Overview

overview

10

Static

static

3

a52032816d...1N.exe

windows7-x64

10

a52032816d...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 04:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a52032816d7f78f3d765e1f02d0582ad0c5059a3883ce8bb4183ed0dc999f4e1N.exe

  • Size

    3.1MB

  • MD5

    93466f88f4f2f8ea092bd09756760ce0

  • SHA1

    ef5cf2952ca01f1c9f48209527d450cae503800d

  • SHA256

    a52032816d7f78f3d765e1f02d0582ad0c5059a3883ce8bb4183ed0dc999f4e1

  • SHA512

    192e89465f65b3a0c32019ac1d3ef833752446c7a0665d83b5caf95057fb4781e89993da0a396df5fbb8d3d5a7e88f3679d6683dedaafa24e4987f937b8c56a9

  • SSDEEP

    49152:r+fUCjXJvougi8pQotNWj6LS1HWTB/ewzAXvvtDAlng5LO:rgvZgi8pfXWmLuA/ewzAXvvtug

Score
10/10
amadeylummastealc9c9aa5stokdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://atten-supporse.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a52032816d7f78f3d765e1f02d0582ad0c5059a3883ce8bb4183ed0dc999f4e1N.exe
    "C:\Users\Admin\AppData\Local\Temp\a52032816d7f78f3d765e1f02d0582ad0c5059a3883ce8bb4183ed0dc999f4e1N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\1013100001\13437fce89.exe
        "C:\Users\Admin\AppData\Local\Temp\1013100001\13437fce89.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2440
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1492
          4⤵
          • Program crash
          PID:4812
      • C:\Users\Admin\AppData\Local\Temp\1013101001\41dc2cfb23.exe
        "C:\Users\Admin\AppData\Local\Temp\1013101001\41dc2cfb23.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2736
      • C:\Users\Admin\AppData\Local\Temp\1013102001\9d179427c9.exe
        "C:\Users\Admin\AppData\Local\Temp\1013102001\9d179427c9.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1800
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1400
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2724
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3132
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3228
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:660
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da0a82f1-5482-4d52-9be1-f9090f800d93} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" gpu
              6⤵
                PID:2308
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05819734-027e-4baa-ae24-43d7be4bba00} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" socket
                6⤵
                  PID:4632
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2896 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52b43d73-f798-41f5-8952-37d570ad76ba} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" tab
                  6⤵
                    PID:1708
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 2 -isForBrowser -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67f11d0b-54e8-41cd-a3f9-f7e5851373c2} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" tab
                    6⤵
                      PID:1628
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4816 -prefMapHandle 4812 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c99baed-a377-4e71-b80c-586b38aa6a25} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5308
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4211d2dd-4742-4a50-abc1-88ebefded7d1} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" tab
                      6⤵
                        PID:3688
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4930822-99f1-4817-834b-7cf2e3367b14} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" tab
                        6⤵
                          PID:3664
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e14ae34e-9f1f-4590-a2be-9bc3cbf830e6} 3040 "\\.\pipe\gecko-crash-server-pipe.3040" tab
                          6⤵
                            PID:2724
                    • C:\Users\Admin\AppData\Local\Temp\1013103001\8bed0a0067.exe
                      "C:\Users\Admin\AppData\Local\Temp\1013103001\8bed0a0067.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5696
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2440 -ip 2440
                  1⤵
                    PID:1224
                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3092
                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    1⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:6080

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json
                    Filesize

                    27KB

                    MD5

                    38dae0bc9a0d302af66dee9266d1f846

                    SHA1

                    6f365814f4ea04defbe96ad6c18887a15589b78a

                    SHA256

                    d04222b35cf42917b7403ffb1972ae0376f2de73bfe0d4ec6ebb79696ba6482f

                    SHA512

                    7233ed4e490625e59bf4ab640b72e43ad2ff9930d76140219f5a2acdb631b8170d9f77daeef69a355eab0481a3b43036f1396b276e8aedc4280a47868a79029a

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                    Filesize

                    13KB

                    MD5

                    02538ec8c8aff8d78580377574d17e82

                    SHA1

                    afc958ddcafce4e2fb7c7beb9d6dcad02bc8d3db

                    SHA256

                    c1b3789ff7baa92f4b3512dc3311f7db55963a22270008eb3395d4a2e8b2c5eb

                    SHA512

                    d50727136d18d2f0ee9cd29633959df9a37c860d242f52fd01802873756be319c06bb9af3595d0c87297068396b32c75c5040edc38a23c7970257de4b5fd8991

