Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 21:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    6232a1aa692fe2b9f3f8e67d35c7dab7

  • SHA1

    87dc7bd254cac48669668a1833c10b8aab3775be

  • SHA256

    a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f

  • SHA512

    c29f2e3b76fe7c2ef81370990b02ee978b81f8ceebb191cc218672184ad7fd5046d8088bcc954f62b05f72255ce15d89c909c99ca3d2ab6d097725d13736300a

  • SSDEEP

    49152:P2VKHlPtXQxOpYkv5bhxX84iAMEoatUvyuCy9CIwD:P2mtg4+kvBNKzatUquL9CV

Score
10/10
amadeystealc9c9aa5marsdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Users\Admin\AppData\Local\Temp\1007496001\1d7889ff43.exe
        "C:\Users\Admin\AppData\Local\Temp\1007496001\1d7889ff43.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4480
      • C:\Users\Admin\AppData\Local\Temp\1007497001\a58e084ac2.exe
        "C:\Users\Admin\AppData\Local\Temp\1007497001\a58e084ac2.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4920
      • C:\Users\Admin\AppData\Local\Temp\1007498001\bc86c706e2.exe
        "C:\Users\Admin\AppData\Local\Temp\1007498001\bc86c706e2.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1936
      • C:\Users\Admin\AppData\Local\Temp\1007499001\4de317d0f9.exe
        "C:\Users\Admin\AppData\Local\Temp\1007499001\4de317d0f9.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1216
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1616
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3988
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4476
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:4028
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3460
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76ab04fb-b51b-4377-b55f-c6716a1447f6} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" gpu
              6⤵
                PID:768
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3ee9135-7dbf-4a63-af73-5cc8ba0d35d6} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" socket
                6⤵
                  PID:3172
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 1560 -prefMapHandle 3336 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0827326c-eb66-4893-af00-e4e68a1afc80} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" tab
                  6⤵
                    PID:416
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68dfe7b1-1d0f-40e3-a990-51a810c7b6d7} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" tab
                    6⤵
                      PID:4420
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4968 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {619e5135-a8b4-4cec-9d23-4f62914d8879} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5360
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5332 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bf75e83-cd3a-477c-b2b8-3704485a508d} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" tab
                      6⤵
                        PID:6096
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5552 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {920e394e-a96d-49e1-9ac3-786e6834c724} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" tab
                        6⤵
                          PID:6108
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5764 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a6c838e-eb2a-4d8d-b575-af2d8e900604} 3460 "\\.\pipe\gecko-crash-server-pipe.3460" tab
                          6⤵
                            PID:1968
                    • C:\Users\Admin\AppData\Local\Temp\1007500001\97e5d0cadd.exe
                      "C:\Users\Admin\AppData\Local\Temp\1007500001\97e5d0cadd.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3956
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5020
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5860

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  506e6368d639c38ca5c663a6a7be3e3e

                  SHA1

                  96e9c66afda0b0ced703628cc034e3fb6dbdee67

                  SHA256

                  e44e9c62e3880a526303dadd421230edaace14a1ff3c2ce3b507ecd0606234af

                  SHA512

                  e724c70601f753cc593c8122e849e2580fe3701aab4729efe064c049aaad7cab4e05c515a09ca0e9c85172735fa524dff56acc8d6cc6b4aa4258ea320a99567e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007496001\1d7889ff43.exe
                  Filesize

                  4.2MB

                  MD5

                  abf203dd0126ad56347d05e2c0f48322

                  SHA1

                  b6efee54668e99435319d65f634459eb561c1491

                  SHA256

                  987b2a963feaca33452ac5dda999e1447f2732014c71c3bc3f5ced7d3227886a

                  SHA512

                  9c0f42d430a1df1b6b87cb3414dc0ac72524958b4cb4c080bac083ffef4948c011d26c20291ae2e5e46b1dbd20eb325e8657c067fffc9094ff5c0adf12a4e4e1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007497001\a58e084ac2.exe
                  Filesize

