Overview

overview

10

Static

static

3

23adee701e...01.exe

windows7-x64

10

23adee701e...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 20:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23adee701ec78bc1dc86b8dd100fbfc7db396c1537895e44979b3e25b629cf01.exe

  • Size

    1.8MB

  • MD5

    f3958bb3d56a436df04963744914eac4

  • SHA1

    f56e35f986fc17641229f796053400ec62dc02fc

  • SHA256

    23adee701ec78bc1dc86b8dd100fbfc7db396c1537895e44979b3e25b629cf01

  • SHA512

    9e2247ddd2086423d2cf0ca382f20549d60aed15ca17779b35aa9c551d515f0b765ad1dafc77ee25cb284e0506d477048801a776dbefc33ebeee7b257e6d77d6

  • SSDEEP

    49152:0J7EvqnyFCcpfmv9/ex+bmU8bwpIpCz6w:G7EyyFbpf1xolTpD1

Score
10/10
amadeylummastealc9c9aa5marsdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://property-imper.sbs

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://blade-govern.sbs/api

https://story-tense-faz.sbs/api

https://disobey-curly.sbs/api

https://motion-treesz.sbs/api

https://powerful-avoids.sbs/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\23adee701ec78bc1dc86b8dd100fbfc7db396c1537895e44979b3e25b629cf01.exe
    "C:\Users\Admin\AppData\Local\Temp\23adee701ec78bc1dc86b8dd100fbfc7db396c1537895e44979b3e25b629cf01.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Users\Admin\AppData\Local\Temp\1009375001\a436afc410.exe
        "C:\Users\Admin\AppData\Local\Temp\1009375001\a436afc410.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3992
      • C:\Users\Admin\AppData\Local\Temp\1009376001\a675544673.exe
        "C:\Users\Admin\AppData\Local\Temp\1009376001\a675544673.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4976
      • C:\Users\Admin\AppData\Local\Temp\1009377001\1f7e34e18f.exe
        "C:\Users\Admin\AppData\Local\Temp\1009377001\1f7e34e18f.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1184
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:652
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2820
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4168
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1528
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:208
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c60148d7-3ede-46ac-86cb-88cd8c09f0bd} 208 "\\.\pipe\gecko-crash-server-pipe.208" gpu
              6⤵
                PID:2304
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27fcd556-c012-44f7-97d0-6c48e47ecb7b} 208 "\\.\pipe\gecko-crash-server-pipe.208" socket
                6⤵
                  PID:4668
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3144 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3032 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35d1f336-585e-4719-b443-4502452e4b7c} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
                  6⤵
                    PID:1864
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 2 -isForBrowser -prefsHandle 3868 -prefMapHandle 2832 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dfee1ac-1ab5-4879-a24a-190134caf14b} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
                    6⤵
                      PID:3576
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4560 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4552 -prefMapHandle 4548 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0e90488-ec6d-4f07-ae61-182e68afb90a} 208 "\\.\pipe\gecko-crash-server-pipe.208" utility
                      6⤵
                      • Checks processor information in registry
                      PID:1572
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 3 -isForBrowser -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {439d9ec8-ca0c-4dca-9a1d-fe30d6f14500} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
                      6⤵
                        PID:2784
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57081df4-67c5-42c0-b9cf-5d4f8b51384f} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
                        6⤵
                          PID:3708
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9174e8d3-494a-47fb-a538-c2992a3488e6} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
                          6⤵
                            PID:4700
                    • C:\Users\Admin\AppData\Local\Temp\1009378001\7463c87676.exe
                      "C:\Users\Admin\AppData\Local\Temp\1009378001\7463c87676.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2100
                    • C:\Users\Admin\AppData\Local\Temp\1009383001\333.exe
                      "C:\Users\Admin\AppData\Local\Temp\1009383001\333.exe"
                      3⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3368
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2056
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4020
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1448

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json
                  Filesize

                  19KB

                  MD5

                  0cdc6b4f3ae6f1e5104086119e8f4e95

                  SHA1

                  189b07f8ccbc13867dd8cd06124cacb23e6e8e0f

                  SHA256

                  96cc7d3cfc0d5a6452d7f66bf7be2079e22d3944e216202760d86de4bf91a584

                  SHA512

                  5bc355745a5725a3ffcfdeeac5066a62615821af9d8b7a55ce871d2dca287dfb095fb86e1f4b8dbf26a6ba086ad95794dff60c83c7401b0330e34a68e2b5c669

