Overview

overview

10

Static

static

3

7af72d6090...46.exe

windows7-x64

10

7af72d6090...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/03/2025, 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7af72d60902f6d9bd4ddb565cd4b0946.exe

  • Size

    1.8MB

  • MD5

    7af72d60902f6d9bd4ddb565cd4b0946

  • SHA1

    9a81b3d5d58e5f5ad4719dcf4ff3f5c59aebbebc

  • SHA256

    5e597a1b3b27fc614676bc331e7134bda14805ad4458d8649195aab33a102ae5

  • SHA512

    d4429d47082bb917e84a031cf71fb62fdbf4c7b77febde69fee4188b21da2d97b00d3f02d25f08226124b84a7df030a6d00ffd1fc43df66a1554582f5b462c50

  • SSDEEP

    49152:Sw+XuSlBp9q3mmc5+d8hJC6gPJ/ReTbdVM:pAuSl39q3mmc5+d8nNgFReTZV

Score
10/10
amadeyhealerstealc092155trumpdefense_evasiondiscoverydropperevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    defense_evasion
  • Downloads MZ/PE file 3 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7af72d60902f6d9bd4ddb565cd4b0946.exe
    "C:\Users\Admin\AppData\Local\Temp\7af72d60902f6d9bd4ddb565cd4b0946.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5540
      • C:\Users\Admin\AppData\Local\Temp\10318610101\81e76b37ed.exe
        "C:\Users\Admin\AppData\Local\Temp\10318610101\81e76b37ed.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2360
      • C:\Users\Admin\AppData\Local\Temp\10318620101\f2832e5128.exe
        "C:\Users\Admin\AppData\Local\Temp\10318620101\f2832e5128.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3396
      • C:\Users\Admin\AppData\Local\Temp\10318630101\ee03782cba.exe
        "C:\Users\Admin\AppData\Local\Temp\10318630101\ee03782cba.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM firefox.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1148
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM chrome.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5272
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM msedge.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1960
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM opera.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1460
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM brave.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1428
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            5⤵
            • Drops desktop.ini file(s)
            • Checks processor information in registry
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5876
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2016 -prefsLen 27099 -prefMapHandle 2020 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {341249d2-818d-4ce0-a75f-722fe03a3dba} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
              6⤵
                PID:2216
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2492 -prefsLen 27135 -prefMapHandle 2496 -prefMapSize 270279 -ipcHandle 2504 -initialChannelId {98b5a646-fb05-4b5d-b462-32465dad1f18} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                6⤵
                  PID:3456
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3804 -prefsLen 25164 -prefMapHandle 3808 -prefMapSize 270279 -jsInitHandle 3812 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3820 -initialChannelId {fa0c0e92-6222-47af-b3ae-73d47b35901c} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                  6⤵
                  • Checks processor information in registry
                  PID:2168
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3968 -prefsLen 27276 -prefMapHandle 3972 -prefMapSize 270279 -ipcHandle 4056 -initialChannelId {757c87a0-29d2-4078-ab0d-48344782b296} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                  6⤵
                    PID:1180
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2744 -prefsLen 34775 -prefMapHandle 4392 -prefMapSize 270279 -jsInitHandle 4420 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4428 -initialChannelId {7b248170-dd9e-4b07-adc2-8e1dadc0af14} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                    6⤵
                    • Checks processor information in registry
                    PID:3188
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5040 -prefsLen 35012 -prefMapHandle 5044 -prefMapSize 270279 -ipcHandle 5052 -initialChannelId {c73cdae8-3d88-4116-a51e-41074e14d6d3} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                    6⤵
                    • Checks processor information in registry
                    PID:5988
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5188 -prefsLen 32900 -prefMapHandle 5192 -prefMapSize 270279 -jsInitHandle 5196 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5180 -initialChannelId {715ce13c-2e16-42f7-b0e9-079dcd790e96} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                    6⤵
                    • Checks processor information in registry
                    PID:5588
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5568 -prefsLen 32952 -prefMapHandle 5572 -prefMapSize 270279 -jsInitHandle 5576 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3020 -initialChannelId {0e6efcc5-65de-4b3c-b9e0-a9b97f7b3d4e} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                    6⤵
                    • Checks processor information in registry
                    PID:4608
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5592 -prefsLen 32952 -prefMapHandle 5596 -prefMapSize 270279 -jsInitHandle 5600 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5552 -initialChannelId {f8acdd20-0069-408e-8961-33c95a2c17ca} -parentPid 5876 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5876" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                    6⤵
                    • Checks processor information in registry
                    PID:4220
            • C:\Users\Admin\AppData\Local\Temp\10318640101\60a3f31b77.exe
              "C:\Users\Admin\AppData\Local\Temp\10318640101\60a3f31b77.exe"
              3⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Windows security modification
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5712
        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:4032
        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:5784

