Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    73897c497394d9f83b016e6377594c5d

  • SHA1

    0243a0aa886487a7e9911aaf1ed5ddb28d983b71

  • SHA256

    8ef6cd5928d602f0011ba38eaada3c2a5a8e26930c9064400f81e7e182bc7aaa

  • SHA512

    e809ebb44765c671c703a61bb28e20f0383c8405a543b94ad88778e5c14682d57c5ffe866e690032b3b85cc500c4270be8452c5ac4a7b8ecca90440b9d4a736e

  • SSDEEP

    24576:VdnKzvhEbF6tPhl1QLNquQR+hxt4Hpqv8EWFz47ev/1JVWcvtYOwbHKpOBJ9pQQr:v+yF65hl1Mx+q8EWh1J/WbEOLgQnun

Score
10/10
amadeylummastealc9c9aa5marsdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Users\Admin\AppData\Local\Temp\1007464001\419d98f22d.exe
        "C:\Users\Admin\AppData\Local\Temp\1007464001\419d98f22d.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4920
      • C:\Users\Admin\AppData\Local\Temp\1007465001\d07f5aa000.exe
        "C:\Users\Admin\AppData\Local\Temp\1007465001\d07f5aa000.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2296
      • C:\Users\Admin\AppData\Local\Temp\1007466001\9a56971f5c.exe
        "C:\Users\Admin\AppData\Local\Temp\1007466001\9a56971f5c.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2572
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3012
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2904
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:448
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4472
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1408
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2376
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56ca9eaf-3b42-4562-a63c-e8759e39256f} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" gpu
              6⤵
                PID:2976
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1b7186c-791b-42ab-8dca-a6295ccf7f19} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" socket
                6⤵
                  PID:2284
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fb254ca-3914-47f0-ae62-732f0a7d7419} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab
                  6⤵
                    PID:2092
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e96baa4-ee8a-48fb-bd3b-9af87692e017} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab
                    6⤵
                      PID:1252
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4612 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4632 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53e61f19-e863-4490-ad20-71c1506499ba} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5444
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5300 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de7522a-c899-4fa0-943a-9ea864fbc1cf} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab
                      6⤵
                        PID:448
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5332 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e15dbc-0052-4695-9e4e-8490d608f413} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab
                        6⤵
                          PID:5112
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a59a9e3a-d206-4a7f-8b31-4085f6ab9b19} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab
                          6⤵
                            PID:4072
                    • C:\Users\Admin\AppData\Local\Temp\1007467001\64f70b82b9.exe
                      "C:\Users\Admin\AppData\Local\Temp\1007467001\64f70b82b9.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3724
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5812
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:6020

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  3b75e1d872100abb3660e2a9e12eb255

                  SHA1

                  44d8e3ed6921f82c1117967c53bbe2595f6341c4

                  SHA256

                  21992468b1bf273133d65e9ea22fa3052e55f559c6e1dd2bf99ff49cc793a633

                  SHA512

                  bf509a970b7bf25579226ff151e521a21f2ab9d659bc76ee300868080a7d20be6ea2ee86513ead344d6a6123d00a6d31e84506a95c0a27098e1d415447ee864f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007464001\419d98f22d.exe
                  Filesize

                  1.7MB

                  MD5

                  888242c19537f0f114634d771ce4a9cd

                  SHA1

                  e0e86e160c2c465c3c49b31cdfbbb67ecd5a9366

                  SHA256

                  0ddd13cd233f81153d8d558297ba09317867797db7d87e7758a51e4131e587d6

                  SHA512

                  08d552edae0404a8d25af25ac86cdce98d6e59a32d99fae4e0be5b8085e838aced0c1bd464fc5f6f4c41dc0c5160452d35760ebf0bf702eefcb0c6b7b5560199

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007465001\d07f5aa000.exe
                  Filesize

                  1.7MB

                  MD5

                  e218c3b8301592ed017608e81df8c33f

                  SHA1

                  1c953abe9acf0e759116d61c32d14c2b70cd65fd

                  SHA256

                  d5bf9e1a3af167866dd104e9aaa4db76b172101abd31a893adf503032ebd80b9

                  SHA512

                  173646bf3063c6185527e3acf2ad78d0fde734101226cb50004b943d6417a5d842fd381bacf78021ae7dbf8fe1537a1ed8edfc07cd82d5a2da778807b56d3891

