Overview

overview

10

Static

static

3

c326252a47...fb.exe

windows7-x64

10

c326252a47...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c326252a4700a59f6250b3a8f090996a80a4912bdc5de66021c20091879c2cfb.exe

  • Size

    1.8MB

  • MD5

    96c1a1b70f47f88edff0fc615aae0c6b

  • SHA1

    d9676fea886264dae4c2164cf392da1a9ac38e3a

  • SHA256

    c326252a4700a59f6250b3a8f090996a80a4912bdc5de66021c20091879c2cfb

  • SHA512

    fb26db4bf804d8fedb40203c737afdfcf9f581c1e370195fb03ac36ff38643b3ca437396c6a1574759c86075ee41dbe2106a4e0f484123d6a902d454eff3666b

  • SSDEEP

    49152:BU3M/NF3eOV8d94fGPrYFOa0GW8V34+M:4M/eY8kfGzYFOa0GW8V

Score
10/10
amadeylummastealc9c9aa5drumdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c326252a4700a59f6250b3a8f090996a80a4912bdc5de66021c20091879c2cfb.exe
    "C:\Users\Admin\AppData\Local\Temp\c326252a4700a59f6250b3a8f090996a80a4912bdc5de66021c20091879c2cfb.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Users\Admin\AppData\Local\Temp\1010964001\fcc9ab8410.exe
        "C:\Users\Admin\AppData\Local\Temp\1010964001\fcc9ab8410.exe"
        3⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4856
      • C:\Users\Admin\AppData\Local\Temp\1010965001\44772b559c.exe
        "C:\Users\Admin\AppData\Local\Temp\1010965001\44772b559c.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4264
      • C:\Users\Admin\AppData\Local\Temp\1010966001\ef228bade1.exe
        "C:\Users\Admin\AppData\Local\Temp\1010966001\ef228bade1.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3632
      • C:\Users\Admin\AppData\Local\Temp\1010967001\9148ec6855.exe
        "C:\Users\Admin\AppData\Local\Temp\1010967001\9148ec6855.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:532
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:116
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:684
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2776
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:436
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4732
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3588
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dca9d3a-fe74-491c-8594-d712108ff7b1} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" gpu
              6⤵
                PID:1936
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05c2caab-d3c3-4f10-b2ec-8816e5deaeef} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" socket
                6⤵
                  PID:3240
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3036 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74735bbf-ad35-4f5c-9efb-b59b7c1c5461} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" tab
                  6⤵
                    PID:4476
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3348 -childID 2 -isForBrowser -prefsHandle 3352 -prefMapHandle 3484 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1b22a6e-63f2-40c4-8fc7-fe5ed686fd0f} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" tab
                    6⤵
                      PID:4884
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4896 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8488439c-e17e-48f8-8b41-836d4387b92e} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5484
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 3 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea57946d-3dbb-4e30-b9b4-900d7f9d87f7} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" tab
                      6⤵
                        PID:1800
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 4 -isForBrowser -prefsHandle 5888 -prefMapHandle 5884 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27ce324c-4111-4bb7-b71d-784f2032682c} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" tab
                        6⤵
                          PID:4928
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 6032 -prefMapHandle 6040 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41960a5d-c0b0-4260-b703-21c370f8c237} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" tab
                          6⤵
                            PID:4856
                    • C:\Users\Admin\AppData\Local\Temp\1010968001\f0d91c5fda.exe
                      "C:\Users\Admin\AppData\Local\Temp\1010968001\f0d91c5fda.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4112
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5436
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5636

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
                  Filesize

                  19KB

                  MD5

                  eaf90243fef0a0801cfd55644535352e

                  SHA1

                  a8e399561659ec447415aa1a0b10df5c581d230d

                  SHA256

                  bb78809f7186fcf9327b3fbe167556f500aa53823f7709b21275eb7da57af55a

                  SHA512

                  b75096e230204aa1189a9323862d36ae8afa8c5910230f00e5057f710f6d906c94f51de83fdc1b349ca1ac7a6b9a36601785b4211c49329112a6a30fee80905f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
                  Filesize

