Overview

overview

10

Static

static

3

ff91f18eb1...66.exe

windows7-x64

10

ff91f18eb1...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe

  • Size

    2.8MB

  • MD5

    5086ec6859f91dbf4e36bfffc4150e0a

  • SHA1

    854c904a7d05f4d8bb2acde139ad87d7792ed251

  • SHA256

    ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166

  • SHA512

    ad7d1068f4d1f0a0a9c0f75ad280a53866fd3e181e51050263e11dff4b1fac67bcac3c253d4c9206c2e0f36bd10d49ed6d3a0c96fb72f17ddc29af87017660c6

  • SSDEEP

    49152:g2RKpPXvqtDEvLXwCOHnfwpQ09nuXq8qjtoi:g2RaPXvw4jXwCafwNNuX1qR

Score
10/10
amadeylumma9c9aa5discoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://shineugler.biz/api

https://tacitglibbr.biz/api

Extracted

Family

lumma

C2

https://shineugler.biz/api

https://immureprech.biz/api

https://deafeninggeh.biz/api

https://tacitglibbr.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe
    "C:\Users\Admin\AppData\Local\Temp\ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3740
      • C:\Users\Admin\AppData\Local\Temp\1015447001\56520e9936.exe
        "C:\Users\Admin\AppData\Local\Temp\1015447001\56520e9936.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4488
      • C:\Users\Admin\AppData\Local\Temp\1015448001\d60e1e3f24.exe
        "C:\Users\Admin\AppData\Local\Temp\1015448001\d60e1e3f24.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4108
      • C:\Users\Admin\AppData\Local\Temp\1015450001\6dc701c670.exe
        "C:\Users\Admin\AppData\Local\Temp\1015450001\6dc701c670.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4788
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1708
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3544
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:820
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1652
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2252
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18407dff-635b-4cf2-afc2-cfb228890a7a} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" gpu
              6⤵
                PID:4812
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {079298dd-e69e-456a-840c-4a419a87075c} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" socket
                6⤵
                  PID:4376
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3180 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e4a05d-7642-4d91-bcc5-f565cd764266} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" tab
                  6⤵
                    PID:1980
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3960 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {352264d9-c77a-4ccb-b24c-2a027470c4d9} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" tab
                    6⤵
                      PID:4668
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4584 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c521119-1834-4c13-8d71-66889ff5b9fb} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" utility
                      6⤵
                      • Checks processor information in registry
                      PID:5292
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 3 -isForBrowser -prefsHandle 4428 -prefMapHandle 4912 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {222af24f-f60d-477c-a6ff-fcaac4030431} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" tab
                      6⤵
                        PID:5900
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 4 -isForBrowser -prefsHandle 5324 -prefMapHandle 5268 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {300d3e8e-ba8d-405b-9ea0-8a47df1e5fcb} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" tab
                        6⤵
                          PID:5920
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1168 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7c9e0b7-3364-4e08-8693-7d02619cf884} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" tab
                          6⤵
                            PID:5932
                    • C:\Users\Admin\AppData\Local\Temp\1015451001\79a5e45be7.exe
                      "C:\Users\Admin\AppData\Local\Temp\1015451001\79a5e45be7.exe"
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                      • Checks BIOS information in registry
                      • Executes dropped EXE
                      • Identifies Wine through registry keys
                      • Windows security modification
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5384
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1968
                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  1⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3676

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
                  Filesize

                  27KB

                  MD5

                  6d1705e29e8268a6a51b7ab06cf41de7

                  SHA1

                  4bddabc01612c956c7f714c7749a96c64757159e

                  SHA256

                  700d58524c3b3ffb7e0cde82034c3e17ebc025a06940162ba9c5ea74171a29dd

                  SHA512

                  5aa711d46cce67a7aeb1b8304cfa4b180535568e078e9c464b730a3cfdaf5293474e2d0e9d1049cb565c17a9772c8275a299231829db2e38b985edf463666149

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                  Filesize

                  13KB

                  MD5

                  086149a65831647181e357486f0156dd

                  SHA1

                  60743e3fa294f00712a572a5140c55c12747339f

                  SHA256

                  2d7865e88049526679a5f053fb888c83e12c06b7c55e81cbd3293cc92a60a6ac

                  SHA512

                  65646d21e81d12750bccd85f831f0793a8d3dcc9918303f66f91c1e015b769a82cc10b41a1e663383c4cdcd8323f674d33e27c9d79bf65be3c764b3adab08e4b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                  Filesize

