Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 04:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    b58725b0a514974aae36a20730adc4b3

  • SHA1

    a99eb4395fc9a95cad952a7d4bd444fb3baa9103

  • SHA256

    a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76

  • SHA512

    21ed4926463abff571fa30161607cfc58ef2106683295830764a6008d9e6c1228271966c951c030b13db295217b7f568797ebf74fb02a4ed86d198a34d9b7a29

  • SSDEEP

    49152:ugpWvpPq4PRzgbjv65CIjyoNaA1bKGfBMK:usWvzgbkaA1TSK

Score
10/10
amadeyfed3aadiscoveryevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\AppData\Local\Temp\1002741001\2a03c3811a.exe
        "C:\Users\Admin\AppData\Local\Temp\1002741001\2a03c3811a.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4432
      • C:\Users\Admin\AppData\Local\Temp\1002742001\a8d13bf5c0.exe
        "C:\Users\Admin\AppData\Local\Temp\1002742001\a8d13bf5c0.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2468
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3944
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1176
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2480
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3080
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4344
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4272
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8e5ac39-e430-438d-81ce-3dcc4db73135} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" gpu
              6⤵
                PID:1480
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {956843ba-ac72-4fb6-9a5f-71c50e52add2} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" socket
                6⤵
                  PID:2344
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 3064 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {543bb934-7623-4cc1-8c79-1dd1eec0613a} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab
                  6⤵
                    PID:2652
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3852 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 2756 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d77cd0e-ced6-4bb9-a146-6ef751bfb63e} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab
                    6⤵
                      PID:3156
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4644 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4668 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53cd8531-df0d-4ddf-85aa-7837a459a078} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" utility
                      6⤵
                      • Checks processor information in registry
                      PID:2392
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5300 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0686bc6e-1d03-48a6-a3e6-40c39f1d9d66} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab
                      6⤵
                        PID:5828
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a8015e0-58a3-4e2a-87f5-7f5a756bb339} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab
                        6⤵
                          PID:5840
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5720 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd5a30fc-2741-45b8-90b3-232951996b97} 4272 "\\.\pipe\gecko-crash-server-pipe.4272" tab
                          6⤵
                            PID:5856
                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:436
                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3948

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json
                  Filesize

                  24KB

                  MD5

                  1b9bde747c53fbde24cfb55a3731b37d

                  SHA1

                  6bcf37e8b0acd2ba018788934b041570bb381d3d

                  SHA256

                  cf3153bd59e9968662ac28e409159aa6d4754c4d7aa0bcb5ac1d9085e000a962

                  SHA512

                  9bb9650ad07885a7ffbf7c18e3649564bfeb8f4df3a18cd7c8e5e910bdc80b32dd6cbdd2c2edcfcc8627a1ab52701054ac62b09ec815d389657c9a0ac0b2a729

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  fd062c4825cf390974d386cfcf0b5953

                  SHA1

                  ba9079edcf02db4222fa2bba9ebab92bc1029a6d

                  SHA256

                  34dd533976bb8fc61f4270ca5aa9435bfad7b9f12a6f3fb26508310abdfcce36

                  SHA512

                  eb1695554fe64f7dfdbbb3615b450f9fee6eb0989b118f37e312b94cdefa46622284620709ec84fea8f3212dd727fa7335cc3d37bd9db0656e17cdcdd3c35511

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                  Filesize

                  13KB

                  MD5

                  b1c2389d92097c5ce1e750d992915e67

                  SHA1

                  48ac63b5a88fba3c4dd980f195aa256786022fc7

                  SHA256

                  6c0be5ac0baf419fb29500da8a63beb6f550943ea43a534ff7d30aa0b7fef38d

                  SHA512

                  4c51cda02890be115cd7870c327da58affb96ee8dd2054823cf549bc4d9dbbe7deee2a9401c509f1b9be52bbf0566f62da10363d7042afe91de440b11f701cf8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1002741001\2a03c3811a.exe
                  Filesize

                  1.7MB

                  MD5

                  59b3273d9d5c8f80b5cfe9e160188073

                  SHA1

                  3dfe989cba1316ed1a4e82b8bf9e73301749e559

                  SHA256

                  101e5dd7863cc4cc10c084d7468f2bd81a77323f9fb49b4b5ebd6077a5552ba8

                  SHA512

                  7a5b0b3e6f368a8e34abbb9059d0399937373eccac17de9cbd9e911833ed48d369e97fc3fbf02ba73d66661a2b50926f0630f9923f679f771ca968506da1b128

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1002742001\a8d13bf5c0.exe
                  Filesize