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        4
        T1543

        Windows Service

        4
        T1543.003

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        4
        T1543

        Windows Service

        4
        T1543.003

        Defense Evasion

        Impair Defenses

        5
        T1562

        Disable or Modify Tools

        5
        T1562.001

        Modify Registry

        6
        T1112

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        7
        T1012

        System Information Discovery

        4
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Virtualization/Sandbox Evasion

        2
        T1497

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9z25oblb.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD
          Filesize

          13KB

          MD5

          2c80d38ca0827fc8029847c0d6881a4a

          SHA1

          40dcb1839792ae3f23f2507822e3c25d5a47f17f

          SHA256

          f486f100add2d9a29dd4fa51cdd539965dd122ecac40da8e01674d99ed0d0e10

          SHA512

          55a0d2a374873eacba15d4202b58fb15ba71d17b89305fa5326712732df7a809d2b79b1a549a0c65333fd7a6fc558250c1676420e92f7764323b11f444e569b9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0f07af11-aaf6-48f1-8959-2ae88b77fc95.zip
          Filesize

          3.6MB

          MD5

          eee2a159d9f96c4dd33473b38ae62050

          SHA1

          cd8b28c9f4132723de49be74dd84ea12a42eef54

          SHA256

          52c720ca9b1d7649214694bc46a9ea0cf2ee3091e1ac717633ee06b6e2864384

          SHA512

          553c8b347e1654ca256dd4b760deb669cf394763419c972bb60a555006525afed2cff53b2516e8b239bc4bb35afd5429bd89611303143e7e65b901c0f5c2cc07

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10318610101\81e76b37ed.exe
          Filesize

          2.8MB

          MD5

          ddc21af1dcce8a34e50651c30f50fea6

          SHA1

          0ee349ca451d76b5e647f0e01184bc5313619107

          SHA256

          2fdec735ecc810b4741cfe97a95fe352ec5cd931b55b148ea98825ca31333ed1

          SHA512

          d6100f447c6b9eb6ccae0343deef01da8bb9d3ce6e570b34c05f217a8ad3540593025bad079f8e64df87710ab77d2be3f44f8588d2247d649515991c3a44d118

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10318620101\f2832e5128.exe
          Filesize

          1.7MB

          MD5

          8d11087a47c122d153a0f32a60ec79b7

          SHA1

          d60299a6118fb5706dc3fab2b3d49541374720fe

          SHA256

          cc886d5b507c8dd985e23d060b0b890bbf68683b46c572bf7b3e58f66a6be48a

          SHA512

          4119bf9786b26d39d4216481737087529b7543e4382c5860fe7e145571839487ddd783a8d83f0c084df1516ee9f7780212d4d8dac812251e6834d8f26ef28436

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10318630101\ee03782cba.exe
          Filesize

          950KB

          MD5

          81c02be5ee8d37c628c7a0016c468149

          SHA1

          89bc9d55785d71f396fb2b50960aa248799ebef9

          SHA256

          186bdab14c6784d101350b0386d06e3c0b890f895d64cdf2a1a6e9cc32e48f57

          SHA512

          ebf4058e4a096f0b24221574ccd372f864dc4db853c3bf6d763d3286af49a348372656c4de5efb173b07f5096647bed4747e7d13109989743e95a7e6bb091fab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10318640101\60a3f31b77.exe
          Filesize

          1.6MB

          MD5

          0352afc500e6104d51a1099c441fda4a

          SHA1

          f13c4e80db7722aeeb6a8aceb77fb3ca8bb1a860

          SHA256

          8df4bce66ec1404ffc71cc3cafdbd198f3d6a5b45166e9be8ef42feebc42e9c7

          SHA512

          7e43882d65ad9115b17921792130fd7b5b172eb4a385be90164b979198d4bf5b816b24b6933a9e501300d79b36af4d749f10dcd40e21aa09809ce6518f8c64c7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          Filesize

          1.8MB

          MD5

          7af72d60902f6d9bd4ddb565cd4b0946

          SHA1

          9a81b3d5d58e5f5ad4719dcf4ff3f5c59aebbebc

          SHA256

          5e597a1b3b27fc614676bc331e7134bda14805ad4458d8649195aab33a102ae5

          SHA512

          d4429d47082bb917e84a031cf71fb62fdbf4c7b77febde69fee4188b21da2d97b00d3f02d25f08226124b84a7df030a6d00ffd1fc43df66a1554582f5b462c50