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007466001\9a56971f5c.exe
                  Filesize

                  900KB

                  MD5

                  c202b9fb5ed13afd406eb71e5cdc8570

                  SHA1

                  24620f327145a676c230e8b7a7096f9736f353c4

                  SHA256

                  64fe0184720def98b06de5cdb4289dbe9357670a973028de21645ada7934e52e

                  SHA512

                  c6d9e48c16d6b505c06cae84e83bbd9ca185a67dbddacda19de38ff4e0db5d00b8f18e7876050a45255ec4feb1d9558c221204d26cd4d04e837584f0687be4f0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007467001\64f70b82b9.exe
                  Filesize

                  2.7MB

                  MD5

                  b1428cca95bff0b76ab62397d02df9e3

                  SHA1

                  a5b0ead9e190ce4f64c8ab23ecc412ef8dd7a52b

                  SHA256

                  329ec550d7912b296ae2936bb392f56d16ac2dcde22a9101a1332e119a164c99

                  SHA512

                  34b3391f0a24e42c908f2497031096ad7174f2d9e54d155b128bc1fff2922d2fb1f0688393a4a59f3087186eea19f8dc5576e9bc1e8c001ecc3eb888b805b0e5

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007468001\IObit.exe
                  Filesize

                  276B

                  MD5

                  480d39b72219dd9df2d8a550a984e63e

                  SHA1

                  088c7a3ace118aa32a97886a9d32209c6f73ed27

                  SHA256

                  5ee81713727d4717125bdbec2dbfb98bad90e9aa801308495b9ec0f0b9b47f39

                  SHA512

                  a78a8981b872495c88942f54a39648b494410109fd50b5d225af7b2c67395b8a4d10fd708a7f3c846bfd3963f608f1807a59d31a8e3f4c8ffc32f767b12e6ea0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  73897c497394d9f83b016e6377594c5d

                  SHA1

                  0243a0aa886487a7e9911aaf1ed5ddb28d983b71

                  SHA256

                  8ef6cd5928d602f0011ba38eaada3c2a5a8e26930c9064400f81e7e182bc7aaa

                  SHA512

                  e809ebb44765c671c703a61bb28e20f0383c8405a543b94ad88778e5c14682d57c5ffe866e690032b3b85cc500c4270be8452c5ac4a7b8ecca90440b9d4a736e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
                  Filesize

                  7KB

                  MD5

                  bf35575424d5dd678385b7fc925c0e5f

                  SHA1

                  25fbc34973dd6b606995df5d3bbaa382931e7a1c

                  SHA256

                  0016b68158b287bdf2a6e178729f8d1ff1d14d0f9e4c328244e185e2ac02f2fb

                  SHA512

                  4703010e21b906fd404c2db72369f606f5ca99ad57b37ee9617a00bb843b9b8497ece0cdc6c24551fd7ffe5556d7ae64669fb73eed25ce24cd58dfaead94ebda

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
                  Filesize

                  10KB

                  MD5

                  a55a2d91c4b19b7fc113ea3ebdba3e9c

                  SHA1

                  dfafe8f15db2d5291538d84c13e45c3e0ab63003

                  SHA256

                  179c2438165a752a27cbc060f706ea24501df2e33d9d497a80a4fe8d1fbcaff7

                  SHA512

                  ff6928f611ae7c3cc8b0b565e34e877f21c39a8c3cf4bc50593b6f729a0e6bc917bd380a3291e6a279eee02b9c4f67ff454d620537d0950f442fc900fcb95971

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  3111a2f975df039f2aa0bed6153e205d

                  SHA1

                  ccb4ca1ab1d8ce028670a339170ed9af72de89ab

                  SHA256

                  ee0faf3af28cb669f628127960bd99785c13882b1fa4012db016d01487476b89

                  SHA512

                  8810293b7aa3aa88b4bfe5744bb4e9c7de31fed8c48df95a6fbd5258c0d103e88320ad60a9bfe512584849a640ec874f649779f7fccf9e934f05c20d89c2fe40