                  898KB

                  MD5

                  530c8d510535e62fd422303538b7dcf4

                  SHA1

                  6287ff30b41766ae4a5a78541581ed683bba7a30

                  SHA256

                  ebac1e80d8da8f131c6264728c4e1b47091619499ea5f5cbb415736f4135aa95

                  SHA512

                  51d6e4edf9c38901b966feaa8e5e4c73662b95047f19c77d2640b3a7db83c18f74b09cdc5a025ea5a45b9fd58cf61d343f55945f77b0c1382baf4d94f9e255a6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  Filesize

                  1.8MB

                  MD5

                  b58725b0a514974aae36a20730adc4b3

                  SHA1

                  a99eb4395fc9a95cad952a7d4bd444fb3baa9103

                  SHA256

                  a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76

                  SHA512

                  21ed4926463abff571fa30161607cfc58ef2106683295830764a6008d9e6c1228271966c951c030b13db295217b7f568797ebf74fb02a4ed86d198a34d9b7a29

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  4b339d2d3391a7b92084eda2c1992ae0

                  SHA1

                  93ac4f151f7a4bc8a79e5811e0a5b80e71109f65

                  SHA256

                  4b27c91b67cda95c389cdd4cb06fab23cee2e98a0fbe7f7a346575f9e021ea63

                  SHA512

                  face01c58f1e7a95ae2211c54ba0b82d0f497e0087da2c118db7f723287fb54e876d42c3aa3036bbcfcf2fc7087a7472719ab5eba1571671317a0a5fd25fad81

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
                  Filesize

                  13KB

                  MD5

                  66da15cea486e2c6f1ceada62518f551

                  SHA1

                  6d26568553b5ef22f2ef6d3a36dfff9d1f900937

                  SHA256

                  3f91699106841895febb551d2838443cd71db3334a3801632fa2926dfa4aeac7

                  SHA512

                  cab0e3cd5baca029d971dcdce014dc9193446a754ddb5a3a6d442b58ad132dcdaa97f78a3add7afb7926cf6e90d0f38bc7a60ac2e51e971b8f5fb232449f7dbb

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  e260e40350e20bf6bd46d3b58374b7c5

                  SHA1

                  5a5b30a3c5d8f16b84fea708cabea9d935677bc1

                  SHA256

                  89044ab51bb140e0b4ef4cdf39f9ca6037058890b7742e753e9fef7117f03879

                  SHA512

                  be14b702f83d1cb12a9e95c911a467d0518cb60652332e05e42bf8287a471895cb5ec0cbe0892069fc552457e236d421df6a0e75ae732e0d076a4216f9a6457e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  9bc94ac7a6c247c84b48ca1cd6b2f083

                  SHA1

                  ca230840a8cb091806211d1c409dcaa00e7484a0

                  SHA256

                  c4f696f4aede3310ff100ce2702b33611ec52750d2e46e4e6f714a1b9d142407

                  SHA512

                  ae1b41e8fb8fe2b506e138e1a972a913d7bcd0331f6bd0a78327480ce719a8b113a6288582a8d95caae199eef114a39607b9769261ae204009cd3a77d7ab2fb5

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  c011add4549648604707585b133595cd

                  SHA1

                  2135533534048758040282c8893cf8bae895fb23

                  SHA256

                  108d1794996b51b039906e322ce63435da99d1fbb5286ab232e6200d11a89a96

                  SHA512

                  54d8ec9c96378e15ef513166978de1b5abed16682f8e3856bb8e35347b901b77425979afe7c26aaa51f15ed1ac8063e30a30a3ed1c915d57e36015cf36044e2f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  f1058ed1078d3379d1555e1be5be2ce0

                  SHA1

                  da3b0e35e167dcafeb62ab61f58b1761e792a1fc

                  SHA256

                  c40779b54ed64344a8954ce1845b991ca477a1f56a86531ad6f76c9190409ea9

                  SHA512

                  a9151d1b3d2240358a357ee91e70cab98cbd8c47eb2a1f317cbfcacb6ddcfa59e9db502ec834f921974ee8a92e3773c4b35aef13fe77048fad39fab90d2eed4e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  d8a1a0e881a2876910347881e05b976f

                  SHA1

                  87112afeffdbe20eb75f87c08378484f6af05867

                  SHA256

                  9ba2d7637d41f2a5edd4c3085374677b771356d6d91e38f08af3dd5a8b7a2a83

                  SHA512

                  df33435395b81250476b2bcadb2f81241ce9f67a70e47d867463d496904c8d8e9b915df33e4165504b38336dfcd7342cbaff2ad2ec4126384105c377140965f0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\61c8b8f8-1496-4eeb-8057-059343b029ad
                  Filesize

                  982B

                  MD5

                  b06c63fd8e3841b0fba0164dc9b15af6

                  SHA1

                  7ce1c0d0a7db8673e68e0f6dff5ae41479dee0ab

                  SHA256

                  ebe10d5d034ae3a7a67f53c54113e712ce0efec4b9a4c10d85bff829224f6947

                  SHA512

                  51d38daf69aeb31cb924ff56d4aced69a046c3c90d75f15c57d052395a3c2089490142a52e901cc0e9bee3464ee324d7ad394976e96f0628f5a483e3e9ea1805