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  8aedeb05633eb07c41ff7c59b0c5c52b

                  SHA1

                  82d43245bc4b0424b1e4b99fce64c088989af904

                  SHA256

                  f695f174f6091ef5bf89d16106bec26f5a17317c9085e99074b99e23dc665537

                  SHA512

                  18569f01b6c1ab3bdb2835e88185aa7e026f06ae517ab5cf6992d375c1428259333579d20101780205bb2eda52cb486acb233dd0a804b4a3be94112abf71b0a0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009375001\a436afc410.exe
                  Filesize

                  1.8MB

                  MD5

                  152d2b0c276bde04f166eed03b955c41

                  SHA1

                  ce8f9cf1d522decd5976b935017b9af20444dbed

                  SHA256

                  e51a10dbcddfcbbba3c22802cb242b90d0c652a7c02b95b2160942a5619d576e

                  SHA512

                  d3fbbf72e6e9db728d122ec4201dbf5ad058ddaf9572ed440bf38b1390048cc9353defd37034a6fcdb3087e1fc1aaa95a9a3c2b270a5bf1e89f241a659d11386

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009376001\a675544673.exe
                  Filesize

                  1.7MB

                  MD5

                  1fd39ad38e07b9c0055e364c704d046e

                  SHA1

                  acb7851072be2d6b4ec531b6fdc534e05952dff0

                  SHA256

                  23c28e446e3cd3bd98a9973ed689ea052080ea26a1ea1292ddbfff75cc051faf

                  SHA512

                  64e84206242f11e11d1d890e061b36345471fec2bf82130191cadb4eee991da0a23b89712b15be83197477c16b628ece501400e2dae02bd2d20c087cbc21f7af

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009377001\1f7e34e18f.exe
                  Filesize

                  901KB

                  MD5

                  b14552016d4a0e1ced552484abddd6ac

                  SHA1

                  f1bc41839dfa15df8b5e03a4598d6e40751c352b

                  SHA256

                  f16f08a83223ee763f2b77189009796bfed2ba29dafdadeb6e908759bee80ad1

                  SHA512

                  d90d5537481bbb40fee4858f479f487d4d03fff891c20d38dc90edff5538e30185e67210d30f3e6d012f016c695259e9d876981cc760bf4c19f407e56286a1e1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009378001\7463c87676.exe
                  Filesize

                  2.7MB

                  MD5

                  856d5405040f6d21d7e30824008fba84

                  SHA1

                  4591f07be44112fe3d2cb6e6cb605ca0d50278cc

                  SHA256

                  3db615d6785ea6db64182797ab8ab58511fc9593a77cede4f61c13aafce46f43

                  SHA512

                  bcff5d208afc6efcc64a5c4b2ca91575d08655424d324566a2d80c11dd375eff4b0a5592e0465425636f9caae9c9917729874e6c353aa68a2488d54a7c82cc69

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1009383001\333.exe
                  Filesize

                  243KB

                  MD5

                  b73ecb016b35d5b7acb91125924525e5

                  SHA1

                  37fe45c0a85900d869a41f996dd19949f78c4ec4

                  SHA256

                  b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d

                  SHA512

                  0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  f3958bb3d56a436df04963744914eac4

                  SHA1

                  f56e35f986fc17641229f796053400ec62dc02fc

                  SHA256

                  23adee701ec78bc1dc86b8dd100fbfc7db396c1537895e44979b3e25b629cf01

                  SHA512

                  9e2247ddd2086423d2cf0ca382f20549d60aed15ca17779b35aa9c551d515f0b765ad1dafc77ee25cb284e0506d477048801a776dbefc33ebeee7b257e6d77d6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
                  Filesize

                  7KB

                  MD5

                  3bcea26b3d2ab72124f4e832c434becf

                  SHA1

                  ab93a91e7927c58cd3153d6c4eb4b0a20811bfc6

                  SHA256

                  1ccf4feccdefa6d6566300917c79965a2515a8dd7c1afeae22264e86d9ccb9c0

                  SHA512

                  4bbb4c7ce1b28a9d226eff338faa2798f759af77fc2db8f0acb8f453f07b2d1da8e0c0d90038def9644b3061fbb9067713741ac46478c0ea7dbb7665338b94f1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  89cfc3c2ba2f5f39a2e66897e613cb01