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                    Filesize

                    15KB

                    MD5

                    96c542dec016d9ec1ecc4dddfcbaac66

                    SHA1

                    6199f7648bb744efa58acf7b96fee85d938389e4

                    SHA256

                    7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                    SHA512

                    cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1013100001\13437fce89.exe
                    Filesize

                    1.8MB

                    MD5

                    ae3d45c9e87392c2696c359cc7c76b36

                    SHA1

                    bc712f300ea25748028255e83a2c52dd9c814c78

                    SHA256

                    9a94dc4f3aa50a4730403c56d03e4b4a58cdc3a68d37548ea431f93010a6879a

                    SHA512

                    0ec5f292f2c73d894c7b66cd69653663d735c899a41ce02d5dc43b06cb3662b23b1c7ffb0a36bc2a29f6e10fc7309a94fac4bb25c3036b1e5487747ef12e78be

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1013101001\41dc2cfb23.exe
                    Filesize

                    1.7MB

                    MD5

                    4359e876386a8d8d35132404f6e2090f

                    SHA1

                    160801525ab37269a6ada9bc36991cd2f0f09112

                    SHA256

                    ee5647fd7e2f7c8de0a96833d057a28ca051ee67ef8d10b97196418d2b55c340

                    SHA512

                    c64038a5256bc95eadabdcce643135b2228efa1091009b53a62a5277090756f4872f47a39caf29ef99383a6f6c67d2f57b39fe33f0c231542eb5992d0487690e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1013102001\9d179427c9.exe
                    Filesize

                    947KB

                    MD5

                    7a102edcea7928fa9540e204419a27c3

                    SHA1

                    2283ef07f7ad3b97c55a2c18286196cfe20c39e5

                    SHA256

                    6c3a98e206d5c4ffa7ee6df0fe98808da4d45da7d5fbcbaddbf2d4417eb4aed4

                    SHA512

                    4e18edf420d155c14894fb6f3a41a42bb2920629d1ff1a832006de8c6254b7de7caebdb9b501cdc66e28ecc1c73a7ddbdf64bcaaf43b33f24b93894fe0f0aaf8

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1013103001\8bed0a0067.exe
                    Filesize

                    2.6MB

                    MD5

                    c86f1f5cdd71da3c1553b05ad734681c

                    SHA1

                    ddc9672b2948584778e5ed65b7a286acd884c841

                    SHA256

                    981841af8c8073eb15b084cd48f2572ec44f72a2fc3a775b0cba574e26a97403

                    SHA512

                    8372f3e4b18a0110a798af9de37e90fa57c90ba05062172b3f4891ad8be5ee8d17dc820bbaff47749752d66284429d745afc8c92e5b54d793e176db1e7d2043e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                    Filesize

                    3.1MB

                    MD5

                    93466f88f4f2f8ea092bd09756760ce0

                    SHA1

                    ef5cf2952ca01f1c9f48209527d450cae503800d

                    SHA256

                    a52032816d7f78f3d765e1f02d0582ad0c5059a3883ce8bb4183ed0dc999f4e1

                    SHA512

                    192e89465f65b3a0c32019ac1d3ef833752446c7a0665d83b5caf95057fb4781e89993da0a396df5fbb8d3d5a7e88f3679d6683dedaafa24e4987f937b8c56a9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
                    Filesize

                    8KB

                    MD5

                    3782ce260de32d5dd2794b90398325ae

                    SHA1

                    1e9623a1d5ad57551e17058e889481e07afa71f5

                    SHA256

                    1761a34c9447457bb73518bcbaa939071cc9fd177bab3e7c9d232aa156636a00

                    SHA512

                    12857fe042b279382e806fde05a3afcfd14c77e92659ff1ef1df0b218818a0fcf04093960a32c0ad8ddd3f205ea9133fd124d973e9d5d43ffd04c3ff57ed2aa3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    15KB

                    MD5

                    dace3ad9527fb3adcf8daff60a249b98

                    SHA1

                    b147d5feac88c212d6d4b6ad4730a3db45264121

                    SHA256

                    3004b2dbfaf01b4c7bcebd4422a44ebb5b29ef191d99a4c64f8fb7e94ed60abb

                    SHA512

                    01f5d528101d747f3422947526015872b154db915ff17393443afc8ddf18fe5980c63a54684fff17197dcfc81248310d9b0341943b4907e8012d5e70a982a742

