Overview

overview

10

Static

static

3

aae98807cb...0N.exe

windows7-x64

10

aae98807cb...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aae98807cbaacb1701fdf60dd28193633eaa0778cac14b2e36975128a419ac70N.exe

  • Size

    3.1MB

  • MD5

    3d87bbf35822dd96b85709f6d0983a60

  • SHA1

    7a47d58b8712a991c28985d4e4ec4e0bb34f8a34

  • SHA256

    aae98807cbaacb1701fdf60dd28193633eaa0778cac14b2e36975128a419ac70

  • SHA512

    f691b7c3f89dc30f69c89029ffdac0244b0623aec225e1b0e68b4070216fac4f7bb0654c47f575159c83fc3acaaca7dce2ac8668cf6af641a7044a9b6ffb8362

  • SSDEEP

    49152:4qzVZzHLrKS767ZXYQBYtJXuCFHtpnKqn9WbKJEWcJYgSE/49:42DLrKSslYQYXueHHnJoKJEW2Yg349

Score
10/10
amadeystealc9c9aa5marsdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\aae98807cbaacb1701fdf60dd28193633eaa0778cac14b2e36975128a419ac70N.exe
    "C:\Users\Admin\AppData\Local\Temp\aae98807cbaacb1701fdf60dd28193633eaa0778cac14b2e36975128a419ac70N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Users\Admin\AppData\Local\Temp\1008265001\english.exe
        "C:\Users\Admin\AppData\Local\Temp\1008265001\english.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4280
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3984
      • C:\Users\Admin\AppData\Local\Temp\1008266001\14b2e56854.exe
        "C:\Users\Admin\AppData\Local\Temp\1008266001\14b2e56854.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3704
      • C:\Users\Admin\AppData\Local\Temp\1008267001\370694329b.exe
        "C:\Users\Admin\AppData\Local\Temp\1008267001\370694329b.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3036
      • C:\Users\Admin\AppData\Local\Temp\1008268001\dcf2cbd396.exe
        "C:\Users\Admin\AppData\Local\Temp\1008268001\dcf2cbd396.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4428
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2032
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1008
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3984
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1540
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3228
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4508
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8701949-c63b-42de-a98c-082ea8ff8af9} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" gpu
              6⤵
                PID:4088
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1acfb829-f41e-4ef8-bd2b-7635d9ea6088} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" socket
                6⤵
                  PID:876
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3244 -childID 1 -isForBrowser -prefsHandle 3268 -prefMapHandle 3276 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {597076c0-6b83-4688-8185-dfcc8a70ee4f} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab
                  6⤵
                    PID:1768
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3140 -childID 2 -isForBrowser -prefsHandle 3788 -prefMapHandle 3296 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50d35764-3f41-450d-8501-2210d1fa4622} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab
                    6⤵
                      PID:2184
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4448 -prefMapHandle 4460 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c29a617-8b33-40da-bf74-b05070914ff8} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5248
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b03916b-06e5-4955-8852-594fa629455e} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab
                      6⤵
                        PID:4748
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e265ecd3-babb-4fd8-9ef4-64ab1b461a06} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab
                        6⤵
                          PID:4816
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5864 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ebb866d-061a-406f-9aa8-75b27ce36f3e} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" tab
                          6⤵
                            PID:800
                    • C:\Users\Admin\AppData\Local\Temp\1008269001\8d91fa4c1c.exe
                      "C:\Users\Admin\AppData\Local\Temp\1008269001\8d91fa4c1c.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1740
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5556
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2700