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  fdfeb82c89287f1e12c33e775f747e6b

                  SHA1

                  dc4dfd056fda2be4aebcbd577dd70652c56145ec

                  SHA256

                  952fd7db492ff9a616090d5f1b67841e7fdce2e09f90d18a39ffdc4db33c22a9

                  SHA512

                  1997193173ebdec4dc3c58b3d33f040a2d70c150384bd330adfc44a3a00a43052f61ec5776ee1f8b860b4641d7f9f0c8f2f4ef6390df252e4fb56495e3293067

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  6c2fef0a770388f306d0cb8ccff0736a

                  SHA1

                  b367f4eb7e033180aab170c0f10442717da44811

                  SHA256

                  40b4b6c8ae98ee5b8c7f439be9ad5cf93b9da5b6e921d8d468d94b10cadc8db9

                  SHA512

                  31a9050f714f5b36f3e5c2a85e853995a520e52b9576d0c2a5a4ca16590b2f9a5e4840017d5d8a693a74dada42a992361693811ebf87cd94a968eeae4996afb2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  ad33c1c1091831254414e8bf3f02653d

                  SHA1

                  3c3c212b77448d294f63e65c19173e647be216df

                  SHA256

                  404e33f828a9b0a5b2cd939e0adb78120a0ba8a033b33b9522790e00d09a75cc

                  SHA512

                  66c3ca383c25691706158e1511bea7895187dce69966cadd84887e91b4011656c96330e0684b049acc2853d1c8b6e93d16a69b20325b2326c1c1ef5d6c45859b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  e033a152cc938654eeaaa019d89798a5

                  SHA1

                  93ad44ce0c43f48d58ccd9161353ae7b4e108e7e

                  SHA256

                  ebbeeb17f83cba12e6e83400f49ca0e99e1013959d554cc3757e8f476e717deb

                  SHA512

                  1c9bc32c2a301a3c4236773d943715d6a96fa66e961275a25dbc479b4945fb20aaf334b33f0702bf867d84c611c537fa0eb037e32ac8cd903f8cc6a968faa36b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  53fec06a1f615d60fac88f53b1942485

                  SHA1

                  58cea9300ae77a4390663a5667d52f5fbe0325ad

                  SHA256

                  a6b8e3314933a98e19482b892d10f85c99302b1cca9ff0f5a9d6e78e3fa90bb7

                  SHA512

                  6fc8c12b58e3c365a286c59cc94f28ec96336a0f2cb6ebc06cf55b74ff9fb90b8e054490493ed13ef7f10bbaba612ea2ee6ace1b173883e979264fec5e9263fd

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\93cf2ec8-7807-4627-b85a-602217c0ec23
                  Filesize

                  982B

                  MD5

                  4b4781048b480671aa5a0476f6c3dc4e

                  SHA1

                  f0c599bc4cdac7c3cfd730d7262a2db063165df0

                  SHA256

                  692b927f15579c9ea47a01350a92afbcd5f798ed719139e7553b229c2f2169cf

                  SHA512

                  7c702caa698a02e5d9f05849e96d39a0cc4fa6a10a10fd8c0d9bffc6a7b2bc7a175d85661efc2b1f3d9e1dbb3d744ce47c0f89dfec1c9319d87157d67b51e15a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\ba3182f9-32eb-49f6-a5dd-f9240098e91b
                  Filesize

                  25KB

                  MD5

                  e018d13365fab18c9745011c6e4d968c

                  SHA1

                  b54047aff8c1dea042c71a263430af56b14bb6f2

                  SHA256

                  1f5c5d447eabf9f8865bea23b660c3f919c0ce6ffcd73f8fd1519b65bbdd505c

                  SHA512

                  7940c6092361e5530df88a42df6481e79dea217ff115120db754012b4d303ae94630193b975793905ee7e8c1f91eb86d0e6f6b04e68c9b134d958a8b8420b65f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\f807ec1d-7c4b-4ba2-8d53-17fac219e31d
                  Filesize

