Overview

overview

10

Static

static

3

a32db65f89...6b.exe

windows7-x64

10

a32db65f89...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a32db65f898af65bee774d19c326c7e7b8ffc1c9e8726fdf310920e2114d1d6b.exe

  • Size

    1.8MB

  • MD5

    542a3f9fafad90ab42a2ff42268c72e4

  • SHA1

    b2e59d80d83a2f230c4e9d246a649200dbf953c0

  • SHA256

    a32db65f898af65bee774d19c326c7e7b8ffc1c9e8726fdf310920e2114d1d6b

  • SHA512

    a059d864f08c4e44578ee229a227179b6d400fbcb7ddd27f3be3e09fa4584f0a04ebff4e69d0e5fbf2c49ee7bcb7b004e5d31f46e5fd44663c112233b91789be

  • SSDEEP

    49152:gc74vs/ZNV1djphaG5AiY+HEej4wwi8t4TcsMF7/mRWU86yk:gcbZNV79haaAiYPej4wwi8uTcsMF7uM+

Score
10/10
amadeyfed3aadiscoveryevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a32db65f898af65bee774d19c326c7e7b8ffc1c9e8726fdf310920e2114d1d6b.exe
    "C:\Users\Admin\AppData\Local\Temp\a32db65f898af65bee774d19c326c7e7b8ffc1c9e8726fdf310920e2114d1d6b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Users\Admin\AppData\Local\Temp\1002753001\7c8776d5c0.exe
        "C:\Users\Admin\AppData\Local\Temp\1002753001\7c8776d5c0.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1372
      • C:\Users\Admin\AppData\Local\Temp\1002754001\baf9631a8f.exe
        "C:\Users\Admin\AppData\Local\Temp\1002754001\baf9631a8f.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2664
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4140
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3308
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3916
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1728
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2624
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d84034-1a81-4e44-a3f3-6f8b90e293fb} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" gpu
              6⤵
                PID:2996
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca984fa8-12c2-4434-ab09-c70c88c2c793} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" socket
                6⤵
                  PID:3148
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3108 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fccdb406-50ce-4e21-a8f0-b43db6b7e71c} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab
                  6⤵
                    PID:4028
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3512 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3008 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f5fffa9-7767-41e0-b1d9-1a6d9fb79142} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab
                    6⤵
                      PID:1288
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4716 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4620 -prefMapHandle 4700 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a080983-675a-43a0-9135-23c512f27dba} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5192
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5492 -prefMapHandle 5488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430e6679-2801-4a97-9800-4a46fed2c8dc} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab
                      6⤵
                        PID:5860
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 5600 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5134b55d-8366-4e08-9e49-57b8ae5c9bef} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab
                        6⤵
                          PID:5872
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5892 -childID 5 -isForBrowser -prefsHandle 5812 -prefMapHandle 5816 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1240 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0c792dc-2f83-4199-9b34-361b2d950e26} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" tab
                          6⤵
                            PID:5884
                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5036
                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5760

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
                  Filesize

                  24KB

                  MD5

                  ea7a0c090364555bf2a6f07cf956744d

                  SHA1

                  afe4c08845a4d84202f6a4e34900e664895b940b

                  SHA256

                  4a418da6072030db87353383422de99c762bc4f988be32e2ac7e9790263a6788

                  SHA512

                  58632e54ac809daea56fe618a617b9cb93bf05dc057903f0641c2e3e404a1818127f4b64cd636e1a859d9cee530a50a8e30587ac8c51e4568af23e2d6844823a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  9549f07fdecaedb9b5c29600a5733e53

                  SHA1

                  ac71d53a0e29ca68a3311574b917bd8ed5eebc4c

                  SHA256

                  8e17b8af6c156295bd0e9d06d92bb0f0171e5ddd25da2317b85dc69c6730e09a

                  SHA512

                  ae5268e6fb1c8655fd83f623f50c6da63ec04f553723085d9d6997a90a0e12e90e4d9f937671b491b43082b63ce1259e70c83666c222b45d2095838b69dd19c6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
                  Filesize

                  13KB

                  MD5

                  7b6c5d2f2b88b31c7fcd2f06ec59ad1a

                  SHA1

                  daa1fcde8cddf6b4dc132aed1489e68208c80318

                  SHA256

                  5bcae83009a005a4d967276bb8e44e7bdc374d1afa1bb87ff5e9bb538d2899d0

                  SHA512

                  ae08add9258d9aedbcfa050ecb90608b0b044dc3e6ebc0104486101de84d40afcd8578b0873a80f547e8566e6b35ea77629a038ddd128ef8667bb78eb8bf0e11

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1002753001\7c8776d5c0.exe
                  Filesize