                  15KB

                  MD5

                  96c542dec016d9ec1ecc4dddfcbaac66

                  SHA1

                  6199f7648bb744efa58acf7b96fee85d938389e4

                  SHA256

                  7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                  SHA512

                  cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1015447001\56520e9936.exe
                  Filesize

                  1.7MB

                  MD5

                  6c1d0dabe1ec5e928f27b3223f25c26b

                  SHA1

                  e25ab704a6e9b3e4c30a6c1f7043598a13856ad9

                  SHA256

                  92228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d

                  SHA512

                  3a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1015448001\d60e1e3f24.exe
                  Filesize

                  1.8MB

                  MD5

                  a93bba39337fe57b7e24aa3f20bc69f7

                  SHA1

                  bb7e33927db153f2d6aae66a49228e4fb858b2ec

                  SHA256

                  d92fd757d80a662fca3988b9d43a9670dbdcb23182e1d25f717b166bc9c51261

                  SHA512

                  c17e3ae21c055fd4d3fe105fd3a59408eeaf5c11b941e95e99293caae67e17f1de84ee3cace56fb482d8c2ec4d2694d54b4e04044503ae60371ec4ef63283335

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1015450001\6dc701c670.exe
                  Filesize

                  949KB

                  MD5

                  6daca247f7d248f432901ac5a608d1ba

                  SHA1

                  5549555c05e3290fb4ced5bfa1fa1e1467352f69

                  SHA256

                  aeef9c987f5f9e4b3f171aa21ba73cdafe69a94b81ed927b428e0767b9513138

                  SHA512

                  f4b8675db14011fef03eb8541f7bc8684f48c7c4a7620f7bc54c1d23c961278e7860ee992e622b807ffa9a23c08508e073666960940ef9d417594784a3367ad9

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\1015451001\79a5e45be7.exe
                  Filesize

                  2.7MB

                  MD5

                  4680d071d278344740df125083f88cf5

                  SHA1

                  c0047d093bef4edf8076825b86c8e4a978aabd21

                  SHA256

                  789438468d1884824219bc33252fe90c908851465af503298607f781de859b98

                  SHA512

                  a6966492350bb5bd310aae12d12d49c94b5a8c725148e0222c31443318453cb4107a229b0a699166d0dd8f1c8d47c605753fe309552f3ab9b26dfe77701b29a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Filesize

                  2.8MB

                  MD5

                  5086ec6859f91dbf4e36bfffc4150e0a

                  SHA1

                  854c904a7d05f4d8bb2acde139ad87d7792ed251

                  SHA256

                  ff91f18eb1f1cc201ccb45500f7e7f88547dd982ced00edf15fd73b39a4f1166

                  SHA512

                  ad7d1068f4d1f0a0a9c0f75ad280a53866fd3e181e51050263e11dff4b1fac67bcac3c253d4c9206c2e0f36bd10d49ed6d3a0c96fb72f17ddc29af87017660c6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
                  Filesize

                  7KB

                  MD5

                  c306d43c5b911cf18843a7e4624d3708

                  SHA1

                  c1db07d678294daa95ac345880f868153a463e5f

                  SHA256

                  a808bad0a291588fdfde1929b462bf205d8511bf715f0ba609429d2042f14cf3

                  SHA512

                  1111dac4d9eebd469a2fbd8bd84d7b5cda52045a6850c7cbfde261efe321dc1628ebe7af824618d6d3468cf02a31206fd46739627d15fe85b6b71b552a05e76c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  f2b93252120dcaf7436f363ff3f942a9

                  SHA1

                  e60e8d19692bf9d5dd6827d40d312b5c52a22550

                  SHA256

                  9e956fbfbdb44a23228ce647b771fd145b1c803494a3983e1859da22bc7ff311

                  SHA512

                  5b1cbb2011938a29733017d1bdcdbe3ce1afecff883dd3b997330013f1d517682569ceab2340080abfff346bada2425307c9845e1ed24668f48c179f4711ef0f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  7c2eac46d56fb95e2c869e3f4e13caa2