                  SHA1

                  bd8d2c05f945ff6163b111bdf558bb502bc44083

                  SHA256

                  8ee84a317dba3e19769b521462544c92f2548a124af29f75b6d5bf3e48bacc57

                  SHA512

                  3aa0c03838534bb63940c10594bf5bcb9c42392517970e60af1e62963ac601cf729bb83500b5d450b49091ee912279d36e67781b490bce62cd6c87415d406fa6

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  48b3238faf06bf9b43e94c75fc82a719

                  SHA1

                  c7910ec21ffa065fbb8e3359c9972cceda8a6485

                  SHA256

                  109e8aa9938c848ff7bf2f554a27cf82d2ad046e3edfb9c8036343d3bbbb6d56

                  SHA512

                  09cfc5d16d6f45f1dc1a4890a9b437e59a5569be5575cf48b3695147f3863ae1f7ac97d2a56d35bca060a11060087727c1ccee190e87c0419521c863c24457c6

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  24ad128c4b238058e5f7dc12d7d0e0de

                  SHA1

                  1b2376d3ec166300c070403e4713f886a2903d0c

                  SHA256

                  89cca218b0274277d6f39ea55238defade001d15e92862af17f95ba27614413a

                  SHA512

                  266d5af1980cbf5299a0a16081e6b85be2493a2d11ac98a8dde2b4f73627194ebc9617b9fe2625fadcd8f7886bec21895e4f36e27073b7f4ab0e0c35b406d273

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  5d7f61efbd78d93ca2ae7a73ef9863a4

                  SHA1

                  24bd8d62eff1c10cfa6ad65b19e08841b9a4cafc

                  SHA256

                  798074762370835124f302794e4663f325ed2c74c73e231bd493ede23b3f0050

                  SHA512

                  ab5642570ccb52820ce3386d347ba8fcbc4b69694f53aa85fe1425bb5cd0008ac0425f4cfa8a94f33c30be81255023bec78d1cee214a714df1d13788c05dcbdf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\36cd47a2-aecb-4603-959d-a06e3e33819d
                  Filesize

                  671B

                  MD5

                  cc57f80820561a9f808797e0d3d467cb

                  SHA1

                  d50ccfc537ca6f9ee742863fb329b5dde555646f

                  SHA256

                  3380bd71972cbcc475260c8620ef91417e56059bd57291b54edaf0bcef0ba2de

                  SHA512

                  84105039af2e3d949f574f827fd6d3b8ca6a4caa389a195bc1f53af2a14bddfb4a6db94c99e7d224c8974c68e51afd27cd1303a1b45c29a08ba5cc935b4dfae9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\64c98937-5fea-41f2-a238-f9de12aa9189
                  Filesize

                  982B

                  MD5

                  c4396e03c5c1155e642648784d503ddc

                  SHA1

                  aed2d910b263c40b9d3668a0a8720dbb9674321e

                  SHA256

                  dfb26ba4ba4521862bd6ff1a2de1aade0c80739ad27d7450044f43032f3e56d4

                  SHA512

                  deede6b78a2e10de439fde7b17b1dff859a3272c0f453a372a578b5bd52686de8ea06d7c622a9f3d5f79bdc20f58be13aba4ab38357ca01ea4fe317688356963

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\7dc293a5-f601-4ec0-90be-a98ca023ab80
                  Filesize

                  25KB

                  MD5

                  66d0e1e3711139175fecc93a99ef9b20

                  SHA1

                  14f705a99039b1a08d970bdbc69b8015fa2825b4

                  SHA256

                  45abc9a3369042ef3d0dc81d2a0d162c903d0b32346198f9e1ae8d4b2c042dd8

                  SHA512

                  821aecd8e67d540c43226d8d40977440506bb0947216d33564c245e8c984f7e73e09006d10e5bfeee127a2a334ac17d39b65e254ac3269e1e2e49f9ebeb36d4f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  ae46ab6de6aa35ea77832266ea3a6456

