Overview

overview

10

Static

static

3

ac5169df44...c8.exe

windows7-x64

10

ac5169df44...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac5169df44566536bc577609929c41a792dc173cab200a053392648915efe5c8.exe

  • Size

    1.8MB

  • MD5

    1d38050f2e929378eea7f8b59bb52b64

  • SHA1

    1e553a68a08aba0fe2b467279118046d657785e5

  • SHA256

    ac5169df44566536bc577609929c41a792dc173cab200a053392648915efe5c8

  • SHA512

    0a8830df3e63dddb5b8c27c51653680f64230d7ad69d5af791ee04f07a6a62f4a1dc3968129ce1b76fa55b2b391951302bdf08de2d211c0ad923226027daa8ca

  • SSDEEP

    49152:sFEIzJcXeStlKy4hsBrGDtECqFGSLSRBcOT8ilnMuLgrGjV9:kEogee54h7tDqFGP+MuuLtV9

Score
10/10
amadeylummastealc9c9aa5marsdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://property-imper.sbs

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

https://disobey-curly.sbs/api

https://motion-treesz.sbs/api

https://powerful-avoids.sbs/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac5169df44566536bc577609929c41a792dc173cab200a053392648915efe5c8.exe
    "C:\Users\Admin\AppData\Local\Temp\ac5169df44566536bc577609929c41a792dc173cab200a053392648915efe5c8.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Users\Admin\AppData\Local\Temp\1009278001\DPQSEDd.exe
        "C:\Users\Admin\AppData\Local\Temp\1009278001\DPQSEDd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Users\Admin\AppData\Local\Temp\1009278001\DPQSEDd.exe
          "C:\Users\Admin\AppData\Local\Temp\1009278001\DPQSEDd.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3656
      • C:\Users\Admin\AppData\Local\Temp\1009330001\23df3ff1a6.exe
        "C:\Users\Admin\AppData\Local\Temp\1009330001\23df3ff1a6.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1844
      • C:\Users\Admin\AppData\Local\Temp\1009331001\e810c06bf6.exe
        "C:\Users\Admin\AppData\Local\Temp\1009331001\e810c06bf6.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4440
      • C:\Users\Admin\AppData\Local\Temp\1009332001\cdae7e9068.exe
        "C:\Users\Admin\AppData\Local\Temp\1009332001\cdae7e9068.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3400
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2012
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5044
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3108
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3244
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3afff89c-5fd6-4313-a822-cdaa6ed929c2} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" gpu
              6⤵
                PID:2400
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdbf69c8-f2f1-4297-bca2-1ed56d7c80c7} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" socket
                6⤵
                  PID:2060
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 3052 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7b2c694-87a9-4b74-baed-cd86947e1227} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
                  6⤵
                    PID:2384
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -childID 2 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8abafbbb-84a3-4e56-9fc5-89a196d4f3c2} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
                    6⤵
                      PID:2484
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4708 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50660040-b39a-40ab-86e1-86a5cae15e7d} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5240
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5260 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5232 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff37421f-0fd2-432e-8594-d71b3e418201} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
                      6⤵
                        PID:5976
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23fa7765-d2cf-4e28-96d8-153e5677e706} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
                        6⤵
                          PID:5988
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5efba368-b762-42cd-8a23-8c6158274245} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
                          6⤵
                            PID:6000
                    • C:\Users\Admin\AppData\Local\Temp\1009333001\08b68995b2.exe
                      "C:\Users\Admin\AppData\Local\Temp\1009333001\08b68995b2.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1756
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5540
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1584

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
                  Filesize

                  22KB

                  MD5

                  38301fa1d91a06abdf0276d6f8e1ac8d

                  SHA1

                  d1374abc482bbed5176fba59fae68a08b2768c0d

                  SHA256

                  e88490823ddacabf4323a9d4848ef1d7d1574eda8ed6a6852387e90ca8296ce1

                  SHA512

                  65ced1067083f78313218f2e28e63b936b3de19a2ef35f171e733fa764ec76a15ba8ec5e26e4caf827463f66325a75ea8ca1d0289710bc32c68842b3259dbbf3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  6c1bbe4b17df39fff016a34cb1b8b02d