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
          Filesize

          14.0MB

          MD5

          bcceccab13375513a6e8ab48e7b63496

          SHA1

          63d8a68cf562424d3fc3be1297d83f8247e24142

          SHA256

          a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

          SHA512

          d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
          Filesize

          502KB

          MD5

          e690f995973164fe425f76589b1be2d9

          SHA1

          e947c4dad203aab37a003194dddc7980c74fa712

          SHA256

          87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

          SHA512

          77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\AlternateServices.bin
          Filesize

          10KB

          MD5

          d39f7e6b85ed5763f284bd363dbd5975

          SHA1

          4a4a06df2b6b9e4434eb037c8f582d8b27750159

          SHA256

          d1972f9f5d398ed1bf7cca6b014f08de71ec3bcb76a5661cde91af95c68a90e0

          SHA512

          9c0b7a1fe57ca51e3fb470efe956836b1520c8b579fb4a8f5554dc17b5e84f5dab1fdbdde7cfbd13777fce996e95fddb9652d244db0f0f1473b93e9e197596d5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\AlternateServices.bin
          Filesize

          17KB

          MD5

          4f770b9e86ad382b5514baa72d04e779

          SHA1

          0f3332dad6c80e9b5081a58d78e32baf5f2f8db5

          SHA256

          d85e945155e078332e2cb20d1ee55771bdcde7cd13920628978ea86b1c6ab391

          SHA512

          e370b29c2ac674a2ad77cb6495dbea94f9257f4d37bc65638fec7460b42837cd3d399a873dfc196403742a3549b0ee497decc33a110ade704ca68c0995a0edf9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
          Filesize

          6KB

          MD5

          ec7384284ed8aaacfc298523bc303a94

          SHA1

          6bd914c7d5b4f632ae898553aef95df5e19fd48c

          SHA256

          a4bfaeb8a0fc6a0ada213b36c71e262441c3e0868e855b5f47af07d570ddda82

          SHA512

          c1a4239b2578ea08d01ac984af285d678a831e88c41904b1a0b927be760ab4232381c0402a17869a29af7cbb11fa676e9c8f875dc44dfa393f9e4a965f093229

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
          Filesize

          6KB

          MD5

          605cbd02e61546acd5709ff1f1460af7

          SHA1

          8933d15a7a11c68af4ce7fb85937ae6d1a21bba1

          SHA256

          d2004466a81f8f7a3693e23c1ff0f2f5cd922a8c3c1b1aaf964e92dee64b6653

          SHA512

          f6f87fd3f333940b8678ce6306980d65870367f22c6d70275a3e5e80204eb1e99062c8f35da2860334adbdc9d6f514d3a3b3b208c087f8f66d2ab55ac8e5c06e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
          Filesize

          29KB

          MD5

          857a58214cdea7e1494ee33293774dc4

          SHA1

          71cefeb26fe7d0ea29c325e53cc5c5bb3e3d8768

          SHA256

          c4d5484e90266ccf6cc46edb897dbeef42b39e3f1694b5bd7be12259da0c02b3

          SHA512

          dc7652d751e4ad76744dcd028390ec81fb6e26710c21afb68d26df0fc80d66981d03fea8f6fff645ccdc8837bf905f141b9f931a250337cca268b00b64414c48

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
          Filesize

          29KB

          MD5

          a08b3af8f5345f41802801557244ffda

          SHA1

          fbeb30e6bbca9ea5562737d9e87c7167339058b5

          SHA256

          0c3e09c71ea0eacd99793c941f3b6067e0f8aab010ffc42ca23fa0209afa8b2b

          SHA512

          cb11a1bc68aefad59f933e01bc5d49e83b8649540491b0edae6d442aaee60d34156169f3ee17706e50c04f656a39b04630e3245229413577e7e647c3e178fc6d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\db\data.safe.tmp
          Filesize

          29KB

          MD5

          863202019273ee75cd51d103687b6fa4

          SHA1

          8735c9ade4fc7516b48d7fc86c772a99c9832903

          SHA256

          2aa4f72aa5470f09fbe3b83b60abe49ca32b1d782e4a25f82ba8402c5aed9041

          SHA512

          b9e8894423ecdfe8084bc5dc2ebcb6bdb3596940a46a3ccdfacea4c3551bfd025543a78f07c19bb8cee51a14b2491ce46eeff57496bdb506b05feaa27d4d1980