                Network

                MITRE ATT&CK Enterprise v15

                Reconnaissance

                Resource Development

                Initial Access

                Execution

                Persistence

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Privilege Escalation

                Boot or Logon Autostart Execution

                1
                T1547

                Registry Run Keys / Startup Folder

                1
                T1547.001

                Create or Modify System Process

                1
                T1543

                Windows Service

                1
                T1543.003

                Defense Evasion

                Impair Defenses

                2
                T1562

                Disable or Modify Tools

                2
                T1562.001

                Modify Registry

                3
                T1112

                Virtualization/Sandbox Evasion

                2
                T1497

                Credential Access

                Discovery

                Query Registry

                6
                T1012

                System Information Discovery

                4
                T1082

                System Location Discovery

                1
                T1614

                System Language Discovery

                1
                T1614.001

                Virtualization/Sandbox Evasion

                2
                T1497

                Lateral Movement

                Collection

                Command and Control

                Web Service

                1
                T1102

                Exfiltration

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  22KB

                  MD5

                  99243e111d609a32bf26fe1ca17136e4

                  SHA1

                  7050be0969ae42bfea1cd7c81c2b5251ac861e0a

                  SHA256

                  9d7e91b8366346ebe237655889e84b7e0bf999738bec94cab2c65fda7c44eb8c

                  SHA512

                  307306685e489e91833fd0b10a5013b76f764185ea41c67b34ddaee99dd59ffb694206a3412929b9882c4a4f58e17de4c505a7b64d60591274680e8092c5c278

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  4963c249c79715b220f5aabfb81192b6

                  SHA1

                  c3e135a978b937a2cb702962826f482af99cac5d

                  SHA256

                  e1bccc0cc46caab4999cb5131bb94a7192c7f785abb9f84d7f7494f0c0b369e9

                  SHA512

                  9f30ccec8e392a90e638acb3cf420501fa00356557a99fd5ee71afe8066a93c48fec6fcb15fd07316e14905bcf7d5a60276e05ceedb7ef6cfc54202a4b504cf7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008265001\english.exe
                  Filesize

                  1.6MB

                  MD5

                  5b771156f4181dded577deda8ce0f7d6

                  SHA1

                  7a3f0f13b3b56695d61da920ab33f91ad642adb0

                  SHA256

                  8ce6aac17b66d2d4b1e4b276f434cf253874a37dcbc941bd4f1b65f4e8e71380

                  SHA512

                  dc35f4f6429e19b77725e13847d81a47d0c502f832590b923c4e12d8d6ec84d4460f1593ec5d68fedb4be7f1580dcebcda00451e10a19c1b9746fa04697981c4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008266001\14b2e56854.exe
                  Filesize

                  1.8MB

                  MD5

                  562e5cefe1ac014e3616e7894db697f5

                  SHA1

                  dbb423b792caf6c8a729ea3c32795c9f9e353565

                  SHA256

                  8b182c445259e79c5e007446bbf64ab21542e2388bfd332cc448538ce87c1dba

                  SHA512

                  59c38beafd2d46ea0eca55110259de32d0b7f060382fec33ce37a9a909b56e98aaea1974ae65426f7a755cdce31a6881dada0283eba6ee3b88e28c6510891cd1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008267001\370694329b.exe
                  Filesize

                  1.7MB

                  MD5

                  95971c759ebca3d179ab9305188360cf

                  SHA1

                  8bfac4ee7175aa24dfa9e308840f4245efc0c3f9

                  SHA256

                  82c9c6fb94030e3955091fc37523491c98325ed84adf8a3116c3ab79efddb4ac

                  SHA512

                  da6669201c845626183cf6abb4f4b40c91f44bbac1115e856903317ee3febb62cf340acd77b27a1dbab0e9d6c74108b3ef0304728d6e46056cacd4a0da2c6dd6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008268001\dcf2cbd396.exe
                  Filesize

                  901KB

                  MD5

                  74e2b65a6c1445d5334d0deaf507bb4c

                  SHA1

                  93da4d948f8c58bd5bca27875f677073cb47c7b8

                  SHA256

                  40e380c877e6355706dfb50afecf1d8511cfaacbe678c285d68335dcc6077959

                  SHA512

                  49f56ffefa10988b96f53810cb254046a1823e01dd77947d92a34b5a3301a6b0252977ee0872b73ceff7b2456d135d3d1a5420d7bc54f3fc20fe7e6fb2bae21a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1008269001\8d91fa4c1c.exe
                  Filesize

                  2.6MB

                  MD5

                  ede66b0875e4ae1536abe9555bc53a2e

                  SHA1

                  8b386c0e8e0340d1e3e87325c917127612e32859

                  SHA256

                  974c7c3487a5eaaaab071889869129e5ae696d98e518bbc59db151f479c6d62c

                  SHA512

                  73bae215bc7f34f4f58bf5b8e96aa6b07d20ea54809de9285a2462cdcca5abe1215dcda2afc3c1c481475d3f0f89b3e268ca8ec6c04e65080b986b18f686dad8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  3.1MB