                  SHA1

                  d2138dc767277988e4e399035fb9785665282c3a

                  SHA256

                  9d72eaeb263fb91696c8a08c347414412e1e3f72ded22face27f37e6d2ac26dc

                  SHA512

                  89c08cf3ebd9eb8ddeceb59fba9ccb65d4f0b6947001e96c13e171a381d16707cc2454b2fb07b7bcba5cded9edb47dc66fcaa74980425eb424e629cfdbd0c8f2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009278001\DPQSEDd.exe
                  Filesize

                  458KB

                  MD5

                  666df1d57e2a047b9edc5a7ad3525ea0

                  SHA1

                  92b4144346f873d5afc2e528f914afa6c7323fef

                  SHA256

                  fcff3ae0e71747322f9c628736788ceb419c9f04bdfa8a5bdb3a628e8d91af6e

                  SHA512

                  3a114e0c3412c8396f40191ebc24d44733f8ebf35b72ad3a4ed26691174de5292fe4213b72d1034262ff16616d5cf01703058a61c4a578773d16f728db082b1d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009330001\23df3ff1a6.exe
                  Filesize

                  1.8MB

                  MD5

                  cdd5f94d07f51880aac7820d436dbfb0

                  SHA1

                  1788017509acc93f8acc5be6c03bb0c05905d0ad

                  SHA256

                  59492c239987c11dac31153e0588926b4262589e19da4288915cc49a09a7b43e

                  SHA512

                  eeb077e5f834ce539240c5a778d00f7dcbfb01ef46784ccb370bdcd56266f1bb538beff359cd8cdd6bcaa04585378a827b103c5187ea3f6f4d851a8139d3e137

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009331001\e810c06bf6.exe
                  Filesize

                  1.7MB

                  MD5

                  f43db48ebbb2d24d306982493e1b1e37

                  SHA1

                  dd542a47ed05c36174441b94d9f5adf540a0b13e

                  SHA256

                  d83effe6c4258c6f20a3ea796d9595ed0fccfa1e3eb27cb549a193e2ccc284d0

                  SHA512

                  7121e4ab05a49666aabc4be3a0fe38f136727e8ac3bea0850810f3fc92255f5be08b4225e820a485800f1067396514f47618a37c641c0498ebcf772dd66b3bb6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009332001\cdae7e9068.exe
                  Filesize

                  901KB

                  MD5

                  71ba5683d7ca32e6f749128d64d09e0a

                  SHA1

                  8a3499f7d1733288d9bbb01938b118f27030a6f2

                  SHA256

                  5e1ce6da827cf06403a1c0cbaf519ab97a11fc1dc31d03cd4403959bbadfca13

                  SHA512

                  2d4cfa545f7ad1021ad9518e2686d7ad378eb23df833cf392bb6398b29c9eb100f186f537703ae69752753d7bb4852cb0f2b30ee32fd012fe532f54935360ad7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009333001\08b68995b2.exe
                  Filesize

                  2.7MB

                  MD5

                  51bf0eb329518b7c2bf58d495458257c

                  SHA1

                  6ff472f161e0cea1ea5b40796dad605175bfd422

                  SHA256

                  ed56b2dd50ee59f47cfd7337521d2fce0c7220bf1a85b4e39c8e65fd5f297f06

                  SHA512

                  45b322cbdd68d85417e13b0b471433ea037447de5dbbdb0b747d283756461a2678b88246bc59f222d4890fb1e97df3ce5ab3d96cf511cfd07a9323846d43613f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  1d38050f2e929378eea7f8b59bb52b64

                  SHA1

                  1e553a68a08aba0fe2b467279118046d657785e5

                  SHA256

                  ac5169df44566536bc577609929c41a792dc173cab200a053392648915efe5c8

                  SHA512

                  0a8830df3e63dddb5b8c27c51653680f64230d7ad69d5af791ee04f07a6a62f4a1dc3968129ce1b76fa55b2b391951302bdf08de2d211c0ad923226027daa8ca

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  4fc630bf0520fc3dd9410ed2d4f902a0

                  SHA1

                  452117ed97b1e9ce597bab3d5d01914126a0608f

                  SHA256

                  5cbbdc93c2953f5130ee5fb8978f33192c2e2f75a2dadeba93fb8b7b1dc30784

                  SHA512

                  5926826b0733a4cb36139c1c37a3c26ebf28fccea371bfd3836c6dcb5e568e81c220207cd71121cb645a2ee6eddd30587c7d02dcc15d94355c7069645693f3ba

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  d6680e5ca7abad14d8efb0c2083902a7

