Overview

overview

10

Static

static

3

408570855f...4a.exe

windows7-x64

10

408570855f...4a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2024 08:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    408570855f8686662dd74ca774155ba23ce0d0d912344b4a3df0dcf49759bf4a.exe

  • Size

    1.8MB

  • MD5

    9219b0d1dd0e33ca434ffd0db8b3bdbe

  • SHA1

    6d6d6018ceda52dee9c733d4ced0ab997fddfd69

  • SHA256

    408570855f8686662dd74ca774155ba23ce0d0d912344b4a3df0dcf49759bf4a

  • SHA512

    e6f90d8f91980196ad3b9f444ef32a3ca8b7c7aceb5d25ea32bc208cb27faa1f88166311c4279b7d82e111d56dae9b7e62505f7054370cb4285008ad87b9ff8b

  • SSDEEP

    49152:UOnze/GCK6Kq/x82KumsTNEotIvahhl1NXuWRuWFRI:Rnq/G0KU84EgIiDj4WF

Score
10/10
amadeylumma9c9aa5discoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\408570855f8686662dd74ca774155ba23ce0d0d912344b4a3df0dcf49759bf4a.exe
    "C:\Users\Admin\AppData\Local\Temp\408570855f8686662dd74ca774155ba23ce0d0d912344b4a3df0dcf49759bf4a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Users\Admin\AppData\Local\Temp\1007109001\9359901799.exe
        "C:\Users\Admin\AppData\Local\Temp\1007109001\9359901799.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4344
      • C:\Users\Admin\AppData\Local\Temp\1007110001\da1b9a3d38.exe
        "C:\Users\Admin\AppData\Local\Temp\1007110001\da1b9a3d38.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3484
      • C:\Users\Admin\AppData\Local\Temp\1007111001\8a47b01daf.exe
        "C:\Users\Admin\AppData\Local\Temp\1007111001\8a47b01daf.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5048
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4952
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2256
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e08f49a9-131a-4156-a659-4f7246730fa6} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" gpu
              6⤵
                PID:1092
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43e0ac94-6ee3-4b93-9a8e-c6867fe89a01} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" socket
                6⤵
                  PID:4084
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 2968 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4e3712b-d04e-4080-85e7-21029ba947c0} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
                  6⤵
                    PID:2996
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3524 -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3200 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a59c5e4-674d-4f0f-ad8e-97af9e55c3ce} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
                    6⤵
                      PID:3980
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4228 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed34245d-cc42-4baa-8356-8f2f2cb2f14b} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5388
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5456 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03686152-e242-4307-a7bd-ac33117be27b} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
                      6⤵
                        PID:1884
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9866526-6844-43f1-8540-4c137abf548e} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
                        6⤵
                          PID:2656
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5852 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1200 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce4e2ca-ca11-4edf-bb91-d361a08756ed} 2256 "\\.\pipe\gecko-crash-server-pipe.2256" tab
                          6⤵
                            PID:5052
                    • C:\Users\Admin\AppData\Local\Temp\1007112001\90ac439cf1.exe
                      "C:\Users\Admin\AppData\Local\Temp\1007112001\90ac439cf1.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4508
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1688
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3120
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4432

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json
                  Filesize

                  19KB

                  MD5

                  454c396f63a1a81d6ffcdffef0e32f34

                  SHA1

                  f20c6899e515a2fd96a5d30e8317115389a01f3b

                  SHA256

                  1efd1ea7276b613ed388515ea343ae76167c52873b29e77c9d56a53801ee6d5e

                  SHA512

                  1b7f9a04b625d1938ed9024c5438798a1f8387d7b9d6dfe70fcb0848f66f30ff1b5c1d679e4a06b81f8808edf3351bc0eba268745a1581c868f3225db277c053

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  e872c0c61cb317bdeda71b9788923dfa

