Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • submitted
    18-11-2024 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    82c552689c8b7e3c6907b560c5e9d9e0

  • SHA1

    7fb72ecfa5c8dbe4e327cec22452164567174034

  • SHA256

    c3daaa185d4a752c3cf11b2c7d679273dc883d9b28bdfc07356221c24ccb497d

  • SHA512

    d7c1ebc4be70ffdd054f9b6080528cff99d8c59bea4c8675828fbb2330aeeb3378fd48eb148c539ebb574827dea8fdf7dc1c4e175d63d8baa11a421d43ab5ef1

  • SSDEEP

    49152:s2ZDC654mZ/BWgyhaKqsVOarqHi5HpdTL+PLMm0Oj3VZE53ZZq:Q65JBBWpIsn5TTSTrjFZE53Z

Score
10/10
amadeylummastealc9c9aa5marsdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

https://cook-rain.sbs

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://cook-rain.sbs/api

https://processhol.sbs/api

https://librari-night.sbs/api

https://befall-sm0ker.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://owner-vacat10n.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\1007189001\fdfee02f90.exe
        "C:\Users\Admin\AppData\Local\Temp\1007189001\fdfee02f90.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4844
      • C:\Users\Admin\AppData\Local\Temp\1007190001\2a548ad3ba.exe
        "C:\Users\Admin\AppData\Local\Temp\1007190001\2a548ad3ba.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3496
      • C:\Users\Admin\AppData\Local\Temp\1007191001\8ec1c48bb8.exe
        "C:\Users\Admin\AppData\Local\Temp\1007191001\8ec1c48bb8.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1140
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4592
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1708
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2032
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4748
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:960
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {714202b7-e6eb-4ef2-b8b7-68719e53e6e5} 960 "\\.\pipe\gecko-crash-server-pipe.960" gpu
              6⤵
                PID:4772
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66284cf1-7454-4f79-a6a4-efe47529820f} 960 "\\.\pipe\gecko-crash-server-pipe.960" socket
                6⤵
                  PID:2808
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 2948 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f007097-db9a-470e-89f9-055e737d1450} 960 "\\.\pipe\gecko-crash-server-pipe.960" tab
                  6⤵
                    PID:2316
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 3032 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e6b7d07-72a9-4151-9fee-3028116e0a3f} 960 "\\.\pipe\gecko-crash-server-pipe.960" tab
                    6⤵
                      PID:2716
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5060 -prefMapHandle 5056 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37825190-37fe-4951-8bb6-297e9e81dee1} 960 "\\.\pipe\gecko-crash-server-pipe.960" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5696
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5096 -childID 3 -isForBrowser -prefsHandle 4620 -prefMapHandle 5084 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc6bdd6c-9718-4908-a4a5-b50cffb4cc1f} 960 "\\.\pipe\gecko-crash-server-pipe.960" tab
                      6⤵
                        PID:5704
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1478f7d6-5f58-4755-9141-c2439e409209} 960 "\\.\pipe\gecko-crash-server-pipe.960" tab
                        6⤵
                          PID:5732
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 5556 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5b98f90-05b8-4df2-88b2-a8886976209b} 960 "\\.\pipe\gecko-crash-server-pipe.960" tab
                          6⤵
                            PID:5800
                    • C:\Users\Admin\AppData\Local\Temp\1007192001\327bb24657.exe
                      "C:\Users\Admin\AppData\Local\Temp\1007192001\327bb24657.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5944
                    • C:\Users\Admin\AppData\Local\Temp\1007193001\ec8ad383f3.exe
                      "C:\Users\Admin\AppData\Local\Temp\1007193001\ec8ad383f3.exe"
                      3⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5216
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4964
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5324

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  22KB

                  MD5

                  e2c42ea3a54ab36c674818b6ce0e49e0

                  SHA1

                  8a1d5ea20117816182be9b4f43031d14cce6ded6

                  SHA256

                  5eadf03ab4b53d3fa2a97fc611307b33bd8f1fbac741a4ac4b368f049f434bc3

                  SHA512

                  5e71d540d8fa5e1e3d763f9817b715b1413790380316a764ccee7d12e5f47dc8cc5a9ee1e520cdf7cea24163f7880bdd207d5dbe8fb53f0a20f66adea6ed7681