                  SHA1

                  a1d1314f501798ae36be726cb66754c8b390ba39

                  SHA256

                  726804d630201f0dc86b593c63b4b8e03cf1c66543650483b25eeb6512babc69

                  SHA512

                  9303e809e01dc129e613e17c7c88e0e07afbcefd3f0165ee6f91f9dd6f61c568e6b263dca39dd00b60fb4f4c567803f04d2b14ddb57b26a2b8b72dcbd39ca397

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  936ca4bff91b286c95a5eee31778dcd5

                  SHA1

                  fe425ef2fce01de32a9b8546ab254a84b90dc4c6

                  SHA256

                  828cfc6c5b8c73f5a3ff34998a4aa89bcb617b8563f1a5a58fa3a36ebafc4e59

                  SHA512

                  be8fad324e2d6c2d0b2e517f85fb80dfeb467ea6a0146c62fcce091dfe50c4df8899fe7647219b4b68d0951e1566c388707326d5c8b0f084796b826eeaa3263b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  3ee3bf4069692d975b59a5046e877d04

                  SHA1

                  bb383cee7cb214e76fcc7c63f3a0a39200a0471f

                  SHA256

                  b6d70b61fbc85cc72a820e47df760d2ed391b238e8f33de9fdb081f7d90f7e9f

                  SHA512

                  fc083e1a869245597811716ebcc1688b431f54cd027577d5d7ff5adc81ab4e88fae085a6b5c2d1d09f374f7ac7bbf064f32b004be60624d44b88436da9103dc9

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\8d13b6e2-df85-4b64-938b-840363994b56
                  Filesize

                  671B

                  MD5

                  a62dd15273c309a9457a484871608d4e

                  SHA1

                  fab33cf7903abe1e09f91f1e5c1cb1f7ae64996d

                  SHA256

                  00c22fbccff31628a8d57c39d26efbaa6ebb6c141f031f6204368e19fd8da92f

                  SHA512

                  668868609e9f90f50147aec2c144575f1775551751658cabd0efdc4afa105c38b57ce6f9c3ac0c3c4c7e548f5f21ad1c0319a917790610ceacdee4bc5ed492e0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\b464a6cf-1ef2-4bd9-a444-dad1f631d30d
                  Filesize

                  27KB

                  MD5

                  1b06f78a2c2b5c5579d84ed976af21ae

                  SHA1

                  99b8cdc9aee97063490198dcc2d3d116a6b02d36

                  SHA256

                  4a8b9646f0cd6b736d8f6ab56971708f0fcbb268d78fd9d0655fab80d5369e89

                  SHA512

                  11337c6c18ee004cf0b822dd797077fe105e769d352d057a8a9e0d225158137153fb28721289aff22c357368dc43ab583bc774ee7292c495b2cb4328b5712d03

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\e87bf7da-c5e6-4c35-ae2b-eeeb3d216a09
                  Filesize

                  982B

                  MD5

                  83dbf96c6df8c625eea1f475825efdbb

                  SHA1

                  bbebc21e166fe06367f070caad887c7fa4f2ef33

                  SHA256

                  40031ddb7a034a2c9062601a89a38332582adc3b8e379e3759e17c1c77f97686

                  SHA512

                  6018de66f3a28a668c42e0679eb55d15285e55111f4e00f9b5953b8431c65f903c317b7c82c5a24a1cac4f01d7468714dfaba6fbca915dfdb658c3cb9a6157b4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js
                  Filesize

                  11KB

                  MD5

                  85b20ae9908b45b5e2a3b2c6f213e991

                  SHA1

                  b9fd38a43a0f838eab6ed7b1e46dd9e2a6ad9c0e

                  SHA256

                  fe7fb6f67d59abaf9c4c2053ae3238211bdc2b235988c9f3a51da9c0abe7ef1a

                  SHA512

                  f7e6996dcac7f105b66c461cff454db53999e06958a5ea7da40599229212de1a4df426e9e149da58503cbc36750634e9134d0fdcb2a4d77e0cd837b4db4f53e0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js
                  Filesize

