Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2024 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.1MB

  • MD5

    d75b31ba6f3bebdb12b9c28a09d444f9

  • SHA1

    80f5231691ec242eb62324bdf2986c50ae9b2ac8

  • SHA256

    e951c2f841b3ca0b3bb4ba865ab40d102a6074a4b6f74c0c10d99f6ea125c2cf

  • SHA512

    24de73a3543d2474ce6c40ec11c814361f3200b752ff165c8283628504b7bba5090e48713314fddde076518060ca18fe7043113aeed24e36e29fb07c057d77ed

  • SSDEEP

    49152:NcyRqEl5yhyZfpyqcm8consSF1nWSKiYRl7Ea+iwFCrlxbuGLfd:ZRGhyZfpyzmVtAAJZJ9+iwFCnbB7d

Score
10/10
amadeygcleanerlummastealc9c9aa5stokdiscoveryevasionloaderpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://atten-supporse.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 13 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Users\Admin\AppData\Local\Temp\1013509001\8d7982f583.exe
        "C:\Users\Admin\AppData\Local\Temp\1013509001\8d7982f583.exe"
        3⤵
        • Executes dropped EXE
        PID:2828
      • C:\Users\Admin\AppData\Local\Temp\1013510001\db22f3bf8c.exe
        "C:\Users\Admin\AppData\Local\Temp\1013510001\db22f3bf8c.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:504
      • C:\Users\Admin\AppData\Local\Temp\1013511001\f84b79a306.exe
        "C:\Users\Admin\AppData\Local\Temp\1013511001\f84b79a306.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2068
      • C:\Users\Admin\AppData\Local\Temp\1013512001\11fa64c3be.exe
        "C:\Users\Admin\AppData\Local\Temp\1013512001\11fa64c3be.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:488
      • C:\Users\Admin\AppData\Local\Temp\1013513001\c32082fd90.exe
        "C:\Users\Admin\AppData\Local\Temp\1013513001\c32082fd90.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2880
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3064
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:332
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.0.1019120997\1203486434" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77ac1668-cd2f-43fd-b9d8-6917501471d4} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 1296 11fd6558 gpu
              6⤵
                PID:2060
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.1.2123302930\1083990043" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07c87776-26ec-4851-b87c-d6568a4e4b6d} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 1500 e72758 socket
                6⤵
                  PID:988
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.2.2040243020\1794992931" -childID 1 -isForBrowser -prefsHandle 2092 -prefMapHandle 2088 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08124cc9-3086-4837-aead-b8343f76522c} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 2104 1a1c7058 tab
                  6⤵
                    PID:904
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.3.1677882000\1172930625" -childID 2 -isForBrowser -prefsHandle 2540 -prefMapHandle 2552 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08371de2-17c7-496a-98ff-5a922813e638} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 2580 18ebe458 tab
                    6⤵
                      PID:2312
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.4.1514861220\1553210292" -childID 3 -isForBrowser -prefsHandle 3784 -prefMapHandle 3844 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68653f4f-e517-4b0b-addf-5384127c47a8} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 3856 20de9858 tab
                      6⤵
                        PID:2428
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.5.2009972106\381895884" -childID 4 -isForBrowser -prefsHandle 3968 -prefMapHandle 3972 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b53667c2-a198-481b-bf79-39ef7634e0c0} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 3960 20de9b58 tab
                        6⤵
                          PID:1468
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2796.6.1679132407\1326220791" -childID 5 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e908e41-82a8-4daf-84d6-252a0bb1146e} 2796 "\\.\pipe\gecko-crash-server-pipe.2796" 4140 20dea758 tab
                          6⤵
                            PID:2752
                    • C:\Users\Admin\AppData\Local\Temp\1013514001\489150765f.exe
                      "C:\Users\Admin\AppData\Local\Temp\1013514001\489150765f.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3532

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\download[1].htm
                  Filesize

                  1B

                  MD5

                  cfcd208495d565ef66e7dff9f98764da

                  SHA1

                  b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                  SHA256

                  5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                  SHA512

                  31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  23KB

                  MD5

                  4c83ff0a2537b77bafbbdbd6591cdaf0

                  SHA1

                  43f64870149b4cae516b49cd509717d38dd82d5c

                  SHA256

                  074ae26ab9373e1890edee52447db89742d4a03300195cf008724597ff0509bf

                  SHA512

                  88fb23dfe7da18bd8dd1d9ec6404f4f90abff1b7f6d6cfbcb461c27c0b55c804c21a43c8d4b0d0f93674a2a339319b6c623a12a59004a5fcd9477344996e4904