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  6a38f8a4df326038054ac537cadb55bd

                  SHA1

                  75d3b2f8da7628761177e40a91c31460acfd1d1b

                  SHA256

                  e4fc782c89a33235e25e6a1a9a5c505edf7cf7dfd9cb8f2719f56353b1e0b376

                  SHA512

                  c7b0cad98499af57d9d41ab023b5dae3ae3adb2507a1d5711ddba7ecf1420ebe526b5b1b515746a2fb3fb85f40be8587947c52a3acdfe2e0e003400a7eeda022

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007189001\fdfee02f90.exe
                  Filesize

                  1.7MB

                  MD5

                  57f67b4dd4e2eb450325b999139b9bc6

                  SHA1

                  6aada37bc4c211d6cd94447f12be3c97eedf60b2

                  SHA256

                  abc7c4eae6f3707ad561026c93e16e352c5a28d8eefe071d0ae4d44fc8c8aba4

                  SHA512

                  61e5469351cb42b3bd404dd4394eda961e64695e748299e5066ef785af7321ede06d71eb4990e5a747b074aee7d164dc95ee27b067735759b38e024b418f5872

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007190001\2a548ad3ba.exe
                  Filesize

                  1.7MB

                  MD5

                  a9c5e550b132f05425fe24675c954fc2

                  SHA1

                  80356ca69305ebfefc2da48baf07d23895689e9f

                  SHA256

                  4d8ed9e1af3aef3e956ae3031c8f70631cf6e1a26926dd06a1519d10647c5d9c

                  SHA512

                  69d0a397a4eaf063fae7ae6a4647b3c05e3401bef4e4c9a30ec8e88211eda8ee7cbab9dad30eae918a9792fb7489704c934d9f10dfd6290cc99fe55f1a2ba15c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007191001\8ec1c48bb8.exe
                  Filesize

                  901KB

                  MD5

                  fa2b397967bb122bd57be0528765abbd

                  SHA1

                  24d212abeec3723411175d4aceaf4ef634be000c

                  SHA256

                  a7635253f2c47262d9f46682f31c22195260310263524c75965fa1e68a554fbe

                  SHA512

                  bc84ebd2d013c46e5ace108774ce8caa5fa36ce7bcb08b831eaa063210de122710e8b786d33129bd3c916a68a765a5ca0259a425630d483ad64ab78e90966749

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007192001\327bb24657.exe
                  Filesize

                  2.7MB

                  MD5

                  399351f27f65211a8affaa3f1a83a4b5

                  SHA1

                  502ee3e510cc0777e6ac4da96e2b888f87819413

                  SHA256

                  924c3e5297db0b64091770de09886f650d3890083e0449d67e5b44da52f5195b

                  SHA512

                  8e953421361f8f339027d0db9140469593ff5a0bd68244d6f882e2d83a3a961cec2e1eb7659dd0781eeef6b8558d8e8184ec451119bb528c1b1ecef128815b88

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007193001\ec8ad383f3.exe
                  Filesize

                  4.2MB

                  MD5

                  1c5e5a8fc5722825d37fd6ccb7d04ae7

                  SHA1

                  8bdc0068e766d579f261f61a0bf557a8af523cae

                  SHA256

                  cef96aa440db935014442043e4c08198830f4bbed27df9243717244b87d51b62

                  SHA512

                  7e184e6cf6663504997739a3cfbe1eeb64c98ce0783f4d24764d7bbf1b8d03de6f009e175c0bf87fc66eea64fe42d3b2923d2bcc098a64058eedf19face68043

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  82c552689c8b7e3c6907b560c5e9d9e0

                  SHA1

                  7fb72ecfa5c8dbe4e327cec22452164567174034

                  SHA256

                  c3daaa185d4a752c3cf11b2c7d679273dc883d9b28bdfc07356221c24ccb497d

                  SHA512

                  d7c1ebc4be70ffdd054f9b6080528cff99d8c59bea4c8675828fbb2330aeeb3378fd48eb148c539ebb574827dea8fdf7dc1c4e175d63d8baa11a421d43ab5ef1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
                  Filesize

