Overview

overview

10

Static

static

3

0ca0a9dbd2...8N.exe

windows7-x64

10

0ca0a9dbd2...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ca0a9dbd2bba363813502ce883c1ebb9032f60adf611f4dcc482aaf6d662da8N.exe

  • Size

    1.8MB

  • MD5

    aaf15e98e2f30dba6a5e434b8bd12330

  • SHA1

    6a836fd033845e34b0f92b10ed29c07712644040

  • SHA256

    0ca0a9dbd2bba363813502ce883c1ebb9032f60adf611f4dcc482aaf6d662da8

  • SHA512

    ea10255b57837f2a012b6b258b96e5c6a52b67a48f1ab2f3d21d28c8f3b435c530faa0bb372f347ffbe2f82da74b1b1c2cafdbdaded2351d827ca3ece8592e52

  • SSDEEP

    49152:UTB6KzbULmqL+SfMMq7DQN9GwPasbxUrxdC51Me:UTcBKOJPhbSy51M

Score
10/10
amadeylummastealc9c9aa5drumdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ca0a9dbd2bba363813502ce883c1ebb9032f60adf611f4dcc482aaf6d662da8N.exe
    "C:\Users\Admin\AppData\Local\Temp\0ca0a9dbd2bba363813502ce883c1ebb9032f60adf611f4dcc482aaf6d662da8N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Users\Admin\AppData\Local\Temp\1010955001\e0aeaf00dc.exe
        "C:\Users\Admin\AppData\Local\Temp\1010955001\e0aeaf00dc.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:212
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1648
          4⤵
          • Program crash
          PID:5808
      • C:\Users\Admin\AppData\Local\Temp\1010956001\cb3838be7e.exe
        "C:\Users\Admin\AppData\Local\Temp\1010956001\cb3838be7e.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3124
      • C:\Users\Admin\AppData\Local\Temp\1010957001\1fc801f279.exe
        "C:\Users\Admin\AppData\Local\Temp\1010957001\1fc801f279.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3724
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1968
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3236
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4496
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1284
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4592
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3116
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cb8037b-7e9a-4231-9081-4b012bdde945} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" gpu
              6⤵
                PID:208
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d14a66e-3858-4bcf-b3bd-5f0d78231915} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" socket
                6⤵
                  PID:4872
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3272 -prefMapHandle 2996 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdac4893-34c1-48d0-88ea-5dc6a48a2cc5} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab
                  6⤵
                    PID:3520
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 856 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {336408cb-9ccb-4984-affa-343130beb3a0} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab
                    6⤵
                      PID:3092
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4824 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5763fbb-d51f-4579-a768-cd120a696bb7} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5672
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -childID 3 -isForBrowser -prefsHandle 4932 -prefMapHandle 4832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7b3ffd6-cc6f-4a65-8f40-0d8b4bbc1bfa} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab
                      6⤵
                        PID:5712
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5104 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b639b56-5336-4e57-8c88-c100af7d4c79} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab
                        6⤵
                          PID:5760
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 5 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93e11dfc-6b77-4fb7-89a0-1b74fc54b3ba} 3116 "\\.\pipe\gecko-crash-server-pipe.3116" tab
                          6⤵
                            PID:5784
                    • C:\Users\Admin\AppData\Local\Temp\1010958001\0c0db6a507.exe
                      "C:\Users\Admin\AppData\Local\Temp\1010958001\0c0db6a507.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4024
                    • C:\Users\Admin\AppData\Local\Temp\1010959001\6f60a0b4a2.exe
                      "C:\Users\Admin\AppData\Local\Temp\1010959001\6f60a0b4a2.exe"
                      3⤵
                      • Enumerates VirtualBox registry keys
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5284
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 212
                  1⤵
                    PID:5748
                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:6064
                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4584

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    19KB

                    MD5

                    77471c83e50f8517af82ae327d5305ff

                    SHA1

                    b5897d428479ef18c98f25bb1d28aed59f9e3390

                    SHA256

                    55c7ba6c4c79e7f8f6ceef7a13b2bc0353bcc7cb3da31ac2f7c5ea092ffcd35e

                    SHA512

                    976a9137742f31a633d9485943cf28df2f568deaa4937b35eb7c2ee307688934723be036c84ad79286f74c83a1c5000f29f333947b55bccf8652e14417f74556

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                    Filesize

