Overview

overview

10

Static

static

3

394b16dc54...98.exe

windows7-x64

10

394b16dc54...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    394b16dc5413a40962c9520922ea279976b220c1c044610ae8e8746da50d6398.exe

  • Size

    1.8MB

  • MD5

    d1b29b0ff83aa7f8e807cc52766659eb

  • SHA1

    1f3b40f5a291a55ec205fac1263561eedf47cf08

  • SHA256

    394b16dc5413a40962c9520922ea279976b220c1c044610ae8e8746da50d6398

  • SHA512

    73f5440c328743face39aa0fb0ec3fa15c4395d52fbf6ccf514d10d49d682fafadc5147fca872ab7bb137e127bc9ac57af85513e6aa994773e39474348e57df7

  • SSDEEP

    49152:xdGVoo1d1jzZZ4BpzJXYZ4WdbshaY9VS4u:XwooBjzZZ4B3Xo4eY90

Score
10/10
amadeystealc9c9aa5drumdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\394b16dc5413a40962c9520922ea279976b220c1c044610ae8e8746da50d6398.exe
    "C:\Users\Admin\AppData\Local\Temp\394b16dc5413a40962c9520922ea279976b220c1c044610ae8e8746da50d6398.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5020
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Users\Admin\AppData\Local\Temp\1010894001\7a70e71e54.exe
        "C:\Users\Admin\AppData\Local\Temp\1010894001\7a70e71e54.exe"
        3⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2412
      • C:\Users\Admin\AppData\Local\Temp\1010895001\b1eb647b94.exe
        "C:\Users\Admin\AppData\Local\Temp\1010895001\b1eb647b94.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2404
      • C:\Users\Admin\AppData\Local\Temp\1010897001\1b71749101.exe
        "C:\Users\Admin\AppData\Local\Temp\1010897001\1b71749101.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1852
      • C:\Users\Admin\AppData\Local\Temp\1010898001\ae17be7d09.exe
        "C:\Users\Admin\AppData\Local\Temp\1010898001\ae17be7d09.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3144
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1088
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4604
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4160
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1252
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2f8739c-2b8e-4e76-872b-ea5d1a85bf1a} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" gpu
              6⤵
                PID:4540
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a948a13-a178-4d68-82db-6399d73065a3} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" socket
                6⤵
                  PID:2840
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3204 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4cb5fa8-2747-4ff9-9245-fd7a28af3045} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
                  6⤵
                    PID:4676
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3800 -childID 2 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab18cf4b-f354-4070-99e1-481044a71c54} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
                    6⤵
                      PID:1816
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4768 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f27400ea-4a2b-454a-a35e-978219523219} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5136
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa425910-850d-42b0-8ef6-ee18740bce3c} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
                      6⤵
                        PID:3400
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50fdb417-668a-4a61-a8bd-898972fdc666} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
                        6⤵
                          PID:4484
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5428 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {091d3e7d-f5da-4a3a-bbb6-f3d23794a3ff} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
                          6⤵
                            PID:1280
                    • C:\Users\Admin\AppData\Local\Temp\1010899001\ccf9ac063e.exe
                      "C:\Users\Admin\AppData\Local\Temp\1010899001\ccf9ac063e.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1292
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4220
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1752
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5936

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  24KB

                  MD5

                  d8659011738792e065b3f4dfe9364852

                  SHA1

                  8b9c0c167bb9413e37fd39c99083122203757c3a

                  SHA256

                  6db3a1e1d715d0fb38a096261e89474517ce5914ec9712ae4d184e768d260ee9

                  SHA512

                  1de8751d5b3b7db34d215ccf919e8e9123a0d093e20715b947244c514064e403931d0143b7e362377830a3375c52159149eabe82c5be9a9d3f07c1c6a1db5195

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  72380e53a22fd2493a88bffb7b328dde

                  SHA1

                  a2898f455034247062aceea59545d1e572c69822

                  SHA256

                  dd111080ff97e07b42de3492a9817be17dd45c135a1b472e3dc1c83fbf9ae1d3

                  SHA512

                  24b162710ab6a6cf24ca855c489eb63d8066573da153f3999253c934b6d66f327f885b965435c2abd2aed578fb1e59625b22e6caa5bc50f36dfbbd1a9e1ec3f9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                  Filesize

