Overview

overview

10

Static

static

3

1ceab2ffb1...15.exe

windows7-x64

10

1ceab2ffb1...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe

  • Size

    1.8MB

  • MD5

    08d46090c22ff00bd53e843027e0dc26

  • SHA1

    ec4d86baa8a294a18daf44fcb61eca03c3116c23

  • SHA256

    1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215

  • SHA512

    c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed

  • SSDEEP

    24576:z2BoyWmAgwI0L6ul/urTQzxYtarKUKkpOb0A93R8S9D5pbgFqAKzeleH4W+:z2OFe0L6ugiKhxs6pqqAKzCeH

Score
10/10
amadeylummastealc9c9aa5drumdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 12 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
    "C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Local\Temp\1011126001\f8ed158748.exe
        "C:\Users\Admin\AppData\Local\Temp\1011126001\f8ed158748.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1992
      • C:\Users\Admin\AppData\Local\Temp\1011127001\2635e6d4d5.exe
        "C:\Users\Admin\AppData\Local\Temp\1011127001\2635e6d4d5.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2932
      • C:\Users\Admin\AppData\Local\Temp\1011128001\9f5610c26b.exe
        "C:\Users\Admin\AppData\Local\Temp\1011128001\9f5610c26b.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1548
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1944
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1972
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2356
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.0.1502639256\452993050" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {820a6039-89c9-4846-ba58-4fa5d54508f4} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 1284 110d9258 gpu
              6⤵
                PID:2824
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.1.536302363\806215227" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfb0a28e-ddab-4934-aeeb-3af5af179918} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 1488 e71b58 socket
                6⤵
                  PID:388
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.2.679210222\822939426" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2092 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc6b9fc3-b76b-4792-82cb-94480384e594} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 2108 1a4a9d58 tab
                  6⤵
                    PID:1660
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.3.1080911945\1246974596" -childID 2 -isForBrowser -prefsHandle 2660 -prefMapHandle 2440 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {087f4008-a963-46a2-8931-751fa375b08b} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 2724 1cc86b58 tab
                    6⤵
                      PID:844
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.4.1408811085\867882264" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3760 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2616411c-bca5-49c2-a9a2-ac9325a04dd7} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 3792 1a451458 tab
                      6⤵
                        PID:2448
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.5.1967131492\258618716" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5cd8031-97cf-4cb2-8c85-3f54d350e013} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 3900 1a453558 tab
                        6⤵
                          PID:1780
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.6.589361042\1156178323" -childID 5 -isForBrowser -prefsHandle 3368 -prefMapHandle 3376 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40e3718d-faa3-4f4a-afdf-6f820e2765a3} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 4072 2038e858 tab
                          6⤵
                            PID:684
                    • C:\Users\Admin\AppData\Local\Temp\1011129001\ee6f53dc88.exe
                      "C:\Users\Admin\AppData\Local\Temp\1011129001\ee6f53dc88.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2708
                    • C:\Users\Admin\AppData\Local\Temp\1011130001\6e6b82773d.exe
                      "C:\Users\Admin\AppData\Local\Temp\1011130001\6e6b82773d.exe"
                      3⤵
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Loads dropped DLL
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3252
                    • C:\Users\Admin\AppData\Local\Temp\1011131001\ee0d06b568.exe
                      "C:\Users\Admin\AppData\Local\Temp\1011131001\ee0d06b568.exe"
                      3⤵
                      • Enumerates VirtualBox registry keys
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3576

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\download[1].htm
                  Filesize

                  1B

                  MD5

                  cfcd208495d565ef66e7dff9f98764da

                  SHA1

                  b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                  SHA256

                  5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                  SHA512

                  31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  32KB

                  MD5

                  5013bb46cf23f74300e54384c5e45e8b

                  SHA1

                  fea4e3ed328be0b1752277f7e02a1a8c04589c38

                  SHA256

                  42dab0b49157501e6b0b64d7b6d28fcc796fbfc6ab62610578a4ea4dd5420213

                  SHA512

                  1fa64ada15f97d1d63432afa474e7113a5614254245d95bafce4d477303a0bd3d6cb3a5667fe1f08d105c03f5c2f465cdebd5fdb209065c6caf8d8eab4a7e849

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                  Filesize

                  13KB

                  MD5

                  f99b4984bd93547ff4ab09d35b9ed6d5

                  SHA1

                  73bf4d313cb094bb6ead04460da9547106794007

                  SHA256

                  402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

                  SHA512

                  cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1011126001\f8ed158748.exe
                  Filesize