                    13KB

                    MD5

                    dfe99adca71de8d5bda25872a63a8eff

                    SHA1

                    5c16252e99cff6957a24ed4f4e8caa9b0811e543

                    SHA256

                    054fd877b5890b20a73bfffde61dd901416b90e9eeabbad3b27aa413d865b925

                    SHA512

                    f5b05a73dc537d367fc2be9120a60da976c859b6adeafcff59c26d3f8a8eaee82b1d33b97315d4ee2a1c3ba51038a412e9fffdeeff0c05ddbc7d1cbc6d1ae7a3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                    Filesize

                    13KB

                    MD5

                    527b3b2e491ce5ca2484d8b386c7457c

                    SHA1

                    3c3fc1150b81339b539a792793b01c96da0b07d6

                    SHA256

                    0cef7762c84c477c8b3989a6b934bf03c653cc0d1a876f9c8a9dbadcbe5c7867

                    SHA512

                    2b1584706746766446db6d403cf618ada1799d096f211eab74e0105e441b0116156712188738cb872114f720ad03fa89a8edc2a5d24a59e997553eeb1a556a57

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1010955001\e0aeaf00dc.exe
                    Filesize

                    1.8MB

                    MD5

                    1f9c292c772273758df546b122a6d037

                    SHA1

                    b12deb57679265b5b7f287ea8347dfb181730ca8

                    SHA256

                    69b1c668e9b9d60b5d927a7b50daa6fd958491bfbe1a053cfb19f3e7cdef5275

                    SHA512

                    c8492fc73ab2a53cfe99eea941dbab53877a7c17dbdf2c97b584eaaa690b3312d3aed392c272271bc4d22bc33e7b2462a370b06016dca7166e444e43ac5cdbee

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1010956001\cb3838be7e.exe
                    Filesize

                    1.7MB

                    MD5

                    35948213c9e3f42e14b94d52a17baac4

                    SHA1

                    5080ae7c778b224beb7f2d141a9a47c0cad51d6f

                    SHA256

                    2fe4bb80aee0786e5a2b4cbc5c97eeb413d1f44e29bbe491f5a5865efedc8744

                    SHA512

                    7706918f5a8a05cf18bec8b2768e80a0554819854776e2c78bc2e86861e819ffb2a326556474c959cd79f20e6ffaccce38533a951b5e772a77cd5406418ba532

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1010957001\1fc801f279.exe
                    Filesize

                    900KB

                    MD5

                    3a0407fd582eacaa79d560ea2f45ec75

                    SHA1

                    426208e380f80a3fcd74b158084680d724a04c34

                    SHA256

                    f43e1f643b1c609e8f2a06937c95cafaa24eb1067813f5607b078b509f2c5adf

                    SHA512

                    8cd92504a3c47079539aff2bb6bb0acb96acadd78b4c92db16a006d5a4d134625f7d7198c6a5ccb56602f23136357bef3f96a6f392a7b8050b0abdd3e66a8fa4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1010958001\0c0db6a507.exe
                    Filesize

                    2.7MB

                    MD5

                    75735d7efb0f66f4953c798145069aac

                    SHA1

                    78a376da0d0f2f168e1a1361852acb0c3500f0a0

                    SHA256

                    40f297c01a5db5342c9dfb4b4a536cf6a78dc4a55cb47b4c05df07a7ea58a19d

                    SHA512

                    c0688d8667933d7c9649b334be63e1b9b9b5ba249660abbd365426528a86d23ee40b544326eb29a927b15494f679688211a1fc067a8f4407767c99de31a18816

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1010959001\6f60a0b4a2.exe
                    Filesize

                    4.3MB

                    MD5

                    470f8e16431a79421e2ca70f354dba11

                    SHA1

                    3c091e5f699f2102248dc54d4813c56f511133cc

                    SHA256

                    96539cfa294ed1e637924acbf10ade9c22ca4fff9a28933a3197e788d7e03577

                    SHA512

                    a53d392eeeedac0f0d60c65524e646960051a2c286c1b8d27113a77483dcf181455730a4e0ecf540bb29e27c120c2fce35153bb6ee1bb9014380f31c5074af1a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    Filesize

                    1.8MB

                    MD5

                    aaf15e98e2f30dba6a5e434b8bd12330

                    SHA1

                    6a836fd033845e34b0f92b10ed29c07712644040

                    SHA256

                    0ca0a9dbd2bba363813502ce883c1ebb9032f60adf611f4dcc482aaf6d662da8

                    SHA512

                    ea10255b57837f2a012b6b258b96e5c6a52b67a48f1ab2f3d21d28c8f3b435c530faa0bb372f347ffbe2f82da74b1b1c2cafdbdaded2351d827ca3ece8592e52

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
                    Filesize