                  12KB

                  MD5

                  aabfdc3c631a68697b4726e252b5f9b0

                  SHA1

                  076656e8ec40586e01feb40788291773f9b3bea2

                  SHA256

                  57a0806cfe7b71a669de59cd51e782cd8c756f2558a705bc4a60a9228bc17a44

                  SHA512

                  e5979e91ad030e0644d202e77e8239ff269fd6e33b088ef7e57c49975b4a24665cd95cc7f5b4ff6733b84b2c578bbdc2f6f280d10da2a091d24fb724086c2c85

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  3b7ee97ce2f31911a5532a5045d43d78

                  SHA1

                  cb92eafd6072229bbef71faffd05507aad195ae5

                  SHA256

                  7c83644c4d55c559edd4de57caf0c70fd7ea227a331d617dc1c5bea1b7727e44

                  SHA512

                  a95711c857752b953b1e2062e36149e444b0e5c3dbd5dbe19c0b7f90e4e8b2f915b171b3ff55efacef7ac8780bda64e33067ef1379a2123d3282f8597b58c925

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  63ce514cab9d66ca9b8dc8fc4aa1f7c6

                  SHA1

                  b163062c4c814a27c0515cf0b98c4b16e7a7bf76

                  SHA256

                  2043c63ffc5bd72aea390971bd6993ef659bb500d51a77978840ba0ed7c96f93

                  SHA512

                  76de5e43bf6171321b4f9aaccb26b2ee84f9b17595ca237ceeb54edec9164b177aeb755bc487d6f29c2ffecaea69d899817a9bf29647effc7f8731c4aa494a67

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  e07a01b56a5ed3d7f7f8c6a0c2f9443c

                  SHA1

                  fa1ceec4aafb4ce5a3c6b0a325df5723c42de8af

                  SHA256

                  a8796ca2315b5b348250a17b75aa7a98fb0040d528538c51300fb72cca0bdf10

                  SHA512

                  6838b41e27ff638bb38705f2cc4f3eb924442e4f923b17d06dd2fe88d449c407068924934a767229905e6a0af6dc84044f55fafa80de6f876661cff8f7dd020e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\63a8cba4-c504-41ed-9520-178355fcd67d
                  Filesize

                  982B

                  MD5

                  e7e4f85215bf352ed769d8aee84009be

                  SHA1

                  ea8be2ac244bed49ed53884e740cc021addc3922

                  SHA256

                  980fe77557b023481ef82450de33a08898ac29c82d088605a5b8a22b4e67f0f9

                  SHA512

                  3f86df9320238bf9a5f83cc383da3d02f34eefea7ad7649e3a1355ec240ff66f23e589a17e46f55caabdd8228fe2cfa14f296e68c8ea693fa347dfd65e69e21b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\711f47e5-ee8c-4368-87ec-bf308e63ff9c
                  Filesize

                  26KB

                  MD5

                  4af066c34f856e23c4909dbb136c4ca6

                  SHA1

                  e8c338d7634042bae5b583584d6760717edd7846

                  SHA256

                  ed6e70994eb4f5befb19470db5456a4d830538b9207a964e1df964b5eb7f881c

                  SHA512

                  d371dae343d778aea21f8b0e06849877554a88bc73dc76887f57f60bf60aa89afeb2938cf0ebf08b03646c4c323d86ca779b30418cbaf4e73216b65e09bfa359

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\b0c2a7ac-783a-4c5b-8fb9-6f8e453246d8
                  Filesize

                  671B

                  MD5

                  85e040092a24f2145a1406ebe17bd3b4

                  SHA1

                  dca5ced9e934ba90be1fa52cd035a482a8e4f6f9

                  SHA256

                  c5422229de49989a537c578a6bc2a135aec928c962a3b29c16e0943f104c8ffd

                  SHA512

                  ec8f0dc75ec4592ff5ea2f22f29849fc75aede164fbf7b038f50cd25b8c0be73048dcc4900691d029fafe3cbdccb3f951201eab6818251a84fb751b4f9e94a72