                  1.8MB

                  MD5

                  eeefaaa894aa82d64174a8c41f8ab9b0

                  SHA1

                  c30ac06bee85663b7dbbc5eb4fe54832759f71d7

                  SHA256

                  b55a48f57d7e79e090e4ad42ce5d29f769ea489edf526631b7fd8bfd3fafdc4c

                  SHA512

                  528847d3842d7a7c43b4f23bf86539182c495e61be57762f69d2ab1d953a29fe605f3e1b3febf54c8a78bb8c4a0835209a31d92eb0c2c7f828abc7462062538a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1011127001\2635e6d4d5.exe
                  Filesize

                  1.7MB

                  MD5

                  4cedcb7c416db7284b663e6e1f136e0f

                  SHA1

                  fc9571cc5bb12358d4f7de84a545526cee192739

                  SHA256

                  5cc1a4dde4501a910faf8c7e78d175bb4cd49391660a30881cd718bdd2b59a12

                  SHA512

                  8c1d76de266cac03f24b70b59d66f0210cab464e93fcee54ba641843143ae5a86a490aff5d624224c5e346734a8150cd50e1ad58205c78afe6fa7434019e762a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1011128001\9f5610c26b.exe
                  Filesize

                  900KB

                  MD5

                  5f3ea7a51720a32aeace6b8421388abd

                  SHA1

                  886fb8f762ab9913c93f6334105d2b9fe9f1b333

                  SHA256

                  675820a9bc3354e1ab558f288eb1037a137bac7289686587ac8464b30c1c7521

                  SHA512

                  d9f60fefc7d8a69351ea597ad191fcfd2a54bfe8fe3aa12d0c58eba31dac63a8892fc0123a220bd8249d767378c448306f52d5f11d42b9a3a94d7ed6c34904bb

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1011129001\ee6f53dc88.exe
                  Filesize

                  2.7MB

                  MD5

                  c5aab82e08cc80d82267340709bbdd7e

                  SHA1

                  3c4cff8a0a41878cafec853ae9283e0bb9b4c1b0

                  SHA256

                  0b057aee49fcf8faabc5b28f0e1ba10d6e02eb2847bc7aa871a3a9856ec736ce

                  SHA512

                  2e331308e413fc76013c6237ccf16efd307c0c0bb65d51717429b4e2dcc666602ef61fbba5821177ecd7ff517a38ad95db6b8386b9f098b4ffdb251af1499b81

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1011130001\6e6b82773d.exe
                  Filesize

                  1.9MB

                  MD5

                  870c92cf89253baeaf80574aaad15adc

                  SHA1

                  feefb55fa434ceb4aa10997bedfccd5597852078

                  SHA256

                  65238eee07b00d608d030a601ebe0878656466084e1f55e9e41258bec1370b59

                  SHA512

                  fe1cf7efa897c4c4fada01ba67ef38e7491d96870ab32354b0acbf2bb0cfa32faf914d05037d6e813fcc9b1241466acdaa178adeacc2451ea371f1189e7923c6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1011131001\ee0d06b568.exe
                  Filesize

                  4.2MB

                  MD5

                  bd6d6662b11f947d8480c6e9815c3ef3

                  SHA1

                  b5ecc2be2f54b7849b8c948bbd91cef25028ce41

                  SHA256

                  7191093754402a6cc5ee460bafef859de07ac2bbf91ce56c6b56a91d3020c2e2

                  SHA512

                  242a995d3c3a123401d7776b1b5b373d7d117566a897e3e8ed2fe07faaff3dfda01daca76cc60012a6480412f6118b5185926677bb61678bdb3cca336a36e8fa

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\CabF9BC.tmp
                  Filesize

                  70KB

                  MD5

                  49aebf8cbd62d92ac215b2923fb1b9f5

                  SHA1

                  1723be06719828dda65ad804298d0431f6aff976

                  SHA256

                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                  SHA512

                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\TarF9DE.tmp
                  Filesize