                    18KB

                    MD5

                    a15677f18a48afd480ee904ca87a1353

                    SHA1

                    b23905a348c7e48cee884e4ead1328477a709018

                    SHA256

                    869bc5619a69057e921c880867ae11a4797f2fbe2d49a1370bc2b8297084634b

                    SHA512

                    bcdbab23f296a477f3d05e17f4577205b8c53909c7edc6be1051640c8a7abfb6172355923d6776e4a0bfe1491e38527bdd2401a0b6fd87bcd591c5ac1609e10f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
                    Filesize

                    8KB

                    MD5

                    3b7e556632bd2daeadd06f55cb3108b2

                    SHA1

                    306a4125ea4a243d5a8e4d13c33c46db37a39f2d

                    SHA256

                    fdb1c676ee5fa05d3b4595f990c1135599ae314bc9a0dad2351becbb8d4c3016

                    SHA512

                    260d04e447b412d72f24fb237657adab70dfa692d9e119b3c4892714c4e73476eb036b685a2d8b0852c2f67d41d4db62682589f81f1a9b486949da5e9d3ea888

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    0a520607516473f31a65888585cc6743

                    SHA1

                    2d7368978640e324bf8c48b20f0a2eb10fb48c26

                    SHA256

                    65db58e9042fdf5a9f69aed73439054354c2d4a7fb05e82ac68b8be7185c4d5d

                    SHA512

                    796d1e81db751f0bbcf50ea78658a7f575ccb191fea413843f445bd6baf5446cdd15061d312361b0904c75ca4940b08c1c39f2f819a0e06cb13f68c915b81e8c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    15KB

                    MD5

                    0ed447e925b47b777202b5c7912215c1

                    SHA1

                    2bb02282c26b3a38527f2ca8b330bbbdfcdf4433

                    SHA256

                    563e8da25fd0a842fdb7931f1249e032dfea4f39851c63882e6495d018c6abb1

                    SHA512

                    a90697d7d412fa74a90706ed2fa3fcf502b87d1254bf4f477ddde2b12706a5bf6b4bba25b3dde20f6415f3934982986bb278a81faed54f62972a6e23ba069ac0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    15KB

                    MD5

                    efe3e8f343e2d5bf79056b7be002f99e

                    SHA1

                    35ea4d357509ed2efc9515eea6f993bb2900f519

                    SHA256

                    b8fc46a76646d940cd74a5bd07239ce0d43fa607cf472229d947ac799a4a2cea

                    SHA512

                    5adc1f9eb10f30ec4bb75650bc177e1ba5355b8cfb0d5d916b048cc232c2fd135a8b7ccb03e05d419b23071cd440df7832a1cd79ee32b16cc1ef7d69b936939f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\2574d4f2-d843-449b-935c-d7a765f6a7e9
                    Filesize

                    982B

                    MD5

                    1c1bada109070306415b45a5e2a86294

                    SHA1

                    7223b4621919a1dbade4bc9129ca81e5184cf09d

                    SHA256

                    2f34427c9d854f23ad7fec5ca84795431b234b1c224a71c16ae72762efbee4fa

                    SHA512

                    172935dca43e254d27e254514d3c496f9464344d89a9207808b11fffe548d6e679098e32f5091b4a0630c002c73d64ccfdbdf6056b1f9b1a63933ab912793728

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\41f78dce-4f8f-468c-b440-6eeebbb9514c
                    Filesize

                    24KB

                    MD5

                    eb8081f5c00c7364f1cdfe6eb94f5f44

                    SHA1

                    24310979f783ff4568282fe1e88f3c403c477f9e

                    SHA256

                    4fc23abfbdfe13062d351d9e402bde902d124b4f6a67aab1188fd8cea8f8c9cb

                    SHA512

                    fbbcde367d36cb159a31b61e2e448b73fe86ffd2d10cf052dc60763db3f29fb5d15c7ee248d4f1cbceccd50f01dbae5323a4d60fe2170fac241b6afe076c7946

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\88d856e4-fbf1-4a37-9736-a95cb1ddcc47
                    Filesize

                    671B

                    MD5

                    06935cb02492f34866f61c98a443591e

                    SHA1

                    08dfa8f48f1a1d9d252657237a9b554e0ead2b06

                    SHA256

                    f49039d7d217c130bd28f4a7d10964a58693466913b434d165ff60e25022709a

                    SHA512

                    eee238f46348ef9b905c31fe11276ade1c15d06836ece57f3c8eaee4fae1b58e70501eff0b64453331f93c1820ffb0dc3511471ed182428323a16b95f74a2db0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                    Filesize