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  2838f30da5d3126c5876fc912cfc7d6b

                  SHA1

                  5aa4e38050e3f61a5a30ffe4a0e57e606916f96c

                  SHA256

                  0a1b2e92934bf5ff13b85fd81c4629b6592fba41c1c702f5a5cd28973425bd22

                  SHA512

                  155ee73a64216ef27959e14a10360307c7b0377f62e79ec57e22d6b525cc0db26668822c727470471e82d62e7598718ffdc938f8154a201a416106b332ea8766

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  274c46b0ce854c18b8459aef608b3558

                  SHA1

                  0c1f45786c7281e3404e4353e003ed2e7804dd27

                  SHA256

                  5613662701fa99edf56df8720191dcc7af918bf2736611ffab4fa4de54b85f4b

                  SHA512

                  340131294ed2cdd4db96513f7c210a8b1b154c98ebfbd3038182f3e9bcd8544e6bba7742066d936220abebb6417579aada3c80253336732acf8c3e7a340b8b42

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
                  Filesize

                  11KB

                  MD5

                  9dffb6ba130e3080c671a9197e409221

                  SHA1

                  4568449028c19d51d59856568059a8dc6cc959de

                  SHA256

                  149b48879886597e25bbcaee749baf37d420461154fb57a173b502c3bd2c2f15

                  SHA512

                  258c132fa47e58940885e106650990367289afa3a3a9646dae12396f67a1d8a1e4c436d55df38de3102bc8b2453cc1ce442f63d0a406162ee6213e869faa4f3f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
                  Filesize

                  16KB

                  MD5

                  e99e8e35888837c53c8ad1647e2e1f02

                  SHA1

                  e5bde561bf6ea50895f5adf3344abb0136998486

                  SHA256

                  0bc8fe36effa9ab287ef1707e6a6abdc31f50cf64b4267c179b290af73ceda00

                  SHA512

                  067d099dfa5459187d8893b867f2bcb7d3d02cf8d178a3145f317b17c75a173ffbf67b5d1072f7099070d3775cd9b670d816564af1a53a80edfc4a0adc2a7bdb

                  Download Submit

                • memory/2356-0-0x0000000000310000-0x00000000007CA000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2356-16-0x0000000000310000-0x00000000007CA000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2356-4-0x0000000000310000-0x00000000007CA000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2356-3-0x0000000000310000-0x00000000007CA000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2356-2-0x0000000000311000-0x000000000033F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/2356-1-0x00000000771D4000-0x00000000771D6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3380-3313-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-609-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3327-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3325-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-456-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-17-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3323-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3318-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3316-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-495-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-2224-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3306-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-60-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-20-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3303-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-42-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-19-0x0000000000A91000-0x0000000000ABF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/3380-22-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-39-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-3329-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3380-21-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3496-57-0x00000000003B0000-0x0000000000A43000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/3496-59-0x00000000003B0000-0x0000000000A43000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/4844-38-0x0000000000040000-0x00000000004C6000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4844-40-0x0000000000041000-0x0000000000069000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/4844-41-0x0000000000040000-0x00000000004C6000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4844-80-0x0000000000040000-0x00000000004C6000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4964-2273-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4964-2223-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5216-3335-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3317-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3305-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-500-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3309-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-501-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-1237-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3326-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3315-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3090-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3319-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3328-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-483-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5216-3324-0x0000000000690000-0x000000000121E000-memory.dmp

                  Filesize

                  11.6MB

                  Download

                • memory/5324-3322-0x0000000000A90000-0x0000000000F4A000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5944-491-0x0000000000D40000-0x0000000000FFC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5944-451-0x0000000000D40000-0x0000000000FFC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5944-452-0x0000000000D40000-0x0000000000FFC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5944-394-0x0000000000D40000-0x0000000000FFC000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/5944-494-0x0000000000D40000-0x0000000000FFC000-memory.dmp

                  Filesize

                  2.7MB

                  Download