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\events\events
          Filesize

          1KB

          MD5

          4abe402426f603a80648598b463ce69d

          SHA1

          911ece02ed21e6f4a087c6a2a62000d193140fba

          SHA256

          3c96f1261ebc6352264769b63e4e6717be4052e31da259480f820437d7a8afb0

          SHA512

          8c9e67755a08f5e9633869f63c6ca6bb87ce050cb31c82d649e84b081fefd8692c759005e819c6ed3dc2006f00bd749921c6986b5e3339dcfb5496deb45adcef

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\052928e0-86c4-4723-9bac-15ea2366ecf5
          Filesize

          235B

          MD5

          593bfdba04e875a34102cfc219973c6d

          SHA1

          fcd36ad4c75e3d218750882acb006f2a42ff8478

          SHA256

          adf159e072900b135b5e755a8ce1dc8d8d2de818f6b8b5b91ad89e0d679b0a2e

          SHA512

          c59c88305a707ce341cf47376949ce11623c49d763c8e9ca1cd5c1412fafd4dff77b40b8f57323baefda0b8a05242ebedd426bcf007b1c81630d9faa8941f101

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\3b7ae028-ca92-49eb-a4d6-79ed540c71ea
          Filesize

          886B

          MD5

          0dde2acf6a65b8369032ff678d9e5512

          SHA1

          715b154eadb4c8bc08e204a3cac049ef3419dd56

          SHA256

          209a43d35811aa43f9947afba4b1134c916172b38458fcfe843f627f98808532

          SHA512

          9d796bee722dad105e0d5d356a679381c4a1898fce473fcf9f65aab1e077cab9a8d293b41a3c6d194c2e217273ff0b820e5c4884f8418213151cdd9bdea9f56a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\4c8f8d38-8b1a-46af-859d-21eaff5e16f1
          Filesize

          883B

          MD5

          19bbac4ebe20ec21be72324bac05f6c0

          SHA1

          66705c24915637c593c8631fdb1b353fa03cd010

          SHA256

          499c1ca7797416566f263a1b313da1f6c94ac2dd31fb79b034d04bf5d47fd5d2

          SHA512

          b0ed2dc7d4890dbdb2e014270cff983d32725d4301422290755216d37fec47d63aacba1f655b77d6c785cd97ee71ced81d647f1ee05734bbc94049014f8777b9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\51715d30-3c7e-4ae1-b4ec-709d5072f769
          Filesize

          16KB

          MD5

          dcf486e5176698f10cd96b67d70a09b2

          SHA1

          848b6aa34a1a884bca8c071a94761fb1edd85b59

          SHA256

          4289d759f46eb01067ab85ba6b54d83e937b0e0905b95abe653fb071aac93000

          SHA512

          8059c423669ab7a54fdc75b2c2f294e4635ce7bdf9359a9d4c765a332cc42b84298b30ac72933fb587c63fb8bd9a2410ca1d8b78ee1224effd18413325a011ce

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\61b8a3e1-da16-45a0-b910-efa059ecb0d4
          Filesize

          235B

          MD5

          5bf2d42f0dfc854f06b49aece212b064

          SHA1

          67e5f069865e9d271914569ff0646924b9dc5215

          SHA256

          2205ad4064243d4a461f4dde9272adc9a031170b98d6a08b6fe6bb0a29ab3944

          SHA512

          de16eae8b2996f649cc1d6fbe3dfb72a5e705732de00168fa1f252eebfec7f97fc7c667daae1a5367398c54db6c13385051597e3601ff26a4d4aed13163be425

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\datareporting\glean\pending_pings\9d694e17-6659-4e7c-be63-ae914fe4d8f8
          Filesize

          2KB

          MD5

          2ca79063ead8c04fe4a6b535cb77e85a

          SHA1

          642a056e4bb9796d96ac92d1795d0009c5fd96bc

          SHA256

          f559c1fda75423e04d0d4913ad9dbad80136c0c18f93ba8f0ab0dfb60dcbb196

          SHA512

          7102c12006b480c1a1d4060648381f55ca29620356619c3357d7bc8047d39a30d3caa63dc0e7deb85ae4c1f32799141db949e690205b6c39c45668f27215f631