                  MD5

                  3d87bbf35822dd96b85709f6d0983a60

                  SHA1

                  7a47d58b8712a991c28985d4e4ec4e0bb34f8a34

                  SHA256

                  aae98807cbaacb1701fdf60dd28193633eaa0778cac14b2e36975128a419ac70

                  SHA512

                  f691b7c3f89dc30f69c89029ffdac0244b0623aec225e1b0e68b4070216fac4f7bb0654c47f575159c83fc3acaaca7dce2ac8668cf6af641a7044a9b6ffb8362

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  dcc9969c2de693b63641c061dec48516

                  SHA1

                  bdf7b8824f3c771f692676c086bc7e8b4cddeae8

                  SHA256

                  1563b7c243e2d5179f7ea73ddf86b8d6fc13e152fe0720c5b9f46322c67ba33f

                  SHA512

                  82faf9210a13bf7a94ed8e23f4caf9aa6dd4ef9d16d9eceddca0f06163a8b8852aa24be211035966c4670043961195cb3d112fe992bad66d350038868dcd9cbb

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  501b247d140fb8ee8016f3af160b7287

                  SHA1

                  206bbe424da70d05ebcb4ceda831833458f2a14a

                  SHA256

                  7b2a708371544a0e2a040ed72e431b4661243c1865d9fe20c41f2cf34cd10132

                  SHA512

                  80df506ac981d44bb86ce412ddb2a043cce281bcb0a7127da9409a92fbe0612035d8494a0e5175992c58d36d4d446b73a2c21d9db5c66e955c4dd166438b27f2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  6ed4bd9d149c2711001d1041365419c9

                  SHA1

                  8b1d0c6ee4e3bb81446ac9cebd6124e671b7ec8d

                  SHA256

                  49bf13b2c7933f30415b246b4c99a214014cb5a11582366eeafb99df27616d70

                  SHA512

                  30d8e9d50cb216b340e3373dbe23d1204fe6f8fe38e9da3d5434576edea462c05832d093ebfed0d083ab868ab7a44a03325880e5d18e67b53a90cc7e6799070f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  97b4a6d8dd0704f6155a4a47c12449cc

                  SHA1

                  a157a2b48066f7a14f630d0c7529284888132762

                  SHA256

                  f5bfab1fdd5b8d18444987790514c6c3457c49851851cff7f5d16c7a6226597d

                  SHA512

                  9b3f823590720c72066d29b43d1ffcc8afd7dd623b45703e04c63d45effefd430a3eb050072793131885b0e7820b999ad73bc844e59bd84555cbb8ad86bc6909

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\2c3db4ae-0592-4455-889e-e47b63493e3e
                  Filesize

                  25KB

                  MD5

                  539eceedc77bb2db5a900e164073433b

                  SHA1

                  7db4d53510ea44a45809cf548d2b40ea0548d972

                  SHA256

                  ab4d8b3dd1223b64a746925430e7f93f55364b0f94710446f59af0662a67b43b

                  SHA512

                  6ebcdf7422139595fcc6f11982be36ffeecfd068984d5177d252d851f205841a69f711cfa65c1d4abc3f3d6eeca1b6de67bad70ffe6fbb7207dd42bd70221732

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\8bd24ec7-22e7-4cd1-9747-5775f74f850b
                  Filesize

                  982B

                  MD5

                  f1eb33f31f02ae3a0365574964452ad6

                  SHA1

                  bb03225fe1574e67603041abe18cf55e6ff4a583

                  SHA256

                  11d1c88259ba3b800ffe00817a2a1be424f77c779172abce7f644ac6cff0936c

                  SHA512

                  2e5b925133e91e67ac5f70ff04b206f9956f7ff47d340761ac7949227e768c11597f3aebcc1302c9362498ccc2d21799948acff1d082c34b99d4ff06ec1e0589

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\8c002741-8ae9-4c3e-97b3-2ba7e6eb8419
                  Filesize