                  1.8MB

                  MD5

                  39056519241048010fba1480bf5d5cd3

                  SHA1

                  f0283822716b9eedabcda608ed38bc5b0991b383

                  SHA256

                  b81816637b651ac1f6790a8ae19cbf952951a656df586960a4227e568901d55d

                  SHA512

                  d2b6d09560f28ca9ad1e5f04b175c769264058db53e1ef1f7a8909bb0374ad00bd4629e97ef1c3fa25b5d2728951afb0fa2f50a85527037e4f37b77457b2ad0b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007498001\bc86c706e2.exe
                  Filesize

                  1.7MB

                  MD5

                  b3cec29dfcc248bc4f4f33ff5ba14470

                  SHA1

                  389dc1f719b34841eaa55c8e81ce0f773fea3acf

                  SHA256

                  841e3ab686e632551e2229d68366490832987ab47d308c54f6817f3e13a5ff52

                  SHA512

                  85803678ee823025990a8377b0b51335be58365bc1fcabff37e4ed1330b93438bbbb94e40908f3ccaea4631ba5d155d0391198ee3639630bd981cfedfdc5828a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007499001\4de317d0f9.exe
                  Filesize

                  901KB

                  MD5

                  8952118cbd8aac309af40b7ba020ac8e

                  SHA1

                  9eb96e51892c77f644997905d5a7b680558e0aa0

                  SHA256

                  f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a

                  SHA512

                  4199640d12798c108f09d9007f29fd2f4f5a075986b5e257c5629dde340717d0199a92601262c020a55e6ab370c8f26e88c35d5a547fc02818244590502926c8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1007500001\97e5d0cadd.exe
                  Filesize

                  2.6MB

                  MD5

                  333b260426a661dcadd5c016ab149ecb

                  SHA1

                  0f87cec4227cf24cdea86a82b632d45488875e77

                  SHA256

                  afcc403016c3fbbb10e732010bbc93854c1e1be63df48c91901acd7e05aa0e2c

                  SHA512

                  9e53484a98183723e63359ea714dea7b48d0ef43ae26a426fb0889dc1320b3b57f3876546ed4c49284cc79ab52f0b240954eb16b8be3ca392570d7010872b458

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  6232a1aa692fe2b9f3f8e67d35c7dab7

                  SHA1

                  87dc7bd254cac48669668a1833c10b8aab3775be

                  SHA256

                  a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f

                  SHA512

                  c29f2e3b76fe7c2ef81370990b02ee978b81f8ceebb191cc218672184ad7fd5046d8088bcc954f62b05f72255ce15d89c909c99ca3d2ab6d097725d13736300a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  cac116e849e24bc1418c42715d7ac100

                  SHA1

                  c42d635a90b4e5bb0cd05c5122894c0a6c2f6472

                  SHA256

                  f5f7b459b17fb1f50b47bb6722bd3ce7f200ac2599b9610e18f5ead65f9fc054

                  SHA512

                  417f91f0dec1490d95031957127addf84c25e950d8b085808d16cfa969a53d50b0800237f70afd0b867f83034ec9db97422b98e6b10f7fc43ec3ab5d2bb83b84

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
                  Filesize

                  7KB

                  MD5

                  0c3d625acc6da00858d19230d7fe33c4

                  SHA1

                  dde0519141adc9a3a8c8fa146d2b9eeccb31496e

                  SHA256

                  da1d60edf0f7a8cfd604da4bcc3f1ee9bfb2ec96cafb7c63388b5d1c0b68a8b1

                  SHA512

                  b5c66820d0e6c44a57afcd6e904d78ab937d33e8d8d22863bc8c56a61786a08011095ed2ddd7d41b10e99b84e29197b859647c578b5f294187a757bcc975d63f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  3KB