                  181KB

                  MD5

                  4ea6026cf93ec6338144661bf1202cd1

                  SHA1

                  a1dec9044f750ad887935a01430bf49322fbdcb7

                  SHA256

                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                  SHA512

                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  1.8MB

                  MD5

                  08d46090c22ff00bd53e843027e0dc26

                  SHA1

                  ec4d86baa8a294a18daf44fcb61eca03c3116c23

                  SHA256

                  1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215

                  SHA512

                  c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  442KB

                  MD5

                  85430baed3398695717b0263807cf97c

                  SHA1

                  fffbee923cea216f50fce5d54219a188a5100f41

                  SHA256

                  a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                  SHA512

                  06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  8.0MB

                  MD5

                  a01c5ecd6108350ae23d2cddf0e77c17

                  SHA1

                  c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                  SHA256

                  345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                  SHA512

                  b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  9KB

                  MD5

                  dadd46fc714191b310112f771448a228

                  SHA1

                  c1b37ebba61f02f10dd0a70286d41e7552ab438a

                  SHA256

                  828d870e4f1e8aa3ce0c2558f4abfb5b6f4abef84d6337d2ef744ee3febec53b

                  SHA512

                  589afb7a42731800117783fc2f1b08e6682b2d2b6f21896d2bea12537566f63c102c33d6ebc82a1383ffcb7cf8991cf4e2838cec6fe0bbdda91a65cc7955c6d8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\b0cd91df-f699-480e-b9dd-92103df7bc97
                  Filesize

                  733B

                  MD5

                  6d720703d7aaa47aa4558149777dfcd4

                  SHA1

                  fc267152bc8d4c5d2b55a5ff047b740ca179da54

                  SHA256

                  fd8fb850dff6b10a1abfadc62d570490fb5ee4aa1a020f300bf0690bd3141019

                  SHA512

                  968cfe6ea56e29b2aba3a76d28c86e08938dab861ffc52d1fd82cfb49b115fbd6cbbabb6b62eca2f143692d1cc3016ad07dc9e9e168137021005983c9d5171db

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                  Filesize

                  997KB

                  MD5

                  fe3355639648c417e8307c6d051e3e37

                  SHA1

                  f54602d4b4778da21bc97c7238fc66aa68c8ee34

                  SHA256

                  1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                  SHA512

                  8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  3d33cdc0b3d281e67dd52e14435dd04f

                  SHA1

                  4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                  SHA256

                  f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                  SHA512

                  a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                  Filesize

                  479B

                  MD5

                  49ddb419d96dceb9069018535fb2e2fc

                  SHA1

                  62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                  SHA256

                  2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                  SHA512

                  48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                  Filesize

                  372B

                  MD5

                  8be33af717bb1b67fbd61c3f4b807e9e

                  SHA1

                  7cf17656d174d951957ff36810e874a134dd49e0

                  SHA256

                  e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                  SHA512

                  6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                  Filesize

                  11.8MB

                  MD5

                  33bf7b0439480effb9fb212efce87b13

                  SHA1

                  cee50f2745edc6dc291887b6075ca64d716f495a

                  SHA256

                  8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                  SHA512

                  d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                  Filesize

                  1KB

                  MD5

                  688bed3676d2104e7f17ae1cd2c59404

                  SHA1

                  952b2cdf783ac72fcb98338723e9afd38d47ad8e

                  SHA256

                  33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                  SHA512

                  7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                  Filesize

                  1KB

                  MD5

                  937326fead5fd401f6cca9118bd9ade9

                  SHA1

                  4526a57d4ae14ed29b37632c72aef3c408189d91

                  SHA256

                  68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                  SHA512

                  b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  c2caf87ec195dcf11dc083bb2e26140a

                  SHA1

                  73f461d844d434e0d8078a3cf54b68601af5ae14

                  SHA256

                  5fd949eae0fb1321c2e8349e6cc594d8eae76a01ee8162233ce40982a66fb43e

                  SHA512

                  e1e18e96ae399fa27db7a2efb14709c55848cda4721d906f89ad43430d10a532d0068705c3aa55dd1da2fb7276de817a35498a8b142a8c2ac15316c48e3eb095

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js
                  Filesize

                  7KB

                  MD5

                  cd4c522ae39d9a8ba2146f0d15defadb

                  SHA1

                  7e063dd8108fbee3faef3e63dd8bebd2f68600ad

                  SHA256

                  639bc25c40c4e1fbb02e191554766787f65260d5e3a7f59a3e0f6835def1ca3b

                  SHA512

                  e04aec4f63804ec84608099495bc84a2946be8c70b8a24c52b83809ce45163e072dcca6d00c79188fc2c8a12216bd2aa434db4d70ef5fe17cf3c1f44e0392c03

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js
                  Filesize

                  7KB

                  MD5

                  a58fb7738fae033356a3d4aa6e2e838c

                  SHA1

                  acff812c789c4aaf3567d32bccab91100a56f99b

                  SHA256

                  6d366bf1a569fb539ff427fb688dfb055de17697733845e526dda0ea7868f7dc

                  SHA512

                  9106cb923391e964ed0a00cd627c12098c1ac94a9228f89fc6302851ce7efedc93577ea7b7c654d6faa8c03753d6e7311276b10037167782681ad9be1070704a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  69389ef46bee36faa98eac3705db79c9