                  1.7MB

                  MD5

                  52e869ea15d398a9a8aa12f683c51a07

                  SHA1

                  5f1bee8dab00786b73a241377c90452e4fde5323

                  SHA256

                  3ce5a202ecc315416a5e1ca141baf78597480e37567d26a4d7d6bf4edad671d5

                  SHA512

                  bc3002297bf0c6bce02764be684bd8739460f28a1bad3fa2c27d7be87206d2f2ce128c8433d4716fae4e0bac2cba2e70d0ed1d660f3ddbc93ce163409df9de9f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1002754001\baf9631a8f.exe
                  Filesize

                  898KB

                  MD5

                  4301ec107082808821ea7436ca3fb86d

                  SHA1

                  28a46e2d845f291a198b78496af3e818dd784e4f

                  SHA256

                  d341aa857c4e83e1cb7adf8ca843bb456f42c5d820fc7d1279b899618a2442f1

                  SHA512

                  24ac1d21df8904d672f7edbe5a8a2956c5d0fb0a352b68a7f12c9ae5d1ad6f283280b708e250b858f23f33729bbe997f4445ddab3e33b55be9f1c37044199d9c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                  Filesize

                  1.8MB

                  MD5

                  542a3f9fafad90ab42a2ff42268c72e4

                  SHA1

                  b2e59d80d83a2f230c4e9d246a649200dbf953c0

                  SHA256

                  a32db65f898af65bee774d19c326c7e7b8ffc1c9e8726fdf310920e2114d1d6b

                  SHA512

                  a059d864f08c4e44578ee229a227179b6d400fbcb7ddd27f3be3e09fa4584f0a04ebff4e69d0e5fbf2c49ee7bcb7b004e5d31f46e5fd44663c112233b91789be

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                  Filesize

                  7KB

                  MD5

                  42903ce235e6e0a649f414c2fb6208a1

                  SHA1

                  fb2049f4c2c370b5fb13f9485c1a8ab756e226c0

                  SHA256

                  2bf2b73edb779df6cb158ade3ad3911cbb3f6762b0b0960bfb5c04e884b23d68

                  SHA512

                  2ff10caa9f688e74764232a382cca2944ff8ee701be5627a5ea2320a89416fdccbd18e1683b0d268b6c645e8af03edede73b5caa27b924d451b0309bbe8eed8a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                  Filesize

                  13KB

                  MD5

                  4f67dbb7923240ff4522b2bc21da840d

                  SHA1

                  8911049b5d6402c2a8c5b4150724e1e6e03434c5

                  SHA256

                  44b9a0d20b65121f92a037bb06e2ffe62774ecc549fb73a5739010b379f5b2d8

                  SHA512

                  bd5461ff4fbb36a70cacbac36b9416c6c719a7381ca0671e1b56c4472b4960e3eb68ed0f7d7c59ec0f7e7efe26091bd54177b43571da0888e61f641b50619a53

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  7a5ef6c8c2092f3485bcf204255aa7af

                  SHA1

                  8f55cd659955b0341e7a78a53d20c3e12178d79d

                  SHA256

                  93d9c74fd8de72be5b116ade7fafccc30ce95890d5eafacea42acc3814edb2b5

                  SHA512

                  08c0d64461e6d3834fc0a051314f15b60ef1178e8c19873cf87e7ddfe60885edea9e4037f3aa97c9400f074002306f4e466c172922522388218b91cb152d9a30

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  14KB

                  MD5

                  4d4ccdaaa6f9a643407999198173ba83

                  SHA1

                  8cd5f2494220898d3b3336afa25ae5d5bbe597c1

                  SHA256

                  810f325b468d783d2a1d90b278c39d3d8723d7c908a913d2a98fde5da638c056

                  SHA512

                  d8df2a1ff70495307b7bd4ce15e77704687f413974813f0862a99568a42e25b8e6577f046ea647958f337978e734f9a09be7172d968eb1b04b2cd24b19058fc2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  cee77607b475e2d0d8bbf34414ebbaab

                  SHA1

                  a180f9ccdce047f49bd9020da3f0b7eeb941dec3

                  SHA256

                  1bdbe6ee836ed2ce1b41e24de5052b8b0d6a7a5c9fb6d67d2ac7b6abf6d3bd65

                  SHA512

                  84a5e33f056b98735bbe06d1d6f5c3bba6aef9e106b180a9b78ffcdd2b95f2b283daabfb8ac9d6baa2845fdc9c2c09a3c202775619c0b2d49227b1492e8086d8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  092ab0720e80386fe4451b6d168be010

                  SHA1

                  e09240ff6a19fe5e458842ecba19c10efd51ff5f

                  SHA256

                  d2a4df0d9627a39656c4db2b07f6af9e540e62e05b7036bfc713a36f8dd81ce9

                  SHA512

                  952dd69792511f8268b2de6a05dee46737623fb310622658dc4d182c06af1b6e4451c15f98e73f25fae9172461d75e8232ed485b543fae81292c288dbf2fe4bd

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\08bbbe65-3e8f-4dd0-8931-a51358d34cb0
                  Filesize