                    12KB

                    MD5

                    83c1eba1eb8bb893e0c7b57cf1948d56

                    SHA1

                    6afea35d581ae056570bc7837f6d8f48c682f97c

                    SHA256

                    d2fb72981a6e06982fee084e73e11036993c8fb1fb76d8ac0a0d7dbff88f87ec

                    SHA512

                    5f69135f90b34e47a55efb6b9e851d617d950ad74b6fb55473f64337959c659a0e28ad16f94bb2a7debc7dc24b33bc4da3c6f3ebf167b39ee4d35be7145e35fa

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                    Filesize

                    15KB

                    MD5

                    c7f6354a4e20cd127941076d2f0c13e0

                    SHA1

                    713bdb4bba1cf924fff1cf3f04618cba8ad2ed4d

                    SHA256

                    cc972c2f0e63076dbe94dc7d5474c135ec96d403a5a8822733abb76155b21013

                    SHA512

                    e4a9a1415d3d8fd89091bcf06b8757c4cd5a4a4ee7ebcd17417dcb72965dbc7591da3568cb31908e03be1b001827b9d2112ae8fc7433b1f18addec0c9ca40875

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    a28c9d70f69f8903afccc60998e67188

                    SHA1

                    635f521626a5cbf90dfa8bb02bc17eaadfa8c74d

                    SHA256

                    685e82eaf57668cf85f09091e42531e049bb661ca839be7ba1a3ea38a98c329e

                    SHA512

                    ced0550aa56b7c742b5e2860b962ce70934f90ef2759d71e936ae0f8189148ee787f05848a4e7d433d5117863d41b515d5e6e7f9356aed3694c630d4564f8bcb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    7341d8a4b4d5ad7b43eebd49a260e9ad

                    SHA1

                    6501d2c4b22c32cf1d7c4f9424d0a9b18560d41b

                    SHA256

                    50eda8cccc188c78ce94463615970c76fe6f5b2932d4e2b2c6ebe90fc2a5304d

                    SHA512

                    17cba2cbe37db674f2f870a21030ec0815c300c7780b00c93246a3eaac77309f23b29c3cbc8dc1eb9a007f4a9391a6f6a28bc95a0d7041165d1fbfa1bff4edd5

                    Download Submit

                  • memory/212-38-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/212-81-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/212-41-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/212-40-0x0000000000FF1000-0x0000000001016000-memory.dmp

                    Filesize

                    148KB

                    Download

                  • memory/212-78-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/212-497-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/212-80-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/212-490-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/212-79-0x0000000000FF0000-0x0000000001484000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/808-5-0x0000000000520000-0x00000000009D4000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/808-3-0x0000000000520000-0x00000000009D4000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/808-15-0x0000000000520000-0x00000000009D4000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/808-2-0x0000000000521000-0x000000000054F000-memory.dmp

                    Filesize

                    184KB

                    Download

                  • memory/808-1-0x0000000077804000-0x0000000077806000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/808-0-0x0000000000520000-0x00000000009D4000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3124-58-0x00000000002F0000-0x0000000000982000-memory.dmp

                    Filesize

                    6.6MB

                    Download

                  • memory/3124-59-0x00000000002F0000-0x0000000000982000-memory.dmp

                    Filesize

                    6.6MB

                    Download

                  • memory/3148-1021-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-2785-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-39-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-2800-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-20-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-2799-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-2796-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-17-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-2790-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-19-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-394-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-21-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-57-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-575-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-1634-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-18-0x00000000005B1000-0x00000000005DF000-memory.dmp

                    Filesize

                    184KB

                    Download

                  • memory/3148-498-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/3148-22-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/4024-461-0x0000000000150000-0x0000000000406000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/4024-499-0x0000000000150000-0x0000000000406000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/4024-456-0x0000000000150000-0x0000000000406000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/4024-503-0x0000000000150000-0x0000000000406000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/4024-462-0x0000000000150000-0x0000000000406000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/4584-2798-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/5284-507-0x0000000000640000-0x00000000012C7000-memory.dmp

                    Filesize

                    12.5MB

                    Download

                  • memory/5284-505-0x0000000000640000-0x00000000012C7000-memory.dmp

                    Filesize

                    12.5MB

                    Download

                  • memory/5284-481-0x0000000000640000-0x00000000012C7000-memory.dmp

                    Filesize

                    12.5MB

                    Download

                  • memory/6064-509-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/6064-506-0x00000000005B0000-0x0000000000A64000-memory.dmp

                    Filesize

                    4.7MB

                    Download