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                  Filesize

                  15KB

                  MD5

                  96c542dec016d9ec1ecc4dddfcbaac66

                  SHA1

                  6199f7648bb744efa58acf7b96fee85d938389e4

                  SHA256

                  7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                  SHA512

                  cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1013509001\8d7982f583.exe
                  Filesize

                  809KB

                  MD5

                  9a2cc9d6c6282e7b2a0ff5649a70b0df

                  SHA1

                  99c7c3969c9ab39261b59f047514ff7de2bc4c07

                  SHA256

                  b08f2b65885b9ae1825d27ddf6dc9189641e0f8817999f4386da55ffcc548287

                  SHA512

                  b61aa465d601a75426129b2096e900c008faeee6d67b729bf3b2fdeef6957934e9bba7353ad55b499c2722f5381c9cc684f867e4c2b7958e743d1a459eae88d7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1013510001\db22f3bf8c.exe
                  Filesize

                  1.9MB

                  MD5

                  f7a47830f40cc4b6a06d777fab2f42f9

                  SHA1

                  5302227fbac3aea59d3aa18dc1e429ebe448c732

                  SHA256

                  8a331ca76c2b919f30406ff66a92db0e27ae6af9725749a80959b42656871536

                  SHA512

                  67251194db27bbb06cc3638c7fd453cc66f54b6e9aa1421cbd05ba5aa410f333b83f5587186bbd0b2026f05da1119eed68c8cfa64511b9c4d81d9a13d9634f1b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1013511001\f84b79a306.exe
                  Filesize

                  1.8MB

                  MD5

                  2b86aab9799fdb49d90e8d5c3f773c33

                  SHA1

                  73f675bfc40ae943545488f8279ff6969d47588b

                  SHA256

                  07a31ff1a605c2c322b555d4a0343f99fb780ab06b05dc6c0a8c0a426f5bd04a

                  SHA512

                  679f83173542bb3490685c53eec897b28676cf7f3f52714db5d9d37507d2998d2bfeed1125dadbed19809cd97d803f006944bcd0ead6e5838aadc01b3b0e8250

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1013512001\11fa64c3be.exe
                  Filesize

                  1.7MB

                  MD5

                  3a76ab70c01da0f818f89bfe4e904ee3

                  SHA1

                  c0ebf4afaae2542f315c72853aaaab84e1a59874

                  SHA256

                  31fa2d30829b1edde94cc00cac6af01bf9075cb7dba356301566624f586aa2c1

                  SHA512

                  06ad07e86e5a896768792c77197f0029489f81d55c71874d94f5f718a3cf55bc3f2740e0f43479deea3fae49ce1adf5baf5b03227162fb827303af2c14c0a867

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1013513001\c32082fd90.exe
                  Filesize

                  950KB

                  MD5

                  3f7ba360c993567431731dd9e8eb6a67

                  SHA1

                  86b020c1350c91ff191c66b7ef4482c444eee7de

                  SHA256

                  4c68695dbd51d87109946460adcb0cd159b3331d0ce13f6a26755e3c8d34e017

                  SHA512

                  dd8e2de9df549b0442e7f4669d061f8024aaa73b1e30915b99af5c98a9aeed7563b8312cd3cf62325a03cbb191ba75dfd94da5fd84e056d380303ae4cd4b1e13

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1013514001\489150765f.exe
                  Filesize

                  2.7MB

                  MD5

                  bb21543a1e27325f9ea87bab89facf4b

                  SHA1

                  2dbdf71b803baf20bf11b1e0b1c9bd75fccb2c51

                  SHA256

                  6066601bd1264d08e87e2494c02ea6aea5eff0657f6b76ca33853c98f3544a45

                  SHA512

                  4ec5dfaa1ebccead38c4684840c5f95789f481fe12f7d34c00b79a181cf2b33e44b900119c389485d26329fb796c2d6b2a8c0558051f0198f062bd15c9d76bce

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  3.1MB

                  MD5

                  d75b31ba6f3bebdb12b9c28a09d444f9

                  SHA1

                  80f5231691ec242eb62324bdf2986c50ae9b2ac8

                  SHA256

                  e951c2f841b3ca0b3bb4ba865ab40d102a6074a4b6f74c0c10d99f6ea125c2cf

                  SHA512

                  24de73a3543d2474ce6c40ec11c814361f3200b752ff165c8283628504b7bba5090e48713314fddde076518060ca18fe7043113aeed24e36e29fb07c057d77ed

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  442KB

                  MD5

                  85430baed3398695717b0263807cf97c

                  SHA1

                  fffbee923cea216f50fce5d54219a188a5100f41

                  SHA256

                  a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                  SHA512

                  06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  8.0MB

                  MD5

                  a01c5ecd6108350ae23d2cddf0e77c17

                  SHA1

                  c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                  SHA256

                  345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                  SHA512

                  b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  ef07b1243005fb6f907f1e72e5cda79a