                  671B

                  MD5

                  8c81c18b77a5418f8fe9c681e137c254

                  SHA1

                  66bcf68269232a2d65fe77d41f17b55bb9b04e3a

                  SHA256

                  ee6fed6740bf6d702b4c92cda2a97331127f7fbb57ea8763665d97a5ef3d5b90

                  SHA512

                  abec96f28e81d3180b2266160062e5fe8e4edff9474ebf2b4a5909be56a091d467070c28bab7fb4c23130afcdbb71aa32848e1c83f85899fab7ef263ceff6f61

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  a1e59c8e47956b3f5d80d1e934d3d7f9

                  SHA1

                  dad5894b5998541c50a111fad3e12ccdf4aca3dc

                  SHA256

                  324f489c8ff7e81e78aa7390b64e6df211d0cd9bd3dc18f93e3e979a2db81fdd

                  SHA512

                  7ac6723158594454f60159837e0022376367a2d922aec3200ec3ac4602467d64f25ccea147a0b5e00a719640325067755d09f3f776d2193ca3d0467cc2d7b185

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                  Filesize

                  10KB

                  MD5

                  55995db9edd5b8757584eafc5db7ccc7

                  SHA1

                  22e3da762d0f8f4406320a88ee072e650d5bb258

                  SHA256

                  34298fb479e5cebe3244c579b5e6ca165217453ae53f987de3fcd11fd7c6b1b8

                  SHA512

                  0b35919266565b1b4bc1ebededa918ea9f015f3ddbdc8d1e3dc19b837a7cd516a2207497a240f16c2791ad3ab2cb29a6cd7bc46da3c95b223e105efa411d22b9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  f621fe8c6f32fc75a00ed9b4a0b2d8b2

                  SHA1

                  abd0e8e854761ad491dd0001774e0d2dc8dc5937

                  SHA256

                  a5077c0b73bacc1527c189abdb52195533c8b8b2ac8eb139185090092ba92544

                  SHA512

                  2f8b368c610681969276fc87612b9784e4ebd1d11e5fb0ab01a4cf0eed0d7d90dae8e1dff0c35c57900a029c90a005b844e19478aaf064a1e84b632d4dbb0c6b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  4768402d508c2a735aa1eed1c3223ceb

                  SHA1

                  885635dd415b3bf7ca8549b035264a24e6dba88b

                  SHA256

                  16a812dd3337a171a58332bcf6cb93e8ed2cd853bedbfbca30f1471a9a1c011e

                  SHA512

                  c10ad4d84e2d15582c9ba5b1df97e79a200cf8fb25e5d7ea36ed7c75232e83588e7123de646c970252b84d7b001268007a4d739c916399ebd8f32e069d46097c

                  Download Submit

                • memory/1004-1-0x0000000077B14000-0x0000000077B16000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1004-2-0x0000000000AE1000-0x0000000000B0F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1004-3-0x0000000000AE0000-0x0000000000FA6000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1004-4-0x0000000000AE0000-0x0000000000FA6000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1004-0-0x0000000000AE0000-0x0000000000FA6000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1004-18-0x0000000000AE0000-0x0000000000FA6000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/2296-58-0x0000000000380000-0x0000000000A1F000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2296-56-0x0000000000380000-0x0000000000A1F000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/3144-1929-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-57-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3155-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3149-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-495-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3148-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3147-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3146-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-20-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-19-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3142-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-39-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-615-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-17-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-55-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-413-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3140-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3134-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3144-3112-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/3724-110-0x0000000000570000-0x0000000000826000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3724-106-0x0000000000570000-0x0000000000826000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3724-101-0x0000000000570000-0x0000000000826000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3724-488-0x0000000000570000-0x0000000000826000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3724-485-0x0000000000570000-0x0000000000826000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4920-59-0x0000000000960000-0x0000000000DF4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4920-38-0x0000000000960000-0x0000000000DF4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4920-36-0x0000000000960000-0x0000000000DF4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4920-37-0x0000000000960000-0x0000000000DF4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/5812-497-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/6020-3144-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/6020-3145-0x0000000000A60000-0x0000000000F26000-memory.dmp

                  Filesize

                  4.8MB

                  Download