                  SHA1

                  8a4d2b3667687d00cc4faf57f7efff58f3a742d7

                  SHA256

                  d010c1ca4fb56d6f8954c0b0395b545af19dbe1bdddb30d5623ee0bcec62ee6f

                  SHA512

                  66aacc2aead0f4d4af85455874d20fe095d15d292bc9178fc5ba2db823e58976ce12792b9d2adffd18732d6cf21916e46bbba8a4957f36815cc0151321ec9dbf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007109001\9359901799.exe
                  Filesize

                  1.8MB

                  MD5

                  1c9baba3863eb6e2cd1fcfcb0fb31d1f

                  SHA1

                  d3d44d8c18d93be08804bdc8a98d82c791d9487a

                  SHA256

                  8be06ad676b76e25164e3c83e1f5bc69c0cb5417bceeee1dc03799b9c7261653

                  SHA512

                  eb0a3e427cf28c5b41b6ecc63dd133290ab94cfed98f7774c02fd684b7f00633a847dadfe668680b7f6545d63e9a5073b51b4ce6bc820124dfcd5ede3db8097f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007110001\da1b9a3d38.exe
                  Filesize

                  1.7MB

                  MD5

                  bed918183c456251eb2def949e77e958

                  SHA1

                  18cd870f1fe9729e2ca7040c94ae96cb5a06d54f

                  SHA256

                  85765fad0f7110797e87c8765fdba37475435c1e1ac17096d58badc90c555acc

                  SHA512

                  9f544f637cc7aef92fdbee0775bc3eec6c763bbcea1800711f93eb781bd775726a060b45fe5fb931eb885e04a0abdebb7d31f1c4b4325d42e0de9b989991b3ba

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007111001\8a47b01daf.exe
                  Filesize

                  900KB

                  MD5

                  b651212b079aaae7a41a35932178135f

                  SHA1

                  1aab44c321fb93bfdc8c46d2e51a5354bb8d2e08

                  SHA256

                  e4141cc09eb998a186001be4fc7fecba5e718476e6540ad9046cb99fe64fddac

                  SHA512

                  c75c57cbf0f9cc9103514938ef07b7d79aeebe3509cc6f0addec868f1993423102098b15993bee1741df71dcf48d142b2ce7501106d4e1f7101d00006541b10a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007112001\90ac439cf1.exe
                  Filesize

                  2.6MB

                  MD5

                  aba8b7461f83484c491609ed50a23ccb

                  SHA1

                  ff0cdc64aff545d168dec8508c1a7dc1c81a78a7

                  SHA256

                  f98d8e6aa8d6bdf79c13ce7408520431f23938f40d559cbcb41b2be0fe109057

                  SHA512

                  3e1cce23cf7720b9c6a157366470898b6261ef350bd3118a66f52a2e5c5c06307ab07b877cdf8233e96c90ddda24262806b8b38cba93197375a5cda9272156de

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  9219b0d1dd0e33ca434ffd0db8b3bdbe

                  SHA1

                  6d6d6018ceda52dee9c733d4ced0ab997fddfd69

                  SHA256

                  408570855f8686662dd74ca774155ba23ce0d0d912344b4a3df0dcf49759bf4a

                  SHA512

                  e6f90d8f91980196ad3b9f444ef32a3ca8b7c7aceb5d25ea32bc208cb27faa1f88166311c4279b7d82e111d56dae9b7e62505f7054370cb4285008ad87b9ff8b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  e7adb0e90825d2a5eb4ed3754c088047

                  SHA1

                  4899be66f2f0270042ac733b7c389cdbba2dc27e

                  SHA256

                  df4623f186f9258571eb0ffea69d10a1ed0b785c35e2e1adec70eeb6e4889e8c

                  SHA512

                  cc688357e4678c5569562544253e70c4bd14bc2ecb289ea37b0d6755cedd4b8672abcfc31a7c19e66fe8e107f6fa9347d3c482904ace71196392b04e00731e7e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  2bfdd32e8550f2bc2764f6870afca7b3

                  SHA1

                  81b51fd18c96b065a0a1b0ceefbb76fc3908a32f

                  SHA256

                  4168a5b3a468c4cb42f7b7730e3e4a3cbf30fccc579f0343789fb82f5f635edd

                  SHA512

                  9904c8de42abfb319efb25e626a5baf57c5820d354e1e8ecc38c692ed4d6ef6e7f958920599df623c3ac00bff896d15093a12237c6846cf18de87ee07bcbc793