                  SHA1

                  2e7857b32c8bc367dbab91e8a3556e0e43ce71d1

                  SHA256

                  e714262d5caf28a3664df72bcce27e7fff1cd58f2b544cdb71827c077cf23aa1

                  SHA512

                  4d69667c4a2f84a50b4f905940b8b5888b801292d00b0b91f8e302275c411093e952d272756949b0feff1dcdf71bf42c617361b7bf009880fe7b0ae1b1198e23

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\33512300-e6af-4977-8a3a-346a742517d0
                  Filesize

                  12KB

                  MD5

                  8ffc00d22c12b0286a4d1c8f30596129

                  SHA1

                  d2743238969db2914a88099c8a2b9f6f939bec24

                  SHA256

                  7fced59df86660c01639eebece6aea3fabb8f925e0205c60350f336257834049

                  SHA512

                  6b81440eaf74a2557c29a4846b59116e0866a8330141bb1e13f7f72621a8aafc9ce76cfa07899cb2c22bff3e08c61336200ce52f363d70a31a003bccdf982cbb

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\9935fc0d-bb60-4ad6-8f68-eb45bffeccd3
                  Filesize

                  745B

                  MD5

                  2af571ce1a814c1bd429eb58448e9862

                  SHA1

                  5b8e1e965832dd6866a6a3b28d0fe99782eeda6c

                  SHA256

                  6df6a60f50033456a4d438d60ca5f3e37c99e29645fb8467406356192b93ffca

                  SHA512

                  65a356866f6d61fe067c89421e2477854489cccc02eb4ca05b642029b04adf5a6718ceab26353b3856926ef098997e12e1a932204a7779dbd6a24d4097e43318

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                  Filesize

                  997KB

                  MD5

                  fe3355639648c417e8307c6d051e3e37

                  SHA1

                  f54602d4b4778da21bc97c7238fc66aa68c8ee34

                  SHA256

                  1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                  SHA512

                  8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  3d33cdc0b3d281e67dd52e14435dd04f

                  SHA1

                  4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                  SHA256

                  f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                  SHA512

                  a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                  Filesize

                  479B

                  MD5

                  49ddb419d96dceb9069018535fb2e2fc

                  SHA1

                  62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                  SHA256

                  2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                  SHA512

                  48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                  Filesize

                  372B

                  MD5

                  8be33af717bb1b67fbd61c3f4b807e9e

                  SHA1

                  7cf17656d174d951957ff36810e874a134dd49e0

                  SHA256

                  e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                  SHA512

                  6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                  Filesize

                  11.8MB

                  MD5

                  33bf7b0439480effb9fb212efce87b13

                  SHA1

                  cee50f2745edc6dc291887b6075ca64d716f495a

                  SHA256

                  8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                  SHA512

                  d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                  Filesize

                  1KB

                  MD5

                  688bed3676d2104e7f17ae1cd2c59404

                  SHA1

                  952b2cdf783ac72fcb98338723e9afd38d47ad8e

                  SHA256

                  33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                  SHA512

                  7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                  Filesize

                  1KB

                  MD5

                  937326fead5fd401f6cca9118bd9ade9

                  SHA1

                  4526a57d4ae14ed29b37632c72aef3c408189d91

                  SHA256

                  68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                  SHA512

                  b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
                  Filesize

                  7KB

                  MD5

                  39773f12a073b3d422f4c95f781e6e26

                  SHA1

                  a6dc42b65765ab91bba3f4f72d6dfb6a1e64c48a

                  SHA256

                  56c5858727d664ab7809debac4c33e48b4f2eabc17aa2a7be7152587e733ffe4

                  SHA512

                  8ef974d164d7a42537d7e89ed86d344a46d8331dab44edbd9e96aebc41806c5ab8cea75290ca92c6ddbd3737c6977f23858e59388f4ac9d63efaa7ab4d9c1a1d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
                  Filesize

                  7KB

                  MD5

                  fea8834a7e645872f303b64c9ada045a

                  SHA1

                  71be23d5b6c5ad683b74a24d3a69711f852a7dc6

                  SHA256

                  4855f00c577a71cf7e693fd8ae1c25b423d9ba7a169836bd9d536787e54eaeaf

                  SHA512

                  b427b50b981405e124ece7af20013d7517103722d703f2e718efa317ff4b44b70b3677f30737b159342b7483e686ade320f084e1e2deb0a145b7f3de02cd9324

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  2e2991abd17b3b7fd9c0ec2c2884b201