                  SHA1

                  60a25649f7f4a08e99229f8341077bfe3b002451

                  SHA256

                  9502a1a86afef153a0d6419f31ce712c18a8122160ed90c4ba0799e522e3290b

                  SHA512

                  d2c6cef16a1d54311201ddf1dbf6ad3819ff04751bdf13ff5ac0c274b019b0d722c874d4b148835d326d842a68d8d788da5ad5cf176a69741c395259512ed4b2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  664dbc9636844f55f14bd3958b08279e

                  SHA1

                  c913c56b0f1452a30fa0d339907982fcf7b2a9cd

                  SHA256

                  66f22e42faa7c3c3fb818e374fa59bcf0b457621c5fcd8b62220e61372650e31

                  SHA512

                  45f4989c1e12195d27891be483ec137613ceb8ca0907a5eef36e3432e6d394ce42103c07b99826739cff0ef04102ce82246d1872c2f2d0ae32d9d7b1a045fef1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  2b22378667c4ff4d9f511c3bc242891e

                  SHA1

                  cc1878c565a1b88e68b7a472e3a0f7193b1e15bf

                  SHA256

                  cf5d98d707fc0a8e67bf69daa70f056daeb53235893dc21570424b05c80834ef

                  SHA512

                  e799561c4d8ee07b07e9bee50b5e631806422896f499d6545667a634e50b5c63d87d484f6b23bcd973481c6fef6a38caf898a785bf04a902a553743681f67548

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  091f6c26553142cb1532919f05212f28

                  SHA1

                  b76823c8eca1bebdbe7085267154e5373e7abda9

                  SHA256

                  a19cabdc6c5e14f0990f48f8eecd90320c43c8590ad619d1cfc52209de9a7e5d

                  SHA512

                  b894c675196639aa235f88da7c0f792089500f8b658d614448403cfdbb93d319221fa55b9d31b295395282a46da5f0a2167d470ab909caeaf60f4a4cdd86ab63

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  1b941373d5ba68c9991bdf2a7aa040eb

                  SHA1

                  c6fcac9a52c25315715dbac74d8c98089be8b90a

                  SHA256

                  7a865c8fe503a5e3a04ade3523065272413008e503e79a244c5e3f66fe90cd11

                  SHA512

                  93a25587a92ad6892699c1497951d4914eddfdad18ff6755e7a770b4376ac66322c2f16e86f6a08af0c738f863e47bf205a5a5b52c24b15af8df1a07d87fa826

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  0bda08f320cb7cd260d5895f32ad79a6

                  SHA1

                  ab9c0843b0b3344871acd19a4f35f8c4b10619a9

                  SHA256

                  a110e46c62fbe9a46b95f16b4585c002352c6998738b371432ba0ee7d5c77dbc

                  SHA512

                  2ed1225542d3689f47d3bc740774febd64317af29765b59ae6403639360461b4f6012ee1a469ce61a7958faa60f37cdc60b8869ec9688426dad981757f824647

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\0339d41b-1380-4e61-b2c9-3b075a471f51
                  Filesize

                  982B

                  MD5

                  a3fae93c5398bbfbcee6a1218bbb3c34

                  SHA1

                  749c1f619c0ffca298c14469877999ace697b97c

                  SHA256

                  24010e471051987ba9bbaa3ce0120972ecf3f30e646f06ac9a2a9a5b640d3dee

                  SHA512

                  5f5f062bc0c360298c8fef7b2ba173007742bb730d6cb9f50109d4e6e68346d2ab4bbff723b33de42663e390db0a5a0072191e08b7a39721328b26e1e73d31cf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\2db23e78-e614-4ed1-8af0-6f8ce1f8ba83
                  Filesize

                  27KB

                  MD5

                  47299fa655246814eaa2086b6a3b1e4d

                  SHA1

                  d86aae4f9a333f16b37493b9118111a5a0fb36d5

                  SHA256

                  c82c2ef833b011d89c421e23277c05633e131ab116a80fbd2c1b24d13a1be9a5

                  SHA512

                  c165153d8d742e870b27134ca5ccefc60daae673e60cf975d7a9cca708a6d12489a396c16f97f45a53e3f19ae57ade505ebf713155424bbc2e1df7534079af4c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\59ecacff-1681-4822-aabf-9da50d5d76be
                  Filesize