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  13KB

                  MD5

                  d9976b7b263736cb44739d8b908fccf6

                  SHA1

                  62376f79417d1b0e333a333dc68e79b8f1abf5b8

                  SHA256

                  881bf71b3243b1a84e5b57b8729cf30d4c06766e8e3a40242312ac32e7f5e3e9

                  SHA512

                  1d86ebc77055670d276d21437c6cc6fcb90513f399482a7c74915a13717404273a350217d2e185a5f2fbb0fc1b0b9b2d8f28e3adc64efa0702004af9373a9db8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  525512e51a8a297fdafc845e1fa47cee

                  SHA1

                  9ee88e5ce8e35f248a5e7dbefbd9d4755ce55185

                  SHA256

                  1f5d0576601d37ba276f77e0d93bc5f62e9b086862cee639ff8c59137345c183

                  SHA512

                  3a2f44491a234c26b77235ee1a75c297eec8a84de1fe7e7a565262aa36bced37db65b90080df485b161df35d64e01c45021569a990181f3c48dda1e96f3d193a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  7bc0437537256fb33ac083530a25394b

                  SHA1

                  4cc31c93c22e8839f4280b94ccf8bd80ee3a05e6

                  SHA256

                  3379a8719032a694dec60b92b35fee622de42f0e57e7ad07ff85f4b3e776cece

                  SHA512

                  3839dac7f1956ddea0ad47f8cdd6e68e987a774c7107dc3194a02924c80d03ee7ef1e2e7390165e7af643e27d96e774cc249f2606de56494b7e4105b1807ee8c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  8327999991e16b382661d806581b0fa7

                  SHA1

                  9addb71c89d67f3dee78e58b4140b72376deaff1

                  SHA256

                  d96007e4370dc5c8ef5b86235db1db971f3705c1f75b041c740a3f99eee0fc08

                  SHA512

                  e4b5213e3e2088fb34ab1bb3b1b4821f50bbd5d9af135c4fc0201c23896ecbc11fcb50fe80cf9f74831272b83f65f1aba5f1f5a8230f33127f4304adbd62131f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\3ba45d7b-c171-4048-b1c0-e58c2ac209d4
                  Filesize

                  671B

                  MD5

                  c888e1ef09dc72558a778c00d12dea34

                  SHA1

                  946bf1d8fdfe2d9cf6c2381afa3a8414d4a11fe3

                  SHA256

                  65c5ea31ff68e045757a295a5421eb27ef8aaed41ec044e6e47962eebfd37e91

                  SHA512

                  7f82d6763083f6a7b557b6e4acd623f590d1edfe0a9e04be43c2e9be3ca8d103fd7b40926fd3e2258b2d41cc1d74b45a86a9fdd846ca8124e36e862e4d73443b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\3fb6a057-6775-4a37-ad96-42536f3ed823
                  Filesize

                  982B

                  MD5

                  1244954f796ced96413cbaf30084836e

                  SHA1

                  7cc8991cdfe6281456089a021991d28c6bc1e4d5

                  SHA256

                  aede347b0e475133e6c019c111a180b1a80fb854a99a65c4766ec8715c4844de

                  SHA512

                  c1c2ab0c0c269c80fb348d8b64d8c14bcf14eba26b1dc95f2a2c4027a63d07a4b9889c032db93a2ad842658643e75544d618c89484076f1fa2de7767ab79be0f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\9f07acb5-2238-4a85-9edc-4ed380f8071f
                  Filesize

                  25KB

                  MD5

                  cd1eb2fee1e3504f6d74008f4b9c7d64

                  SHA1

                  92c09b4368d6c22678ca503f812ac57dcd364bc2

                  SHA256

                  295380fde94d3cc770433aeb438b3ecf6764691b3f6a01f3a8332b56c1953c03

                  SHA512

                  2c960c8d20c9045b271277d73d1bba0cc418d5bc0bcc8a1df97c5dba9d4365a8ec744cf9a1e41956ea0c91575c8a4cc49721651c63878c49faad688c1c27324d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                  Filesize