                  13KB

                  MD5

                  9cac2d4bc3d35285333512dbe24e11ad

                  SHA1

                  fb74396f65d7ea6986c6f1286191ea76352e7a65

                  SHA256

                  b7d1a63d205530f308c626b9a3f7190baa6b1775cb82a678cb82b7c728298cf1

                  SHA512

                  53d4d0f7326f190c9240c88d02257f089fb1a6aae135aa34743d03d1dc1e83de7c8cb7bb5cd78d0722ed7614eef2aebbc4a75332eab534cc8e904081d38c9a92

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                  Filesize

                  13KB

                  MD5

                  535997b4932fd4f1cf631848a79afdcc

                  SHA1

                  46c168d36e5083076681358452a176bea4771b64

                  SHA256

                  455857f67585246d68cffc1c0fd7205e583c93ffbe9a6141e7d93e93bb9670e1

                  SHA512

                  a98eee2dc16938ff7f29d536fdba6166639126fed5c1053dbe2ad97bf0bc53ccc5415943f8919f933b4900ed7e652d6be4e2ce5ee245972939236084946f3fab

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010964001\fcc9ab8410.exe
                  Filesize

                  4.2MB

                  MD5

                  973ec7d2140304f80324e9ddc61c2694

                  SHA1

                  d38659340bb512933d37b6fd42e60f32d289cc5c

                  SHA256

                  1c52fd102f3e37e7714fc3795c5d8f0c49a20f2731769cf1c20ccef184a6f715

                  SHA512

                  291e0a616e882fb8b9720f22eba8e24b9a1de331de4a3e0ac02a7231efc2ae08e11e75c68d472450340ca9a42725ce80fb87ce9e3c0085ccefbc063ec4cf9790

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010965001\44772b559c.exe
                  Filesize

                  1.7MB

                  MD5

                  ddb1e6eedac4fae06ad6f2a4070b990b

                  SHA1

                  764cd6e26b6cd84b62aeb5256f1c69095935bdb8

                  SHA256

                  cdc1b21a5727f74255913e1d1d27b302c4e00030bf26ff8363d98d48321812df

                  SHA512

                  a5709b5c07b26f5b9b015f7e8cccff745410ef353cd773616e7188f540625af2402547952673cf5777db74cfd03c7067f97fc241bc36fb9e312416edf810f21f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010966001\ef228bade1.exe
                  Filesize

                  1.7MB

                  MD5

                  25fc19b411595b71a8426cbebbdc5bca

                  SHA1

                  fc479fed25b9f8d7ddeabe7990d08466896e95e4

                  SHA256

                  388e5d586661e31ff884f0bbb928f0e00ffcfb094599c51250a9ac22529af992

                  SHA512

                  faac8c20af8b1a4c8d4f23d08cdb538dad1b86417736b3ffde79ab79b2eb6933cc67a25a5e96006f06b13a117f6c5fd8d98bcb6763f3e162e44380d60fff68ba

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010967001\9148ec6855.exe
                  Filesize

                  900KB

                  MD5

                  73730e612111bb522a3676f31cc88e4e

                  SHA1

                  4a0b2e3ba26004c408bccd605c8f778679b9c111

                  SHA256

                  9bdf4f9055616d3b5b9dc43d54b151eb926571e3745967b1c01ab2e4bc856746

                  SHA512

                  bb1c952b5cef4b222e5090d947924e91383d23f5be190159ca6c76ea5f688e3c69b6a2a2022bc2e2fe3c85cd31a47730e966360ef1f4a529e8bda64938dd72c6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1010968001\f0d91c5fda.exe
                  Filesize

                  2.6MB

                  MD5

                  49cd7d9f6d9096e25cf5a95c17b17c8a

                  SHA1

                  a970a9e4fce2d614e83077a9a7571204655ca283

                  SHA256

                  d683b6185c77e6e223a377c7f2677ec182c144e0f219f221f994f2e4d172e8f3

                  SHA512

                  60c94f6b87d17ab145d4f9b852ca1ee9fa7ac977d03dd4f73bacb0dd6c99c6565d65b9a6415aaa7c3742cdc8ad8084b8f7b254039dd864f446039a14064b1b08

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  96c1a1b70f47f88edff0fc615aae0c6b