                  13KB

                  MD5

                  a3fd1ca61d742473bbe6c704442cab95

                  SHA1

                  6c670edec68d1e89552c61ca01e26ff171233b4d

                  SHA256

                  0bb4b5e331abec8936fcef59d9e4a1229c30e27ca343bdc3f90a5c783e10e8d1

                  SHA512

                  64102b57abfa6844ffd7c65127adbedc0fb78e9a5c3ffa7ca02c6327ba918d47ceeedcb386ec7c143b11de86255497503f62b823eaedde28a522b61b2b900f0a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010894001\7a70e71e54.exe
                  Filesize

                  4.2MB

                  MD5

                  1b02a98e354a2d529fd81d9701859f40

                  SHA1

                  7b7f2324df7bd662e94d9ed90426d4dd3595f2a9

                  SHA256

                  eec0f8a8ad88b9d311cb716101e4a85f30354183af23ca6872aadd81425d636f

                  SHA512

                  0c1d657dd6524dffadbe1883278e1de7b3e5b2c30ea1ea8caf5a188cf5d9aebe6db339462cb2f12f56b77b820c1b245ec4db83519aec62ab565fbdad6dde23a4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010895001\b1eb647b94.exe
                  Filesize

                  4.2MB

                  MD5

                  42af26f80b61bd2b7b55d53244b2dcfa

                  SHA1

                  de2a9d72e0813bf44476c92c314819aa74b6b735

                  SHA256

                  020331b794615aff2393d3eb2307dd2b73e3a83ffc26f057e3bdcd28f15641b9

                  SHA512

                  b5d8031d27cc3ceb259bf14050a935ba55e01609798dc0bfb263b24f4a4d4c26a6ff0ef1422313a9a17410f29b13620e60c4e91d22fcdc3382eb154d6f9c0e62

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010897001\1b71749101.exe
                  Filesize

                  1.7MB

                  MD5

                  593f5a3fcba1c7432b115f9ee19bb38b

                  SHA1

                  2852ad10a4d10314744a5e90745c89434f8588aa

                  SHA256

                  d16280ff0c61238227084cf15ed98e3a9277ee451165b43cfdeb7f57301e25ab

                  SHA512

                  4cdfc93324f0585860d7542f78d12e794d30f604d0237e695bd70ec500960899795d7c473ffacb784c88d7e8fc6a417219cf03c6f9d5c1008abde2ac0164ac8d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010898001\ae17be7d09.exe
                  Filesize

                  900KB

                  MD5

                  55f033e828bc78bc86bfcd3331417b8d

                  SHA1

                  fa8caf4486d5d9d461c1cb239cb47271a963f1d9

                  SHA256

                  61477c3ec5a8f73ef52b85ffabfe56e1d899f1d589daa8c713491f063ce3e42c

                  SHA512

                  d924aef82d41342cf334b5f0c27a3907e5248cce17504fdfc0098f72df51099bd517204bb935a6f4ed586aa927b589aec7e721e28b00f0b9a9414664929dc42b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010899001\ccf9ac063e.exe
                  Filesize

                  2.7MB

                  MD5

                  946d8d09cf59d09a279a0b6d31622734

                  SHA1

                  bba4cbbd9843075beffa8c5b6d3e5f9930b6ef05

                  SHA256

                  e3fc04478244104b8048573d3273a92557cb2204ee762dac2f689c0539555af3

                  SHA512

                  1c18461c3b960ffb7c24e5b895221ee80125d30c63351e94b1fdfb0bdb6280e1e28ca436fe8d0c50f56a04431bb29d1e2d273f66874a9c9a7df14e145f358694

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  d1b29b0ff83aa7f8e807cc52766659eb

                  SHA1

                  1f3b40f5a291a55ec205fac1263561eedf47cf08

                  SHA256

                  394b16dc5413a40962c9520922ea279976b220c1c044610ae8e8746da50d6398

                  SHA512

                  73f5440c328743face39aa0fb0ec3fa15c4395d52fbf6ccf514d10d49d682fafadc5147fca872ab7bb137e127bc9ac57af85513e6aa994773e39474348e57df7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  ff0bcebe0cd5f5e190a1046258507d52

                  SHA1

                  dbbe5a659cbb61bfdc8770b79a38cc1337dea020

                  SHA256

                  2972d04220356af4273033df94399ef0b9e122d2dc05b44eeb9b1ede6f6e7f14

                  SHA512

                  7045aab7bb4bdb9426403cc29d6c2b3aa4629a000534d76d051743b009ce6c9edae1678155af900a6baf2aeb7c8ed8d612d3227817a3fa306b208704d095bb46