                  MD5

                  68da3d1c7f66790f238d53d68aaa7a81

                  SHA1

                  7c542b5f409d238ec5e946d23acd3f30b64ce3f8

                  SHA256

                  16369ab8f8f2ea9cfe80f7f9bca81f0267528bee7a155cda98b3ec56cfd45995

                  SHA512

                  e11b48832d1171629af7956de5fa248c5c05d99e21300ff5e5566012c32409c2b540b174cb82791a1ea923254adcbe5dcb5f66346bbd7b5b9a75861a8c3583ea

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  d100ab412f94fd834909af7935fd0129

                  SHA1

                  dad9b3022ef738ff5b001b8b60ca9c2d216cbbb1

                  SHA256

                  3da08a944e8e05bb28e48c7830cb51aba2237254fd48606502e3031c5770d41e

                  SHA512

                  f4bd16d75738e1c9753a2bba5820710679f008637568a6655a6f6e7f4d9bca8961fbecdd801f7c581bd508ed1973d7725a82991b445365571e94bc433b2115ed

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  14KB

                  MD5

                  9c0bad8d1c45c71a7abc8ece6f3378ab

                  SHA1

                  702c09909c193d161f83718cf1b5fbe6e88ccfb6

                  SHA256

                  04f3183c75081b51f4e8bbd215eca1bf344955e6a658a8562afe378f6a65e51f

                  SHA512

                  88362a2f4e9df95e1a8452987fb531d6fb96e7cee88c8dfab4047504b6b4a8d5a0324cc320543a2a6d4ea1e6274e64a0032a76e265da74aacd10867b0cd22e40

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  14KB

                  MD5

                  c9bb3d003835cbf7f19f00ce29ddb2c1

                  SHA1

                  ca5cffb5b6711161e52e5119bc58edd9627a1843

                  SHA256

                  b4e8f7fede7fa34d00dd22de75c94c45c2a2cb4c6584e528f77b3f0fb11ccd6a

                  SHA512

                  b4ad5307e3d86544e6dcd92f10e06f15a2dba684060ef90a08f4fcd4366efbf9463bb1ebdf9c1d0e80cbde97ffea2d9a421cf7ed0d0b8dce5d7912d0fe1c2ec8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\a846a7ea-fd67-4e55-933f-1b2369d5c30b
                  Filesize

                  25KB

                  MD5

                  820bd42e6382a6d09e3d1184414e48f6

                  SHA1

                  acc8b1edf14923bae50809ffa22000c3cb10a101

                  SHA256

                  90631c071061fe8aa028663f883c7f753000dd228944e8b25df8efca748244ea

                  SHA512

                  6c62d3fb72703139a500c0f536a40dc2ec291ddd83e826260fdc3e5c1af93f85a858e1d89e1f6c71fcbe2feeb555af75d6529ed66c2bf0a29d86c0ffa9acb7e1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\a95015bc-3ff0-41d8-86a6-2a10c038b4da
                  Filesize

                  982B

                  MD5

                  8089a82fb39d420ab410e383a99786d8

                  SHA1

                  b22f78e864f0fa56c0bc74992d75c36e1242c6cb

                  SHA256

                  538ba27658cb56a211b7693c2d0b0737a9b01ce57ffa2693cb89a89c7c214dab

                  SHA512

                  09ac63d21030c4274fe164f983e99d2bd42fcd84aeb7758355518131676f92227a7874d746aa31b283c895b175b2913a4fab1be864de4df9ec6d54650136d8ad

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\e705ca02-177e-41c8-a60c-e379bd469127
                  Filesize

                  671B

                  MD5

                  5ec16b9c035a204b8f639a827bc84808

                  SHA1

                  acfebe4687e1949ada3e38bca1aef36537a09e08

                  SHA256

                  0b60591242bcc4a043119e50f8b0ab11ce61330879b0f745f423added8b3c21d

                  SHA512

                  1602d94299e9aea5a5dfb9a5725dca2c61a91a0a1315d4138d0ed6eb4cab78b6ebbc25db4d3a920d0994f0d99d5b968686c29786aaa4c9cbe81f6525af0bb484