                  SHA1

                  d9676fea886264dae4c2164cf392da1a9ac38e3a

                  SHA256

                  c326252a4700a59f6250b3a8f090996a80a4912bdc5de66021c20091879c2cfb

                  SHA512

                  fb26db4bf804d8fedb40203c737afdfcf9f581c1e370195fb03ac36ff38643b3ca437396c6a1574759c86075ee41dbe2106a4e0f484123d6a902d454eff3666b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  c1b444d4e4810dbcdeb5135b1094afa6

                  SHA1

                  d3950d3fc327eeda527789829cf9e6ce990cf6f6

                  SHA256

                  b30839c52466c83e197dcfecec246ce9d5ad76bbeb31f89bbe44cdc45fb78d25

                  SHA512

                  2b45b96e6eed6dae36f8a63c059ed89a0dabb92b7cedd12ab7412c210c04b7b75a69a3d564c7f6a5a53b4784ac5013445624ccd273109b19d2b626014d3d8fa2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  6f514329acbc8cd7c16cd3a7962e0295

                  SHA1

                  5027a9b4ef123f3afe3b5391f1bda9d6fde8fa01

                  SHA256

                  40931a222b935500290a4d02aa3f0362b43e3f958a56b5a2f047f71d8e632692

                  SHA512

                  ac1da3b1a59892cf26939896e362a362a62ffefd0c366bea5d80624edc228b53736e31fe1a4ea28a9c8725b27c55651490e098691dd8df4344e7cc4d24f6f28c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  52ee71bee2f64848cdf03102f167be6e

                  SHA1

                  04a667910c44bf98da17790fcfa6a02e851e4dc1

                  SHA256

                  1819f9c65182706f9129f9cab423e3bcae0d5653484f8c151f8c60eb0bbb14be

                  SHA512

                  77de0920a51a4294275c02e1a305e2486a2859eb2ada4738a7f1b6382bd7e08b76a708687dc923a44c9f1430dc9567f7a5b52efcf08cfd144458f0a765c0d98c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  4a9285eb5b3efd1adf010ad05134d7a6

                  SHA1

                  4e93bfd86828bd269c6154c127e8b39b6c497f3e

                  SHA256

                  19a44dac41253a832dd9fd93f29ba5463a4e0052197eb68eae9bac18ded03da9

                  SHA512

                  5f981de5ea50cfdb719a1fdb7e78900579e919643682b0fd4ad186b669d400b717183172e485e866c55fa5483fb9353d5e913fc57e7c02463425a41540638b5d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  b21f0bb0f8546b306ec38debad8d97e4

                  SHA1

                  138bd76d12c38c10f3b0c502534cf56bde302a4a

                  SHA256

                  f87b920d303cc5b64b786b0c08e73440cf02c84350ad36f2616460780a35ee09

                  SHA512

                  aaf7abba237c6ce492b7d1631dc38672d5a222dd05fa214a1a378c6f88d155e628ce19bbfa5af52c643112dd5b5896e30c7477195f2751e7563bf125e5213a5e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  3891579169c1512debacf007fd318050

                  SHA1

                  aa2ca0c8544c003ebdcaf648fab160e9703f3ba7

                  SHA256

                  975c341da23e87e0cbe8eb9bbea528c623ba23d9979b530c914584ec96ce217c

                  SHA512

                  2bf8a561bdde0088fd8f8f368ea271c54b5f8db1a295881d27ecdba77d34b291707abe94d7c8cab2fb05ff487d139d50be4bf4e3f5c71d36579dc7dc0b9ee010

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\0694da73-42ff-447a-a517-d1c4a63b79cf
                  Filesize

                  27KB

                  MD5

                  c100fe59431c0fae1fa9a83afdbcd490

                  SHA1

                  df53c910aad97592d6322ea2eb18c32cb07e90ca

                  SHA256

                  283bbe33ff6a8d8f35e3a5702a2d53924a4625515b13e5c491862b776ede9088

                  SHA512

                  a1d35b579ec8204befd15624722ac7116fc60df0764387215573f16e3da77b15c5c0805aac5309c42a94d502eb6d7e8a13f9de455c19eb8c03a50098da3404f1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\af3b79a2-42fa-4e45-b60a-65a201d44513
                  Filesize

