a5eb07a285841ce2dca979f8d9efc1dc87af56a6b

                    SHA512

                    9f78a92872ff4f6f1e74d38188c01c6f0f9fdec193176ab346c5925ef3bb7cdea3595ecf1d705475c58df60176bca59d77e0da58808333d619ca87a91e2dfa2c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                    Filesize

                    10KB

                    MD5

                    ac0fe1c2b8c9b40a3dd6d337e5780ceb

                    SHA1

                    adbe6dfd7fdab922aa5678ae1d21bd9f11b32b78

                    SHA256

                    0fd4376617746cfaabf88e7e9702f1c04e567435de1aa6f7a0d0e5ebc75d49e7

                    SHA512

                    552891762eda9f84024f680f2a692de1f173bdb4b0d5c618c80f2ca3fb9a37d6c3d8fe388efdd933f47bea160d4f9b807c929a9e6d6074e29ee8d25d2420f67e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                    Filesize

                    15KB

                    MD5

                    9c6008ab89fe4d1db438c02b6e43503b

                    SHA1

                    9b876413a2d2bc3a5b9429ee2dd27bf490b82499

                    SHA256

                    ab9c84d352cc318f0091aeb514b2edf5d7d970af2970eb0da97c68454c1ead4c

                    SHA512

                    8ddec0d89b0a4e20b516b80aad8fd1f9a95a0f537e7a270dae97cb83e898a817064128065dcce9038367c942d5b722257df24252c36cad0ab4484f2cac0b4c96

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    d6cf7c81a644dd57b682b2f512bb446a

                    SHA1

                    f537cf3003e75caea618e555986d8ded09fc3c6c

                    SHA256

                    2ab8c490b65f146af82fcbe1e8bd2ce94f2acf617ccaf8c5f45c74e855588ee9

                    SHA512

                    9f2825b1d06f3f5700633f13ff26d5a819fc8b2fa40c5d12996518b244396c1e97d54efa804564f20c010cfc4272041b8c41fd2700ddd7400002270a3d18d3f5

                    Download Submit

                  • memory/1436-471-0x0000000000200000-0x00000000004C0000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1436-468-0x0000000000200000-0x00000000004C0000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1436-392-0x0000000000200000-0x00000000004C0000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1436-429-0x0000000000200000-0x00000000004C0000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1436-428-0x0000000000200000-0x00000000004C0000-memory.dmp

                    Filesize

                    2.8MB

                    Download

                  • memory/1620-36-0x0000000001000000-0x0000000001312000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/1620-61-0x0000000001000000-0x0000000001312000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/1620-39-0x0000000001001000-0x0000000001029000-memory.dmp

                    Filesize

                    160KB

                    Download

                  • memory/1620-40-0x0000000001000000-0x0000000001312000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/1620-42-0x0000000001000000-0x0000000001312000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/2620-59-0x00000000005B0000-0x0000000000CDE000-memory.dmp

                    Filesize

                    7.2MB

                    Download

                  • memory/2620-60-0x00000000005B0000-0x0000000000CDE000-memory.dmp

                    Filesize

                    7.2MB

                    Download

                  • memory/2792-4202-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/2848-5-0x0000000000610000-0x0000000000ADF000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/2848-3-0x0000000000610000-0x0000000000ADF000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/2848-1-0x0000000077A14000-0x0000000077A16000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/2848-2-0x0000000000611000-0x000000000063F000-memory.dmp

                    Filesize

                    184KB

                    Download

                  • memory/2848-0-0x0000000000610000-0x0000000000ADF000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/2848-17-0x0000000000610000-0x0000000000ADF000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-57-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-713-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-4204-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-4203-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-472-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-19-0x0000000000881000-0x00000000008AF000-memory.dmp

                    Filesize

                    184KB

                    Download

                  • memory/4028-449-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-18-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-20-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-38-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-41-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-3088-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-4191-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-4194-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-4198-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-4200-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/4028-21-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/6116-474-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download

                  • memory/6116-475-0x0000000000880000-0x0000000000D4F000-memory.dmp

                    Filesize

                    4.8MB

                    Download