                  13KB

                  MD5

                  dc3e29e17c730df61f3ff2f6f27edf8c

                  SHA1

                  7bd5959570eac557520f925310767405daa03ba9

                  SHA256

                  87a024e23cc73241fdd495148d0db79a5fd414f24f1caddf7ab63495ef92b344

                  SHA512

                  4f7653f21efc50a3305231e982ab9c648a0926abe32565ea7b214d4d0424c474e0aa1a3e9d24d94163d037354410222827a178e416f643d9cb6015fee7bd4eb3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  f1494060347df2952c2d2b0acfe40604

                  SHA1

                  b6b8e7bff18577cb16c35b1d70dfcf55ebaf07fc

                  SHA256

                  aa0ba8035c7294eab4b08813ed394b55c33cb89c1cbc68e0287e939df3dc5576

                  SHA512

                  5579ce45d645e0c70a533bdb3047509c058b8e3f383fbb77e30dd606f068de1ea1b7640eb49dd5a476d9a539ff6d144af7157d95ef7e9a6cc4a7b08d50ec2acc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  e8ef1249d7f0176e412086dc5880495d

                  SHA1

                  b8a2b50fb256a14afbbc0733907b66786fa0d477

                  SHA256

                  d75aff84a548c4f19d9f9c1b7f72c4d50d8af6b6b833ef759c4c0fc72f43375f

                  SHA512

                  2085f81dfa2f8954d0905607757b7b25b4035e7680191b224ad77b59d6416abef953818f742b3607a4558b96ba16e33801331e5fabbb550812c8f47fa2681dc7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  912KB

                  MD5

                  f4e4a97fc0ab3d35f9cb11b4b10e9785

                  SHA1

                  5845c9986cb21edcd76b10e8af0a7fbeff75499f

                  SHA256

                  283219cd4128541a23cf94bb6750192c555054bb7ebb8e663d0cb01a1a461f48

                  SHA512

                  39eaa7bc73f70a06f22ceba4df88e92a49b5acf6a8103b55e5deb1c20513b374578257174f99aa850131f614246db9dc68b738342f1053941a7e47c593247e68

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  2.9MB

                  MD5

                  9e5ce12c3d24ed03b67521637a603853

                  SHA1

                  2fd22375a4166289e5a26574c2ff18320639e348

                  SHA256

                  8ad041ac258c7cd82d53b86466ab989ac08445aaa42e1367b2966b5197fa7db1

                  SHA512

                  4a687de8345295b066b7dff79a425a1e23840f9d515ce1793151694950d403b90dc69bdd1cf61cc56bb81a9590c22417aeabeea0c5967be9b39f0f0d49054ad1

                  Download Submit

                • memory/1968-480-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3676-1283-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-24-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-703-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-2250-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-23-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-1909-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-22-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-21-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-1792-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-1382-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-1271-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-20-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-19-0x0000000000EC1000-0x0000000000EEF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/3740-16-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-452-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-1107-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-857-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-40-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-492-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-47-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-70-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-517-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-43-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/3740-65-0x0000000000EC0000-0x00000000011C5000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4108-64-0x0000000000700000-0x0000000000BB2000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4108-66-0x0000000000700000-0x0000000000BB2000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4356-1-0x0000000077434000-0x0000000077436000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4356-0-0x0000000000B80000-0x0000000000E85000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4356-3-0x0000000000B80000-0x0000000000E85000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4356-2-0x0000000000B81000-0x0000000000BAF000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/4356-4-0x0000000000B80000-0x0000000000E85000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4356-18-0x0000000000B80000-0x0000000000E85000-memory.dmp

                  Filesize

                  3.0MB

                  Download

                • memory/4488-42-0x0000000000DE0000-0x000000000126B000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4488-46-0x0000000000DE0000-0x000000000126B000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4488-48-0x0000000000DE0000-0x000000000126B000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4488-45-0x0000000000DE0000-0x000000000126B000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4488-41-0x0000000000DE0000-0x000000000126B000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/4488-44-0x0000000000DE0000-0x000000000126B000-memory.dmp

                  Filesize

                  4.5MB

                  Download

                • memory/5384-491-0x0000000000BB0000-0x0000000000E76000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/5384-481-0x0000000000BB0000-0x0000000000E76000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/5384-380-0x0000000000BB0000-0x0000000000E76000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/5384-382-0x0000000000BB0000-0x0000000000E76000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/5384-319-0x0000000000BB0000-0x0000000000E76000-memory.dmp

                  Filesize

                  2.8MB

                  Download