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  18KB

                  MD5

                  0a0081ef31cbbad26a486b7eaf4b684e

                  SHA1

                  2ff334693ebd7ffa34fd3e14c58812a9e0fbb29d

                  SHA256

                  95e68c2daffd9b0ba74be079e989d1145d5af3fe1091c276da05bb451fe9777a

                  SHA512

                  d96ae9afdd4b2633cdb0ebde15f3066c8c9e425f4a273f8f9d9a578fd01a58d26b732c984fc36a2ac00f9ea6713f8b14216208942bf403882781d92f92c63ce8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  7KB

                  MD5

                  0fe739de4549f9ab22755650adfb2412

                  SHA1

                  749db316944f8efc4f405464e74e03083710cdeb

                  SHA256

                  8079fa068f30a26f4157dd752a6778469897f9f583668933df5b815b39b6df5a

                  SHA512

                  2f72b946520e1921065f8a8d7ebefb7522c9f318392e0aaae729eae8ca0fea6d32c1f9b5ab5fd88918857534d453e9fa908db5cf884ea0b1311c2eb1512e6171

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  12KB

                  MD5

                  d993a56da3c7f150f45718db5c45cfed

                  SHA1

                  8f695a5282c52da77bee9a0b4b3d9b3b6a11f103

                  SHA256

                  4b820ff085547ff198f2608baa978ea658cec67d6e49041f084d58781edec3f2

                  SHA512

                  eb2e2920512fb46c1e6ed18e4c7d48b8785ad8e20ba9eba300ec49b102a7e957f00810ec65539a68e545fb561ad37da2519c9e6254cdaf93613283560862c949

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  4KB

                  MD5

                  ae2a53ab5b5b1b7667a08a619ae5f486

                  SHA1

                  35942c10dab235dfeeb81ac9462f29fa66d0ab3c

                  SHA256

                  5d4daa4353050a20ed48d4109a62266cc7747d5a0de3fb48b50c6ea31188d804

                  SHA512

                  bb15ad8cd225faf77e752ede9089a9e65b93446bf513c8d06cfd54c4497e96f68b5747ad4feeb58676ade60001ce3d0e749cfa8b75d316876882a8964c2192fc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  a3074d40ada15de7ccf6fe3d17f7c0a6

                  SHA1

                  77e1329bc3236e3d157c767e51ba57eb0ef69e1a

                  SHA256

                  36b99d0d37e3a6296294a9d11339db43a38fdf4816e03aa9eab6f5fc085aac0d

                  SHA512

                  ef98df0204c6497e350bf4bad840d60aced3ea9661c2856b87fa1d24a033eef64a318e06498caefbd77512bfeffe5483c4c16981bc6c5ba3391e384503cc0917

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  c9107367624f3c3f639eeae7f9e1ef6e

                  SHA1

                  80909420d59d6d138c2af892225f4bd6753e923d

                  SHA256

                  55a83ab70bcd4a13b013cab55383a80b17e085aec0e3fcc580f7bd3029243cfb

                  SHA512

                  7cbc49e4a11c3e42d0805ac3bc2828362f54195585cffea72ce757076bb3329d4a42df115c354c7b6d5e8b66dbcc02a00a8752454ac65447be4a1f4a717e3e0c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\4cd48e40-f81c-48d1-b7af-9336317ff507
                  Filesize

                  982B

                  MD5

                  89aa00f64960a6df81398e2caeb6bf15

                  SHA1

                  8355550f92692842dd84ba75e15a33e0809cdb23

                  SHA256

                  db548be2cd0ebf7f6b31fe04a178f08ea89060e96cdad9d22aac759f649540b4

                  SHA512

                  7eba3cd04c127720e8480dbf38545b5c318bd6a5641dfc4f9e673084651373d4346a6d68e09f2fccaba9567cfa9b476d456b2ac4dd87c21cd75c348a1afde173

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\67f1cbac-832c-4f3d-998e-451e2bfe2b8d
                  Filesize