                  982B

                  MD5

                  60903fbf77f5419a4de2b7a935d549b3

                  SHA1

                  9c8028cf1e5b2356bd9f162e20352f188c7f30d8

                  SHA256

                  1b495fa5920fed2cd91f56fb13fdc0f47cd5e373063b66a7222c730b73e250b2

                  SHA512

                  0bd63af188b2424462feb6d201629394c0f2cfb6867eb49368ead44e60d132bcc5bb9c1df4d7cb89fe2c0ef7a6d1485649bf925443c722af2b5e7ce9e33448a5

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\cd103c8c-c037-4994-8868-2ec220786942
                  Filesize

                  671B

                  MD5

                  9dd62477d1a4b93bd441514a2ddafd7d

                  SHA1

                  76e3cd47e87bf47637eb3d522c2d5ad3192f92ee

                  SHA256

                  03fcf563cafbcd52e5193d0ecad6cbd6d9adcbccb15c30e2b6eaea36c0d4a9f5

                  SHA512

                  1a854704a6843340e3f90153111a1410dc2448212754e01cef449ffbe9944d61668cbc965fb60b03192aad49a8bd558c9c5e80e22242cdf2ad37aaa45b42b5d8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  12KB

                  MD5

                  684e6e9761309efd26329e96fd0c2942

                  SHA1

                  2808e866e27aaffa0f4021563f7712c496a38879

                  SHA256

                  0bc2f8324fdcf1a2d23a4cdd43abe7e17f82bb679f8b06d64fc901319144a3d2

                  SHA512

                  85b54c225391897a6816296baf3a9a685113c9e494fad45329bcf1d28ab5e1b24e9e98fa006d7cfaf0d04ffcd6126c952c78019e1a8e3fec3964d65e69beb7f9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js
                  Filesize

                  15KB

                  MD5

                  3dcbc72b71ad0de755724b195ccdd701

                  SHA1

                  af01d1d19c3329764d918480f0a9b4951a8db72d

                  SHA256

                  9214a9537e3accf3f52b58c75ed7f1f4bede3d280d324a743f10e34ae7d230dc

                  SHA512

                  06908d2b0cb617a9769bc25fda882cb50070915e2b3357409d9511a4b31a1a0b6e28d214fb203c46e3b5c4fe16a8a2fd9867a2186ce353bf7294a2b6ecc7b6a8

                  Download Submit

                • memory/1556-97-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-21-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-48-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2810-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2799-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-1852-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-39-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-18-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2818-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-766-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-22-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2817-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-19-0x0000000000621000-0x000000000064F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/1556-20-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-481-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-49-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2821-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2822-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2823-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-495-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1556-2824-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3304-1-0x00000000779F4000-0x00000000779F6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3304-0-0x0000000000E20000-0x00000000012D3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3304-4-0x0000000000E20000-0x00000000012D3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3304-3-0x0000000000E20000-0x00000000012D3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3304-2-0x0000000000E21000-0x0000000000E4F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/3304-17-0x0000000000E20000-0x00000000012D3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3632-73-0x0000000000980000-0x000000000101B000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/3632-75-0x0000000000980000-0x000000000101B000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/4112-118-0x0000000000170000-0x000000000041C000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4112-127-0x0000000000170000-0x000000000041C000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4112-488-0x0000000000170000-0x000000000041C000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4112-484-0x0000000000170000-0x000000000041C000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4112-128-0x0000000000170000-0x000000000041C000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4264-482-0x0000000000790000-0x0000000000C22000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4264-57-0x0000000000790000-0x0000000000C22000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4264-99-0x0000000000790000-0x0000000000C22000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4264-98-0x0000000000790000-0x0000000000C22000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4264-485-0x0000000000790000-0x0000000000C22000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/4856-38-0x0000000000750000-0x00000000013CE000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/4856-78-0x0000000000750000-0x00000000013CE000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/4856-76-0x0000000000750000-0x00000000013CE000-memory.dmp

                  Filesize

                  12.5MB

                  Download

                • memory/5436-729-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5436-742-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/5636-2820-0x0000000000620000-0x0000000000AD3000-memory.dmp

                  Filesize

                  4.7MB

                  Download