                  671B

                  MD5

                  f49e5dae33254a969929f3f5590b8440

                  SHA1

                  7a877f82d297f866edc4864397757d5784f1ebb8

                  SHA256

                  0dfdff0b150382001ffb207644dba3c19fe6e87bd6ae497f95295f37fa4550a6

                  SHA512

                  b53851c96e627fdb40c570224c90327cc08e263850f6f2738875107a556a1a35114429602aacbb5890db14387ed6554ce4ee4eac98c8069d95955fd945025980

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  10KB

                  MD5

                  aeeedf86bbcbbacc37a5fed3506b1352

                  SHA1

                  f97e7cf2acf3ddc3e841aea6f483a6e66a6b7c41

                  SHA256

                  bc20a6f230a8ffb40303c0abe1cb64e8197f1ebbad6134606c2f3a4ebd602b7e

                  SHA512

                  e8d0b2cd3fb3e22c4dbd5896bf96acd0520943b8bb7ea9762a84c76781495252fec834053e82b727de0585099a320a79eee105a0f828f37f3ee2f1f38f71424e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  11KB

                  MD5

                  6e5a7f976ef0a73196f7fd8f49196bf3

                  SHA1

                  6029b6d08dfd7e4fa2740865b5d9eb84f766ee4e

                  SHA256

                  3d694e065f3d08b90f75a6ff906ee65c0398a1b7efe1ad8a129f34a960b7985e

                  SHA512

                  7ef6fcf16f03712c9ab6c1264c6194d51d445f3c6683e107f6cd3298fdc9b016e1855199ed3184ab222ab809345ca9cb122777ec2f73ca7060243fe568d3e8cc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  8a6004c831a6004d1ac92db4e7f9346b

                  SHA1

                  4196822cc8e44c407e7f20d5c1e8cc808793a796

                  SHA256

                  5ebc19f8c8ea9c1a4a15a0f9511a8dbaa412dc9bb09cceacea2dc1374513b873

                  SHA512

                  bb6705f73c870470d7fabc0fe61a2a792864bc147decadf27108f83848255cd6a0b82e118e8be12ac4acca7ca49f09922f930b5eac814682b6fdba422106509a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  8e9b8dafc34237a6be2a18659eb6b520

                  SHA1

                  bf68d78b3e766d61b68f8d7329f81fa4f49c8db3

                  SHA256

                  d747aa629920949d3a556296007d259214b55c2b17e73977cdddf504c03ef6c2

                  SHA512

                  ada0b1070f533ccb82e0c968b851ee5d437b3e0eb2e6bb97401132d3b4e83f5087eeed604af10bcdd192761ce1324de13258d8349b25c3d919d0fea7605a60ff

                  Download Submit

                • memory/1400-43-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2715-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2722-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-1954-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2721-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-62-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-60-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2705-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-374-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-17-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-18-0x00000000004D1000-0x00000000004FF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1400-44-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2720-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-42-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2719-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2711-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-511-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-19-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-20-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-536-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-2716-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1400-1026-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1584-2718-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1756-125-0x0000000000530000-0x00000000007F4000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/1756-514-0x0000000000530000-0x00000000007F4000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/1756-504-0x0000000000530000-0x00000000007F4000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/1756-372-0x0000000000530000-0x00000000007F4000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/1756-373-0x0000000000530000-0x00000000007F4000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/1844-61-0x0000000000820000-0x0000000000CBD000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/1844-79-0x0000000000820000-0x0000000000CBD000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/3656-37-0x0000000000400000-0x000000000045C000-memory.dmp

                  Filesize

                  368KB

                  Download

                • memory/3656-40-0x0000000000400000-0x000000000045C000-memory.dmp

                  Filesize

                  368KB

                  Download

                • memory/3656-41-0x0000000000EC0000-0x0000000000F36000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/4432-36-0x0000000000EE2000-0x0000000000EE3000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4440-78-0x0000000000980000-0x000000000100E000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/4440-80-0x0000000000980000-0x000000000100E000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/4876-5-0x0000000000440000-0x00000000008F6000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4876-15-0x0000000000440000-0x00000000008F6000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4876-2-0x0000000000441000-0x000000000046F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4876-1-0x0000000077564000-0x0000000077566000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4876-3-0x0000000000440000-0x00000000008F6000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4876-0-0x0000000000440000-0x00000000008F6000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5540-581-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5540-540-0x00000000004D0000-0x0000000000986000-memory.dmp

                  Filesize

                  4.7MB

                  Download