                  24KB

                  MD5

                  089d6354cc5531c2981380274a1fd115

                  SHA1

                  b10691ec9c4ad8003de437c8f78d61b81e6d8c57

                  SHA256

                  113d1711444d8da3f15eca25417a58acacd93be71ed9676240d00f7cfdbba9bb

                  SHA512

                  3dfd558e941bdfbb411bdcc0bb613b12d4cf3a175fc50b4e4e52d9fe2355440f25c35d9074aa9a51bd4d855024c0541ab3e2cd16e3c7fb5d36edc58d2b9955c2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\bc684b83-f965-43b8-a079-d00cee1d14c7
                  Filesize

                  671B

                  MD5

                  a90cebdc1f5dc33ab877533a9285c75d

                  SHA1

                  0c16fce2cca23fd5968681daea3e4a810023cc7d

                  SHA256

                  808852a1b6ed08b785a6bc1fdaea69e1b7e140ec3be69610a928415443823a1e

                  SHA512

                  6d50a62aaa7d5cafdd1102410a6015ffdb213aed10f24b8382cf8f15527c8f33c689a575ca7b831d42e24e3b474277bced5858512f26c465a9daa6216ba8d243

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  3c2e5b50e636e09880b0f467273ec7ef

                  SHA1

                  906fa168d1224d79614719c67d710e6b679cbb4c

                  SHA256

                  20ef8f319e5764246b4f891fe4f60fbef2296e1a8c484a58a155b90eb45453ce

                  SHA512

                  4ef45882a38b95c1f59dd170b5b3ce709698649ecdec68da48cc9b01789e639718c7c3ac92f3ae79c465a1fb32a889fb4e7bff9dc90df1a4bb44284913aa5f34

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  992c53dbae74cc5cf89a3a1121b14e9d

                  SHA1

                  4690f5b1b905cc19ed0c1e184983a6f308f71820

                  SHA256

                  973b6dfaa9da7ac992f1bbd94110a7d4b4cb01f795b9a8229ec7d1840a98d30d

                  SHA512

                  7111b81878f6e163ed2b756f7aea7b5bda8bdc0103374f36285dc7c40a2fdf1d01cf82243022d4f1b01b44f5cd84ac6cf53751873d341b31047db96a7db4cf58

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  b77d5935f242712e9782ac4a9aef3f12

                  SHA1

                  9f0aa4776930f1d1b2bde2daca0298990e940133

                  SHA256

                  b4c1b3fa882e1bb48638d1d00bbeae8ea01da3a0bd4a495356062619df6b6599

                  SHA512

                  e9a1a35849ef559a4765b57b9677184b3bf2c8094635923fac7b639c54c899d0637500ff5376fabe77977a9f5703616203108435576416c1e80e97bac09a9473

                  Download Submit

                • memory/1292-343-0x0000000000920000-0x0000000000BD4000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1292-342-0x0000000000920000-0x0000000000BD4000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1292-131-0x0000000000920000-0x0000000000BD4000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1292-500-0x0000000000920000-0x0000000000BD4000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1292-491-0x0000000000920000-0x0000000000BD4000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/1752-2987-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1752-2983-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1852-86-0x00000000004C0000-0x0000000000B51000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1852-87-0x00000000004C0000-0x0000000000B51000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/1896-22-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-2993-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-3002-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-3000-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-2999-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-42-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-41-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-2998-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-489-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-2997-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-65-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-505-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-39-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-106-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-2982-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-21-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-19-0x0000000000EA1000-0x0000000000ECF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1896-20-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-2423-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-18-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/1896-995-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/2404-58-0x0000000000C50000-0x00000000018C4000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/2404-60-0x0000000000C50000-0x00000000018C4000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/2412-70-0x00000000006B0000-0x0000000001337000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/2412-40-0x00000000006B0000-0x0000000001337000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/2412-62-0x00000000006B0000-0x0000000001337000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/2412-38-0x00000000006B0000-0x0000000001337000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/4220-68-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/4220-66-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5020-0-0x00000000002A0000-0x0000000000764000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5020-17-0x00000000002A0000-0x0000000000764000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5020-1-0x0000000077554000-0x0000000077556000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/5020-2-0x00000000002A1000-0x00000000002CF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/5020-4-0x00000000002A0000-0x0000000000764000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5020-3-0x00000000002A0000-0x0000000000764000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5936-3003-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download

                • memory/5936-3004-0x0000000000EA0000-0x0000000001364000-memory.dmp

                  Filesize

                  4.8MB

                  Download