                  SHA1

                  80d8075d87a2ee0a56c17c2dde7ecab9f9b0f2f6

                  SHA256

                  70494e9384c4087f5d097c01d623f79e5a79e7e11dcb8aeb4480c74d6a46f54a

                  SHA512

                  f672ba3703e4f2cf9e174d26bd0b26f82fe46e017ff7cd4d3ec8a17dd9d3c729e1606dc781b8db6f9769c970cc18a856d95734124099f085a97aeba61fe14baa

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  10de392ee3c9164ef3fe8f394baf516a

                  SHA1

                  f5b2dcc3a44fdbd3a68fa7b64277be583e12534a

                  SHA256

                  48ae67c42cb24a2404e438e71ceeeba894ed315af2d9d229d32ddc582002ea18

                  SHA512

                  5c388a73af421336e77156a8cb5c543b3bb0ebe9e97f9b2762e18a6c7d2ebe875a33cfb524085b3e5ef1e211af7496a2df4e05e8622ef4081acae34bd7c9b736

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  f8e878f1669d08fa59439a0ea8a8b47f

                  SHA1

                  bb377e5b7c6f774fe83efcaa29034657af6cc90b

                  SHA256

                  7bc1aa5eb7f27c9a9d532b7fd3e4b30640a0db1bafc47405b7bc6f241cb9a1df

                  SHA512

                  ca1588ef464e3c5c6b23f7815f80e2e6f8716bd4a0f0fdc544f422933d7c97a15f3f0077c81fc4bcea822dd29842a285a90f7af661465bfb7e7e99b132628c53

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  840e13bd6235a09d2a5d895a1bfa84fc

                  SHA1

                  0fd1f403fb109746d74431eb6442bcbe657b377c

                  SHA256

                  58eedc8c5c7f1ea0235dad801987afbba132dfbe7a9b5891f270d503133b8f23

                  SHA512

                  0d4d49c65bb189cfdbbf33a3b396ec03e7c56f04173b6f5f67eb30d4cdb98df11fae71d9f1ea4f734341231c4d94c8bbf7a104edf7659a158c6aa5b43fee4939

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                  Filesize

                  12KB

                  MD5

                  5ab6fefcd521e9b77dd7ab07c1d5ba11

                  SHA1

                  d026a42ba51bb046e13f26c647669d2a816628ef

                  SHA256

                  c38ee77ef3cd7919708d852b441f235d32689f2d8684a77cfc91183b9504d93b

                  SHA512

                  dbd5e7728137a77d1a6d2274df4c1025b5c5da545864bc7868d6798049737f23c9e938685a37d82e506e6d1c198fbdd78329c11c453c9b8c2abc4362ff6d1a48

                  Download Submit

                • memory/640-0-0x00000000005C0000-0x0000000000A7B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/640-17-0x00000000005C0000-0x0000000000A7B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/640-1-0x0000000077344000-0x0000000077346000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/640-2-0x00000000005C1000-0x00000000005EF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/640-3-0x00000000005C0000-0x0000000000A7B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/640-4-0x00000000005C0000-0x0000000000A7B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1448-1566-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1448-1538-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2056-48-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2056-51-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2100-868-0x0000000000440000-0x00000000006F2000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2100-814-0x0000000000440000-0x00000000006F2000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2100-867-0x0000000000440000-0x00000000006F2000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2100-1343-0x0000000000440000-0x00000000006F2000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2100-1337-0x0000000000440000-0x00000000006F2000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3368-1628-0x0000000035F80000-0x0000000035F90000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3804-78-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-53-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-18-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-74-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-459-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-478-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-73-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-19-0x0000000000D61000-0x0000000000D8F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/3804-20-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-55-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-54-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-1330-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-52-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-21-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-47-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-636-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-1537-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-22-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-43-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-38-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3804-41-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3992-39-0x00000000009A0000-0x0000000000E55000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3992-40-0x00000000009A0000-0x0000000000E55000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3992-42-0x00000000009A0000-0x0000000000E55000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3992-44-0x00000000009A0000-0x0000000000E55000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3992-45-0x00000000009A0000-0x0000000000E55000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3992-50-0x00000000009A0000-0x0000000000E55000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4020-77-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4020-76-0x0000000000D60000-0x000000000121B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4976-71-0x0000000000670000-0x0000000000D11000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/4976-72-0x0000000000670000-0x0000000000D11000-memory.dmp

                  Filesize

                  6.6MB

                  Download