                  SHA1

                  33e2c9d08bc6fa499efff9f8daaab77ec80baadb

                  SHA256

                  d6841a6806d7ca82cb1d34a39b32c699037296061ac62ef52f7bd0d54d2155d6

                  SHA512

                  d32feb6d3bb52a7cf292fdbe4eff3be365d2cd46af377a8921459a0a6072ef1eab87cfc5ea6e38b199f40512e14aef197675ecbb41547ae9d18e094107b04bbf

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js
                  Filesize

                  6KB

                  MD5

                  9ec34b47e442300a31cbd884b6c6ff0a

                  SHA1

                  0d6d27ae3d7d26070e79cef7ef84672a3d131fac

                  SHA256

                  7d62510771a1535d6b9e556f96aadf8064dd3bee668dd6737af4753ad6bb67d2

                  SHA512

                  e29b86fca601ebc6bd0f122f3528a3a510d347ff1eed3c84cb459c8dcc15bd80d32806c00e22c4a6f807b41358b770f0c15e4f6818544d3e0e74f1e10846eb4b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  4KB

                  MD5

                  989557af82493a91352c4d17c11e17f2

                  SHA1

                  cf6aa119eb2b02f5165776df5d5c2558a315f03e

                  SHA256

                  9fd23f25db3733cee3cc6e4e7ca56d33e7f563d3f843eaafc6d5203b33c77b9e

                  SHA512

                  748510b8d4ad18b031d3391dcae22f702bb27031e0349688102856bb89af83322c569143b3b9d467a5427d9cf6ebb7d0e97446d90ef4e7c8df9111492c41794e

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\DAW5wfGRFeDRNZfW2Af\Y-Cleaner.exe
                  Filesize

                  1.4MB

                  MD5

                  a8cf5621811f7fac55cfe8cb3fa6b9f6

                  SHA1

                  121356839e8138a03141f5f5856936a85bd2a474

                  SHA256

                  614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

                  SHA512

                  4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

                  Download Submit

                • memory/488-118-0x00000000001F0000-0x0000000000896000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/488-116-0x00000000001F0000-0x0000000000896000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/504-141-0x0000000000400000-0x0000000000C68000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/504-304-0x0000000000400000-0x0000000000C68000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/504-66-0x0000000000400000-0x0000000000C68000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/504-112-0x0000000000400000-0x0000000000C68000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/504-88-0x0000000000400000-0x0000000000C68000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/504-345-0x0000000000400000-0x0000000000C68000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/504-92-0x0000000010000000-0x000000001001C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/2068-81-0x0000000000F90000-0x0000000001427000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2068-84-0x0000000000F90000-0x0000000001427000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2372-19-0x0000000001221000-0x0000000001289000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2372-18-0x0000000001220000-0x0000000001544000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2372-5-0x0000000001220000-0x0000000001544000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2372-26-0x0000000006C70000-0x0000000006F94000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2372-0-0x0000000001220000-0x0000000001544000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2372-3-0x0000000001220000-0x0000000001544000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2372-2-0x0000000001221000-0x0000000001289000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2372-1-0x0000000077810000-0x0000000077812000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2724-20-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-114-0x00000000067D0000-0x0000000006E76000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2724-64-0x00000000067D0000-0x0000000007038000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2724-30-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-303-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-65-0x00000000067D0000-0x0000000007038000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2724-28-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-335-0x0000000005FA0000-0x0000000006254000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2724-458-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-333-0x0000000005FA0000-0x0000000006254000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2724-457-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-456-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-27-0x00000000008C1000-0x0000000000929000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2724-80-0x0000000005FA0000-0x0000000006437000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2724-346-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-140-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-361-0x0000000005FA0000-0x0000000006254000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2724-25-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-24-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-22-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-21-0x00000000008C1000-0x0000000000929000-memory.dmp

                  Filesize

                  416KB

                  Download

                • memory/2724-455-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-390-0x0000000005FA0000-0x0000000006254000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/2724-448-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-124-0x00000000067D0000-0x0000000006E76000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2724-86-0x00000000067D0000-0x0000000007038000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2724-120-0x0000000005FA0000-0x0000000006437000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2724-87-0x00000000067D0000-0x0000000007038000-memory.dmp

                  Filesize

                  8.4MB

                  Download

                • memory/2724-62-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-115-0x00000000067D0000-0x0000000006E76000-memory.dmp

                  Filesize

                  6.6MB

                  Download

                • memory/2724-432-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-111-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-442-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/2724-443-0x00000000008C0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  3.1MB

                  Download

                • memory/3532-393-0x00000000000C0000-0x0000000000374000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3532-388-0x00000000000C0000-0x0000000000374000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3532-337-0x00000000000C0000-0x0000000000374000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3532-336-0x00000000000C0000-0x0000000000374000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/3532-334-0x00000000000C0000-0x0000000000374000-memory.dmp

                  Filesize

                  2.7MB

                  Download