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\787950d7-21b2-4ffd-a8c1-1a061682bf0b
                  Filesize

                  671B

                  MD5

                  cdf974b0b1badc16a0351a077c22683c

                  SHA1

                  7d877d5d132ba2b8115e45e97063947a9d352cff

                  SHA256

                  57ac685dd366639b6c7fd6999bd8419f6e61bb69f57327b0e319e9586878e9c7

                  SHA512

                  33a6b574a2d2a6f4de0742fdc9ec3043711f1208f683847b16db832543bc5980af03fffbf5c9af05b3945bbf190a51b8e395ed1ee873f69c0ff455ae15adc576

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\f4d4e98f-c572-4535-aafc-3ccfa7ab97d7
                  Filesize

                  26KB

                  MD5

                  496439312f7a98d5cbfc11fa1659db3c

                  SHA1

                  e8e77e3d2e24641d06b707a8de846b632b6ea53d

                  SHA256

                  86fe64a8cd233bc9b26636478bd76ec9103781dd69b390d1f9f7cc06eab1bf0a

                  SHA512

                  fd0bc99ef7b117dd8796674e14305a2906aee0bdf7810391057e447a411ab5b0c97750e96f968cdab0b44a1ecb44d0b7d2bcdd997eed6abd42c1fd53992aa6e8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  6e622ef1d925e7ab9a93e60c443d6cc5

                  SHA1

                  3e05e1427c17017dffb74d189ead1f55112b9517

                  SHA256

                  2397262dc55a4fb8954f3d2a11f65ab7950e4c58385a721d2d8f3a09d1c04b4d

                  SHA512

                  cf1ac3e2642c1d8cdb00e2774a8c8102d697bde8f301727ab401c160169b598da7e698d01fe1da4c235fde07a6e2f1cb6637cedf2740401ed1e38984fa2b0203

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  f62c283ccfe700443d52b62370c6a866

                  SHA1

                  a9c7b1deb23cd0dff11538c7b1ad6186a95a5156

                  SHA256

                  d9863f3fdbc89f9d273dd570afd4f7708cb143c399c60381898934b216accdb2

                  SHA512

                  e21a1ec1eecd03a36e0958e95df76d41a71ee713a6cbee748e95a5fa799d95f9a0f5920b21742294b8d86937d8a595bcad7aa08dc77a7c3c988686a336e941f7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  9c2c0db23be50c0b25a43a3509676b6a

                  SHA1

                  0c891747bfa2cc4b3d5d2526df125e10d83a1029

                  SHA256

                  2eccb5a7ce9671814ce9eb944d9f93eacf3418d3bc524d23497d3903f4edef70

                  SHA512

                  d4f7f7a02145d3e79b0bb115c0a467519368188f783cc5f8b9839327af4161191a0304d31574ad652eecb3905919f8328fb7830e29da617365639b6bdb0750dd

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  1.8MB

                  MD5

                  481fc4e3fee6436632784bd98ad9b4a1

                  SHA1

                  8d43c3dc3bf6cac6f8162888a00a86ccb000b24c

                  SHA256

                  ad48024487b0184ee01babd406fdd88b13abe00f7b6d7f0bc909894b69a46d6c

                  SHA512

                  da79cd2eb2b59aa703a58f79241fb615d70b4c918ff6ba1b99202551e56f68cee79a08cfe52999bccd266071ec2988df9c6889e9498fd7e87e7aec1d0de1de55

                  Download Submit

                • memory/436-3155-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/436-3157-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1484-0-0x0000000000F10000-0x00000000013DC000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1484-18-0x0000000000F10000-0x00000000013DC000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1484-4-0x0000000000F10000-0x00000000013DC000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1484-3-0x0000000000F10000-0x00000000013DC000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1484-2-0x0000000000F11000-0x0000000000F3F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1484-1-0x00000000771F4000-0x00000000771F6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3948-3172-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3948-3173-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-2088-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3168-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-606-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-413-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-307-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-59-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3181-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3175-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3174-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-16-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3153-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-21-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-20-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3159-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3165-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3167-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-431-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3169-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-3171-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4012-19-0x0000000000D60000-0x000000000122C000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4432-37-0x0000000000440000-0x0000000000AEC000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/4432-38-0x0000000000441000-0x0000000000458000-memory.dmp

                  Filesize

                  92KB

                  Download

                • memory/4432-39-0x0000000000440000-0x0000000000AEC000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/4432-58-0x0000000000440000-0x0000000000AEC000-memory.dmp

                  Filesize

                  6.7MB

                  Download