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll
          Filesize

          1.1MB

          MD5

          626073e8dcf656ac4130e3283c51cbba

          SHA1

          7e3197e5792e34a67bfef9727ce1dd7dc151284c

          SHA256

          37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

          SHA512

          eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info
          Filesize

          116B

          MD5

          ae29912407dfadf0d683982d4fb57293

          SHA1

          0542053f5a6ce07dc206f69230109be4a5e25775

          SHA256

          fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

          SHA512

          6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json
          Filesize

          1001B

          MD5

          32aeacedce82bafbcba8d1ade9e88d5a

          SHA1

          a9b4858d2ae0b6595705634fd024f7e076426a24

          SHA256

          4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

          SHA512

          67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll
          Filesize

          18.5MB

          MD5

          1b32d1ec35a7ead1671efc0782b7edf0

          SHA1

          8e3274b9f2938ff2252ed74779dd6322c601a0c8

          SHA256

          3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

          SHA512

          ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\prefs-1.js
          Filesize

          8KB

          MD5

          4bca6271da3f28522d6903285ff2930f

          SHA1

          33be06a54e5d27568c544e3c3229b92e71073e93

          SHA256

          f93a6e0364cbce92c452e54f08a833cd10034fb5eacd0316a3758c1baa996d2b

          SHA512

          6613e5f13d4e8e83179728a0bb2ac198ebdb4e5ff65f1902ce58a8c1ebf6b77c90fbe5c33f0c54eaa84a5e5cb3b70aa90739b361557033f4d31ecbb12bca4716

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\prefs.js
          Filesize

          6KB

          MD5

          0478d82ed4fd07272a26b7e086b0a1a3

          SHA1

          9778283c9e627bbaac81ccfedbdd9e4eb336539e

          SHA256

          6e689b996784f136052e8012b51d3dd3f3b5da958aba14ada837e3de57c781c3

          SHA512

          4b69cd42f780d96163fd6fce430b9c0c25ecb4c05088657332a6bfe5ff90f4278bf79c3c6590122a1bdbf193e181d1066a04b0abca43cbb3c44113efc48a9f6d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\prefs.js
          Filesize

          6KB

          MD5

          cb05353c9096b193cb38e489e7fa23f6

          SHA1

          a77505d95b2a9f21260d9753cfae856c4c5a2ec2

          SHA256

          422a7cca792c4ffbdcd82431def13d70a79f0eea1555ab73f7ac3d2ca89f80f9

          SHA512

          6d5997f4595270e3bdf340465bac34c33fc3cc3a56136fb56a0904c242d4a1cc94c32019cfe129af38599b7128db01b535aa3d01c35d876412782bad1977234a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9z25oblb.default-release\sessionstore-backups\recovery.jsonlz4
          Filesize

          4KB

          MD5

          f1135abf0a40966029a450e9933fdf09

          SHA1

          0de74dd8f81c067dfc9994aeda8da1d97c2b443e

          SHA256

          5efaf4192a38ae47f41954fed3ecb9fe76a235e217a8cedacba3e2c264386701

          SHA512

          f7a7fec6d5690767c4d2271450fb3a627928c3ebca28c116d13574a61650a8f1092f4b211477a14004d463b55f75630902c8636cfc40952224c9b0bdbc9000ca

          Download Submit

        • memory/1652-18-0x0000000000FC0000-0x000000000147F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1652-1-0x0000000076F94000-0x0000000076F96000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1652-3-0x0000000000FC0000-0x000000000147F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1652-0-0x0000000000FC0000-0x000000000147F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1652-4-0x0000000000FC0000-0x000000000147F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1652-2-0x0000000000FC1000-0x0000000000FEF000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2360-38-0x0000000000250000-0x000000000055B000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2360-41-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2360-42-0x0000000000251000-0x000000000027E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2360-44-0x0000000000250000-0x000000000055B000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2360-40-0x0000000004D90000-0x0000000004D91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3396-61-0x00000000001B0000-0x000000000084C000-memory.dmp

          Filesize

          6.6MB

          Download

        • memory/3396-62-0x00000000001B0000-0x000000000084C000-memory.dmp

          Filesize

          6.6MB

          Download

        • memory/4032-836-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4032-785-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6286-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6290-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-17-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-499-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-37-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-39-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6294-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-19-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-20-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-21-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-80-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6293-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-525-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-784-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6292-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-46-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-43-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-5235-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6278-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6281-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-29-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5540-6287-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/5712-510-0x0000000000410000-0x0000000000844000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/5712-478-0x0000000000410000-0x0000000000844000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/5712-507-0x0000000000410000-0x0000000000844000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/5712-466-0x0000000000410000-0x0000000000844000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/5712-477-0x0000000000410000-0x0000000000844000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/5784-6289-0x0000000000F60000-0x000000000141F000-memory.dmp

          Filesize

          4.7MB

          Download