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    f257e7d0bf0e403a636d6e24e12372e6

                    SHA1

                    6054e6b2649155a62144397c6436804406314764

                    SHA256

                    ec8fb302293d48f1df1f65023b9ec0db49f9e28283f3df9274a1e4a82b8723c1

                    SHA512

                    cb1c1c41e79c7b368672aa9390ca1bc9ef6230530823bf5143db4da056c177636115f7e0972a8094cd002862c88033957bebb43e55f4c4707153cb8bf7f553f3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    15KB

                    MD5

                    bc4c3d124480ed458ae25ec6302901f7

                    SHA1

                    65d9f5b3ab01762a1bfe9814c04f62687f0b247b

                    SHA256

                    53f61e7b7d108ae29cccdf7404bac4b18e9698a901cb3909a7fe0dbefeaa3100

                    SHA512

                    67ad70d925b7f7d47130cb51f11983cbe22366cfa4ee7bcb474046e40b02d746a0b6b077c5f65f81da4cd1861aed0767e29f60497f4e5cd55116f8d5324aa523

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    dec358ea5a6299c0f3cb4c7a2a44ea6f

                    SHA1

                    7b08f6e78ae599bc44d0a921aace186f88155c0e

                    SHA256

                    188faf32d5b9eb17b721b52d3271ed4b7525ec19cc89fcba804a79926897b2a7

                    SHA512

                    a40003a9c99d9d728975aa2624abc07be4a4daa80344b657cc717095fcbe3abf048cdae3d12cb5d044f70935293c97d15debe36024980ae4b1feead761b6a0b0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    bdbe25a8971d915acb44e7a9530ae971

                    SHA1

                    798f8cf6832ccaf7b4a5cb7b630f23f5c34ea3e1

                    SHA256

                    ed73f2fb093399dfd44609cab98164a650059f1bb91345663169a718dd952442

                    SHA512

                    49e68df4c5406b0b37b09cb6123af466a158112c92ed7d02a6b7b424d60b3506b83f1f533c3733bb5450d8546d3fdef9898b8207063d8470928665261bfee69b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\7acdfbbf-ead3-4f7d-8d99-04adb8ea9739
                    Filesize

                    982B

                    MD5

                    6c1c79c6d1ff4d45e776a85b188502f2

                    SHA1

                    9575b754a3af69507b2e4c1bd5c6ce628a8febd4

                    SHA256

                    618ea08294d3316b7b45308391ea683e495fb777aec247c0cb1fdcf91c7548b2

                    SHA512

                    c67ec53fb70bc3b3c2c8bbaecda1d69e615d3e4b99d09ad0b796047eaa40ae4a7167e94e39c91ab7634abfe628c74b2da3fc8f1c75c2c15220e0f84f93c744ea

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\8ff56831-623f-4436-83fb-8fa3c048a7d6
                    Filesize

                    27KB

                    MD5

                    66087ee53fd2969c1d9e833f323c7601

                    SHA1

                    3a6142286fc52d5f66c129f61babe752300601a3

                    SHA256

                    8ece149a84fc915322025480f1da83d1165bcd6dd2ad53482577a1bf74078ace

                    SHA512

                    0809e400a2dda0686998ff63506e6c35bca1a4e4a23122322f87c63d1a5e0ebb939fbd7140f298d9b86977127f99ffe641c1844ab04ad48befe92f10928b9427

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\e6dfc095-85c4-430b-a966-35b2b9f219d2
                    Filesize

                    671B

                    MD5

                    2f9365bdeb82b8fbd18487d5955559d3

                    SHA1

                    488341a011d70ef4cc24be9eafd62bcebaaccc59

                    SHA256

                    9b55f3ff656e9297124f74aa7175f850c8f6d7ce1c6dde5b2e95b6dad9477d45

                    SHA512

                    6e5872cba11d91c95998d83db361a2d85748294d01f46a3cbfbc949fefe34042091765c09667201ef245426942d0db05a7680b95f36f71e54829e49ea72ef2cb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js
                    Filesize