                  11KB

                  MD5

                  8ceb02192651db1f080f370cb7657504

                  SHA1

                  d86f29ef789b638e4289bd615a4fb2516242abe9

                  SHA256

                  e863be1419b3d1bb933ac4dcbcaaa362c44a3759e8301d9183fa5a2d12c2ace6

                  SHA512

                  87f508baaa57f77195bb0bce89f093955d24a692787b2fbbd2ff3d4c58b0f5969248018e55f12a26b6ab4476a6cd2bc13a5632c193bfa0c8749a25bccce3d713

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                  Filesize

                  11KB

                  MD5

                  354bec3ffc36f8ac3a93c11f882ec2eb

                  SHA1

                  5276a18bf159756bb3d2f738d7ef29622a287f89

                  SHA256

                  5496d7f689d4a926090528206b5f0d6342e752fafbf74e3d3794903a12776145

                  SHA512

                  f4a0a5a36f21f8cbcb30522938d7413eaede97a62fb6c31d8198719187e12875d11d138e806311da7ef59ef4778b464260ff051b518ffb32925784ecb8d409fa

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                  Filesize

                  16KB

                  MD5

                  e4c8936507b2d16026d172a784ca6b67

                  SHA1

                  168acba908f17973d9da9e84329c341c80e1b87e

                  SHA256

                  7bbf05dccc7dcc6e9cbc754c7a71ea88e8ca5b9b6b1564903b79e411a01df028

                  SHA512

                  e4244c550037c2e5d8e1158c34725e833f3fa1a1652b55722feca95f456dc1dd462dd200ebb978504d90992e0cf744482e6f6532f5bd412cf39c456c4aba17fa

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  29809f330e19421c04d08a319e329ffa

                  SHA1

                  e33fceee40b40895c3af6c7d9c44698bd58972f5

                  SHA256

                  ea0cb2c28287f7cb6c8d713de12d52fcc67e3ed4cb2aef19ace1e9c7b009da52

                  SHA512

                  263273914fd5c7e6737bbd5e4643d116ec6e03572dd4fa897df305c7fc51b52569383d9303d524ac47640f939379ba6430d52e93938177a53aea59d16d7190cd

                  Download Submit

                • memory/1688-62-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1688-61-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3120-2659-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3120-2657-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3484-63-0x0000000000A80000-0x000000000112C000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/3484-58-0x0000000000A80000-0x000000000112C000-memory.dmp

                  Filesize

                  6.7MB

                  Download

                • memory/4040-17-0x0000000000040000-0x00000000004EC000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4040-3-0x0000000000040000-0x00000000004EC000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4040-0-0x0000000000040000-0x00000000004EC000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4040-5-0x0000000000040000-0x00000000004EC000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4040-1-0x0000000077064000-0x0000000077066000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4040-2-0x0000000000041000-0x000000000006F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4344-82-0x00000000008F0000-0x0000000000DA8000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4344-37-0x00000000008F0000-0x0000000000DA8000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4344-39-0x00000000008F1000-0x0000000000919000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/4344-40-0x00000000008F0000-0x0000000000DA8000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4344-84-0x00000000008F0000-0x0000000000DA8000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4344-42-0x00000000008F0000-0x0000000000DA8000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4432-2675-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4508-480-0x0000000000610000-0x00000000008BC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4508-116-0x0000000000610000-0x00000000008BC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4508-107-0x0000000000610000-0x00000000008BC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4508-117-0x0000000000610000-0x00000000008BC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4508-490-0x0000000000610000-0x00000000008BC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5092-1830-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2655-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-19-0x00000000001B1000-0x00000000001DF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/5092-20-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-21-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-393-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-38-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-989-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-55-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-18-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-41-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-482-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2665-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2669-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2670-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2671-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2672-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2673-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-506-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5092-2681-0x00000000001B0000-0x000000000065C000-memory.dmp

                  Filesize

                  4.7MB

                  Download