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  13KB

                  MD5

                  f11cb6d1db2f663376f412006a817b62

                  SHA1

                  d646d7291bc14e07c54da4a1447962a1dd2e4536

                  SHA256

                  b4a09b161b9d4faf2bd64e4c3002062e458a4072e6cbf72595267c366d6200bc

                  SHA512

                  638652995dc84e0131fcbf7c532945fd9b85c5c5c7df7cb8dd76e5be2f3e2e760ed55813429e3410d07baa0e7fcd74cc23417d8aa6addb2d4ce3e3aa11454901

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  11KB

                  MD5

                  83740cc01e3fa33cf853703693030764

                  SHA1

                  a930097101ef951514f9b6dd34dd33dd4a9f195d

                  SHA256

                  d5517c24a08edf0d17bae8c9851274b1fe62d4a4c3a0f09adde19c7f23d554f5

                  SHA512

                  6d8ed8c806070a293eecb96d9146f77530853961701b16b1562c66879fe632ae50e1b84b2024414bafbb0813e383f09ac3099fbbef324bff7b95e4476e671b03

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  10KB

                  MD5

                  622229e1254d0d9012cf76efd06d31b8

                  SHA1

                  aa6df5836d429c2848bddf972ec1fa0b63b8e343

                  SHA256

                  6c9ec723ac4f944475202a34e5fa3fe5f0d522f6e604b2f3c04386e6b7604369

                  SHA512

                  37ab1c36a4da08a2f6802590716849607b8e0bdf8e949943f00647fd5854b748bed4b4f6a9fc8f6f4c392c8943555f3beffe0ae30525f1827fdc03e80d81a1db

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  1.5MB

                  MD5

                  dbb74a3ce6ee6e567e65262567d2f23c

                  SHA1

                  ed3b9d76f65c955f056fe1628caca6f98201ac54

                  SHA256

                  8554b5a7025b33d1e6e47e05c650b69b1eb80c8e61dbbf98dc3ce9a45cf43e82

                  SHA512

                  0eb52298f411975b3f09934dcc437e9cd0a100a9bfed645bbe57c2c7c1c41da513f560d1901a15055a6caa9cb09938d96fef2078f1735df0c3672340e1c6fd9d

                  Download Submit

                • memory/1936-75-0x0000000000610000-0x0000000000C9F000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1936-80-0x0000000000610000-0x0000000000C9F000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2384-439-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-40-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-2822-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-2819-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-2586-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-1740-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-43-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-1455-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-42-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-1267-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-1106-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-16-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-491-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-839-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-100-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-38-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-22-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-21-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-19-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-948-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-574-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2384-20-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3956-1078-0x0000000000BA0000-0x0000000000E4E000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3956-947-0x0000000000BA0000-0x0000000000E4E000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3956-1097-0x0000000000BA0000-0x0000000000E4E000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3956-946-0x0000000000BA0000-0x0000000000E4E000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3956-944-0x0000000000BA0000-0x0000000000E4E000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4480-1076-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-405-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-81-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-78-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-934-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-1480-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-819-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-1441-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-41-0x0000000000D81000-0x0000000000FF9000-memory.dmp

                  Filesize

                  2.5MB

                  Download

                • memory/4480-550-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-39-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-490-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4480-1246-0x0000000000D80000-0x00000000019D5000-memory.dmp

                  Filesize

                  12.3MB

                  Download

                • memory/4892-0-0x0000000000F90000-0x000000000144E000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4892-18-0x0000000000F90000-0x000000000144E000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4892-4-0x0000000000F90000-0x000000000144E000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4892-3-0x0000000000F90000-0x000000000144E000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4892-1-0x00000000772E4000-0x00000000772E6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4892-2-0x0000000000F91000-0x0000000000FBF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4920-59-0x0000000000F80000-0x000000000142F000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4920-77-0x0000000000F80000-0x000000000142F000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5020-558-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5860-1731-0x0000000000B30000-0x0000000000FEE000-memory.dmp

                  Filesize

                  4.7MB

                  Download