                  27KB

                  MD5

                  d65ea786cbc2e92648a2174b19fbcb56

                  SHA1

                  41a336e390f2894e941edc6fdb8a8a35911d8c2f

                  SHA256

                  deedc626e888e46b88eb9dd4997e13bcb55ba96487b57a9da5db299cbe4db703

                  SHA512

                  2d9cdbe6731559f1169e8b21b3ab84c639183dcace035046c93b1db1eac7f4622cd9dbcc60ad4bc269ca644f47a1d8c6d27541f45b979d5e9d39959069f9a0fc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\826d8a83-ffa2-4d00-a2f3-b5d9881c7b81
                  Filesize

                  671B

                  MD5

                  facfe3f61ae4831ec868c6018a2bc634

                  SHA1

                  0d9e281ff2037104233305f33adae8c09190cdbc

                  SHA256

                  343b6fc16596a7efb6345791da471474eca1c647a1f83fc9dcc1572aba95bae9

                  SHA512

                  ac95d1a98bd7b537b2c04e95fc6e43c5dda56a744c40b68e56b61c6efbcebbd0f9997a88e5f8729bee5ed221c4847f628aa16224e41ac99889b39ef170ab1c06

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\c0472b72-4cfc-40f2-ace8-b52a63c19b71
                  Filesize

                  982B

                  MD5

                  39f8dd0dfe557f564c5cf3eef8160948

                  SHA1

                  63f5e56b5f41319d26fd4e670a0c514c8d9332c5

                  SHA256

                  70d26f8b9e842674c9bfef3b3937f196382b176cfa2360f1955499066f405114

                  SHA512

                  9baf1a0221a4774f529023bb51ed13bcc41c707823a33eac1e1166f9331add1649887648a4b7649ea5c8d0df3aa7fc64470c9bd410557a68a4fde20fbd7e593a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  00b69c398d7116655c444ef1b6ebec20

                  SHA1

                  4759216072dfeadf94e63aa5d3b9df398517600b

                  SHA256

                  9e2940a5d33fdd0d79736d650b1534b2a3c018c0035cf6ab9f3acf1ccffeb999

                  SHA512

                  69a3e8949d64b8e0676e2e6c62dbf26c3c3446b069aedf830aa9184e57666e16933d6a52c0c538d16768dc39fd1120e8805234b80921459caa959dab82156f73

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  b31b813f3054b1e7ed2c9d94fc4272ae

                  SHA1

                  b3bff924e569c2c9ae5aed746c63d1f7c0031121

                  SHA256

                  92b2814997c3fa28bf7865bbd9f11be2ed742d4f07b5c8f218a86cb63a7a1c98

                  SHA512

                  d1fd8c589065680154b218cd500ec01a12a55852a2b6a2b9ffbc6e812951dc132a15410ea940dd8381a6a412510475c905e0e88b81af3880efb37322085cfea1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  1.8MB

                  MD5

                  9dbc581c19b608d078c8a6a1433d56e3

                  SHA1

                  d89412afa4815aab520e2cab348de38df973f7fa

                  SHA256

                  97209912a47e6fa294709821e0c5146ac35d1100712664f7dda12d269470fc50

                  SHA512

                  f1fc185e3fdae62a9506719e7597f28fc77f57546354ecd2f8e147ca60182a7c69a415132f7e29c4c25e32fa4b5d488e512b041435b02118e8f8f3d4942eb14d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  2.4MB

                  MD5

                  47ae8a467407d4addab79240fd9361ad

                  SHA1

                  5677c30688525a9a872e408521a1324c3a2e7efc

                  SHA256

                  0bcb81de6409f3953e998983a4ab914eb00f772e3ac58def81b8bdb1d8a13374

                  SHA512

                  64fbce1a41250c92adae0956b9de639d7ecf3d9e274347e7245c89bb2a8a3a7e5767ae7ac024df10f5b6c704300c72fbfb810a500a231922e5ffca2caf6650ac

                  Download Submit

                • memory/1304-18-0x0000000000A10000-0x0000000000ED1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1304-0-0x0000000000A10000-0x0000000000ED1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1304-4-0x0000000000A10000-0x0000000000ED1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1304-3-0x0000000000A10000-0x0000000000ED1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1304-2-0x0000000000A11000-0x0000000000A3F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1304-1-0x0000000077704000-0x0000000077706000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1372-39-0x0000000000DE0000-0x0000000001478000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1372-60-0x0000000000DE0000-0x0000000001478000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1372-37-0x0000000000DE0000-0x0000000001478000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1372-38-0x0000000000DE1000-0x0000000000DF8000-memory.dmp

                  Filesize

                  92KB

                  Download

                • memory/1604-16-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3076-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-40-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-583-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-77-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-403-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-21-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-19-0x0000000000031000-0x000000000005F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1604-20-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-421-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-2231-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-61-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3101-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3100-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3082-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3086-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3088-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3089-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3090-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3091-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1604-3094-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5036-3079-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5036-3078-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5760-3093-0x0000000000030000-0x00000000004F1000-memory.dmp

                  Filesize

                  4.8MB

                  Download