                    15KB

                    MD5

                    18db21e23741860422d1e8689e04cb0c

                    SHA1

                    b8faed44b049cc7c12a87ae8b76bccd4beeb7bad

                    SHA256

                    8924bfa4cfe5eff5b8ba409c5abb124309ed023caeb939bb87b8f166b0bbfbd6

                    SHA512

                    21fed144a7a2ba377e2ec2b51caf65f65bbeb3a8010996e9c40d00d38a7b62874ecb36726b201e82cece8c9e7c47ea9dbf4008e09b354c0401996ee8fedd07fa

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js
                    Filesize

                    12KB

                    MD5

                    b6e13869fc91b314adfb206a98a90fc2

                    SHA1

                    88e744e569243b48e16e7e3f2ecec80bc52a8e99

                    SHA256

                    f8373e35969870666d312adb45e45c901fec19500fc42652ecfece4e0f81302c

                    SHA512

                    64ef22d05058802d734ecc012d3d2ac3c097e61f973046e55c2e3498294e6e25df474a615fae99813eba6ee53e12cabfff380159cd984cf4b40edaaecc5cd7d5

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    c22fb85a231038bf86ba2823aed51df4

                    SHA1

                    df1056b158fb17bb5ad9f64d4a99c96cc4f02002

                    SHA256

                    7f5bdc31fddec28d85b192a56f997b398626e40c3fb76a90fa487ddd2ca2095b

                    SHA512

                    d4a4d31f7cefacf2d853d70721c52d9a1cb9c53779f059c528116e87a1b127af8ec7778f397e59f3ce588ad6f4bd4bc3c0cc5e093e8e26c2a3ba3d421f2c9554

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js
                    Filesize

                    10KB

                    MD5

                    4dcf6b7f2fed22452e8c700a63c94ea3

                    SHA1

                    0638dcb0de49795f4e74a4d0ab11bd150589b28a

                    SHA256

                    8a08dbadfa31af46a7acd38130845abccd2c7c92b6dafbd76974acfaca8cd610

                    SHA512

                    a63fe0a0109680b7ea9ae3a13a6cb0bc28e66258c9e9ce068e84e61d34c94de2776205eb3462d5de0691c686cee24649d24b26070cc752c661ee9b42a8dd30d2

                    Download Submit

                  • memory/872-18-0x0000000000F80000-0x000000000129E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/872-3-0x0000000000F80000-0x000000000129E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/872-19-0x0000000000F81000-0x0000000000FE9000-memory.dmp

                    Filesize

                    416KB

                    Download

                  • memory/872-0-0x0000000000F80000-0x000000000129E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/872-1-0x00000000777B4000-0x00000000777B6000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/872-4-0x0000000000F80000-0x000000000129E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/872-2-0x0000000000F81000-0x0000000000FE9000-memory.dmp

                    Filesize

                    416KB

                    Download

                  • memory/2440-81-0x0000000000AF0000-0x0000000000F8B000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/2440-42-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2440-43-0x0000000000AF1000-0x0000000000B15000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/2440-39-0x0000000000AF0000-0x0000000000F8B000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/2440-44-0x0000000000AF0000-0x0000000000F8B000-memory.dmp

                    Filesize

                    4.6MB

                    Download

                  • memory/2736-62-0x00000000002F0000-0x0000000000967000-memory.dmp

                    Filesize

                    6.5MB

                    Download

                  • memory/2736-59-0x00000000002F0000-0x0000000000967000-memory.dmp

                    Filesize

                    6.5MB

                    Download

                  • memory/3092-468-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/3092-473-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-22-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-3318-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-492-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-16-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-3813-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-466-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-3812-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-3811-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-3807-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-20-0x0000000000641000-0x00000000006A9000-memory.dmp

                    Filesize

                    416KB

                    Download

                  • memory/4160-21-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-35-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-40-0x0000000000641000-0x00000000006A9000-memory.dmp

                    Filesize

                    416KB

                    Download

                  • memory/4160-41-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-759-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-61-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-3803-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/4160-3800-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download

                  • memory/5696-491-0x00000000006B0000-0x0000000000960000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/5696-391-0x00000000006B0000-0x0000000000960000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/5696-445-0x00000000006B0000-0x0000000000960000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/5696-443-0x00000000006B0000-0x0000000000960000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/5696-487-0x00000000006B0000-0x0000000000960000-memory.dmp

                    Filesize

                    2.7MB

                    Download

                  • memory/6080-3810-0x0000000000640000-0x000000000095E000-memory.dmp

                    Filesize

                    3.1MB

                    Download