                  SHA1

                  fb5ff08f4b58d30036a41a1bace5012f431bd19f

                  SHA256

                  bd06517d4aa31f5fee5c68bfaaf5514a1ccf54de58801ec875c7560b0a48bc9c

                  SHA512

                  d3559d29d9993aa1b8512dd3becc098253f53561999d3c06f6ad745940e3a9c8e0a668683485ca0e57dae22f576d599956fe2ca766a45389cb7f3290d0feee21

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  4KB

                  MD5

                  9feed02aa1439fa4d46b5cf59ab720f4

                  SHA1

                  a6af7882c6b22c970f870028874fb21e781306df

                  SHA256

                  f7b4f55506a442afe1041aeb19e6468dc0a733c68aab388fd75b3b5ca1ac97a8

                  SHA512

                  e2ba9cd080596154345e0748d07740c127b3cfb20e3285d9d1c20b8402570b5860cee9753f6fc1b334fca248a17653ccf8a69bb3a8902b1a00f7fe11248fc43f

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\G0EtN7d5fKV\Y-Cleaner.exe
                  Filesize

                  1.4MB

                  MD5

                  a8cf5621811f7fac55cfe8cb3fa6b9f6

                  SHA1

                  121356839e8138a03141f5f5856936a85bd2a474

                  SHA256

                  614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

                  SHA512

                  4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

                  Download Submit

                • memory/1992-124-0x0000000001170000-0x000000000161B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1992-114-0x0000000001170000-0x000000000161B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/1992-51-0x0000000001170000-0x000000000161B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2568-2-0x00000000001F1000-0x000000000021F000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/2568-5-0x00000000001F0000-0x0000000000693000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2568-1-0x0000000077620000-0x0000000077622000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2568-0-0x00000000001F0000-0x0000000000693000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2568-20-0x0000000006E70000-0x0000000007313000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2568-18-0x00000000001F0000-0x0000000000693000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2568-3-0x00000000001F0000-0x0000000000693000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2568-19-0x0000000006E70000-0x0000000007313000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2568-4-0x00000000001F0000-0x0000000000693000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2708-321-0x0000000000FE0000-0x0000000001298000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2708-248-0x0000000000FE0000-0x0000000001298000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2708-146-0x0000000000FE0000-0x0000000001298000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2708-352-0x0000000000FE0000-0x0000000001298000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2708-247-0x0000000000FE0000-0x0000000001298000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2860-69-0x00000000069A0000-0x0000000007044000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2860-68-0x00000000069A0000-0x0000000007044000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2860-145-0x0000000006280000-0x0000000006538000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2860-147-0x00000000069A0000-0x0000000007044000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2860-304-0x00000000069A0000-0x000000000720C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2860-498-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-306-0x00000000069A0000-0x000000000720C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2860-320-0x0000000006280000-0x0000000006538000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2860-95-0x00000000069A0000-0x0000000006E4B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2860-492-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-94-0x00000000069A0000-0x0000000006E4B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2860-340-0x00000000069A0000-0x0000000007611000-memory.dmp

                  Filesize

                  12.4MB

                  Download

                • memory/2860-342-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-350-0x00000000069A0000-0x000000000720C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2860-144-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-491-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-358-0x00000000069A0000-0x000000000720C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2860-490-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-489-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-460-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-488-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-368-0x00000000069A0000-0x0000000007611000-memory.dmp

                  Filesize

                  12.4MB

                  Download

                • memory/2860-370-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-52-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-50-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-47-0x00000000069A0000-0x0000000006E4B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2860-48-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-46-0x00000000069A0000-0x0000000006E4B000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/2860-44-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-28-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-27-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-25-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-24-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-22-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-473-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-23-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-456-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2860-463-0x00000000001C0000-0x0000000000663000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2932-72-0x0000000000820000-0x0000000000EC4000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2932-71-0x0000000000820000-0x0000000000EC4000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/3252-480-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-359-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-458-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-464-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-305-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-323-0x0000000010000000-0x000000001001C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/3252-440-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-487-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-354-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3252-462-0x0000000000400000-0x0000000000C6C000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/3576-461-0x00000000009F0000-0x0000000001661000-memory.dmp

                  Filesize

                  12.4MB

                  Download

                • memory/3576-362-0x00000000009F0000-0x0000000001661000-memory.dmp

                  Filesize

                  12.4MB

                  Download

                • memory/3576-459-0x00000000009F0000-0x0000000001661000-memory.dmp

                  Filesize

                  12.4MB

                  Download

                • memory/3576-447-0x00000000009F0000-0x0000000001661000-memory.dmp

                  Filesize

                  12.4MB

                  Download