                  671B

                  MD5

                  d15d8b3decdf590de29843d60958ffb7

                  SHA1

                  5a23fb60ba444afbaabd5450699b1d62d4a3fe3f

                  SHA256

                  94c1fe51bffb049e0a2796edbfc645ec5abba1a8f01415b9d233a670cb0b93a3

                  SHA512

                  11c18b0041a3ee6d9661a6dc3e4741b563c034780cfd641fe46337d02ada4813d467b2c4ed723c8ec7378e4c07fcf9ee6aa89f85413063f0f050b698d58c874c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  867957a53baa142b6fe914e848f6fd4b

                  SHA1

                  db842e1aa63db5af1d9b2aaa06783ce9a7936454

                  SHA256

                  f9f505300dfc6d795f5642ad5c81d579be869da01d96ca770a5101203a8fb0fa

                  SHA512

                  b72945020f48a6b16e5d7cffb9f29d08a25dd715a2b22b906b99bc017e3ce959180a81512aac105ab6e338f994953d047e90d4d0c5c2266483803e4a77f1a26d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  e37907479f849bb3fc0c27b4d0735733

                  SHA1

                  5aace967511a312a01ec53593cb5701a7d4d5c78

                  SHA256

                  4f2c0402450b7213c671ea51c9f5856fae7cae32e71820b78b9dfa3e54ee1bbb

                  SHA512

                  70cbf0f0fc2af94b72624e23b3dfbaac4ee32a1d3fdd03cd29f409b0f37f251628a0ffa00678c34f4ebb2c4d6e805fc3be04477b2625f92eb87c6b722bfc2ae2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  a4f487502aa2ce5f090649ecdd1f4c65

                  SHA1

                  99eb59811b67910b81fa5ca7ff5a2caa2864cfda

                  SHA256

                  376643ad70e26ec7b5b7b568e6c1df46a6aab01e60612f4fa6ae31602fbf3866

                  SHA512

                  90f80cdf8b60165fb39bb364a36caedb0c48da9366ad4e2398b6fbfb3fa34a54b9a07e3363327decea2646dc4f8ac4dc747d678362ccd56741c0f6f503ce9775

                  Download Submit

                • memory/1740-517-0x0000000000860000-0x0000000000B10000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1740-504-0x0000000000860000-0x0000000000B10000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1740-352-0x0000000000860000-0x0000000000B10000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1740-353-0x0000000000860000-0x0000000000B10000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1740-139-0x0000000000860000-0x0000000000B10000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2672-113-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-3097-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-913-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-20-0x00000000003A1000-0x0000000000409000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2672-3098-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-57-0x00000000003A1000-0x0000000000409000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2672-19-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-2617-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-58-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-526-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-21-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-22-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-502-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-74-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-3086-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-53-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-73-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-3092-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2672-3094-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2700-3096-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/3036-92-0x0000000000E10000-0x00000000014A3000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/3036-93-0x0000000000E10000-0x00000000014A3000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/3704-75-0x00000000005D0000-0x0000000000A6B000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/3704-94-0x00000000005D0000-0x0000000000A6B000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/3984-522-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/3984-520-0x0000000000400000-0x000000000045A000-memory.dmp

                  Filesize

                  360KB

                  Download

                • memory/4280-519-0x0000000005080000-0x00000000050A2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/4280-518-0x00000000053C0000-0x0000000005514000-memory.dmp

                  Filesize

                  1.3MB

                  Download

                • memory/4280-55-0x00000000005D0000-0x0000000000770000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/4280-56-0x00000000050B0000-0x000000000514C000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/4280-54-0x000000007343E000-0x000000007343F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4592-4-0x0000000000C10000-0x0000000000F2F000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/4592-1-0x0000000077BB4000-0x0000000077BB6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4592-2-0x0000000000C11000-0x0000000000C79000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/4592-3-0x0000000000C10000-0x0000000000F2F000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/4592-0-0x0000000000C10000-0x0000000000F2F000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/4592-16-0x0000000000C10000-0x0000000000F2F000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/4592-17-0x0000000000C11000-0x0000000000C79000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/5556-525-0x00000000003A0000-0x00000000006BF000-memory.dmp

                  Filesize

                  3.1MB

                  Download