amadey | 4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
01-08-2023 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe
Size

639KB
MD5

4b9a2c82dae5a6747c9b6a635874fe1b
SHA1

16849642f7562fb28a7c57493ede6dc14e71e423
SHA256

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce
SHA512

3ef6541eb83fa9734b0277ba753b449f4c2f47d3f8e0b6e46cfcd0c706e0e4c91478f883b1698755351ada6dec7f463562f31f832aa23f7e84c904b3b8ff6a5d
SSDEEP

12288:iMrNy90KItLD9U6csc0Wlc5ao392/gTlYQbOH8t4MhxphtwML/:XyhAlpcw391pjOYFrjr

Score

10^/10

amadey healer redline smokeloader papik backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

77.91.68.61/rock/index.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

papik

77.91.124.156:19071

Attributes

auth_value
325a615d8be5db8e2f7a4c2448fdac3a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe	healer
behavioral1/memory/2668-145-0x0000000000730000-0x000000000073A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a5298088.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5298088.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 10 IoCs

Processes:

v1943436.exev7679029.exev9111658.exea5298088.exeb2824343.exepdates.exec3090472.exed9855588.exepdates.exepdates.exe

pid	process
2676	v1943436.exe
2216	v7679029.exe
4508	v9111658.exe
2668	a5298088.exe
3460	b2824343.exe
712	pdates.exe
4900	c3090472.exe
2668	d9855588.exe
212	pdates.exe
4860	pdates.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4596 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a5298088.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5298088.exe

pid	process
4596	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5298088.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exev1943436.exev7679029.exev9111658.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1943436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7679029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9111658.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2900 schtasks.exe

pid	process
2900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a5298088.exec3090472.exe

pid	process
2668	a5298088.exe
2668	a5298088.exe
4900	c3090472.exe
4900	c3090472.exe
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296
3296

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c3090472.exe

pid process

4900 c3090472.exe

pid	process
4900	c3090472.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

a5298088.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2668	a5298088.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296
Token: SeShutdownPrivilege	3296
Token: SeCreatePagefilePrivilege	3296
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exeb2824343.exe

pid process

2960 firefox.exe
2960 firefox.exe
2960 firefox.exe
2960 firefox.exe
3460 b2824343.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2960 firefox.exe
2960 firefox.exe
2960 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2960 firefox.exe

pid	process
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
3460	b2824343.exe

pid	process
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe

pid	process
2960	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exev1943436.exev7679029.exev9111658.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4268 wrote to memory of 2676	4268	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe	v1943436.exe
PID 4268 wrote to memory of 2676	4268	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe	v1943436.exe
PID 4268 wrote to memory of 2676	4268	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe	v1943436.exe
PID 2676 wrote to memory of 2216	2676	v1943436.exe	v7679029.exe
PID 2676 wrote to memory of 2216	2676	v1943436.exe	v7679029.exe
PID 2676 wrote to memory of 2216	2676	v1943436.exe	v7679029.exe
PID 2216 wrote to memory of 4508	2216	v7679029.exe	v9111658.exe
PID 2216 wrote to memory of 4508	2216	v7679029.exe	v9111658.exe
PID 2216 wrote to memory of 4508	2216	v7679029.exe	v9111658.exe
PID 4508 wrote to memory of 2668	4508	v9111658.exe	a5298088.exe
PID 4508 wrote to memory of 2668	4508	v9111658.exe	a5298088.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2576 wrote to memory of 2960	2576	firefox.exe	firefox.exe
PID 2960 wrote to memory of 356	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 356	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe
PID 2960 wrote to memory of 4876	2960	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe
"C:\Users\Admin\AppData\Local\Temp\4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3460
      - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        6⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        8⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        8⤵
        
        PID:508
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        8⤵
        
        PID:652
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe
    3⤵
    - Executes dropped EXE
    PID:2668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.0.43703511\1596517668" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1704 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abf0999f-8d8f-4eb8-86bc-03328b1f829d} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 1796 2ac3c7d4458 gpu
    3⤵
    PID:356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.1.1061029412\33504271" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efb97705-9cb0-4945-857f-932f01db11ce} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 2152 2ac2a271958 socket
    3⤵
    PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.2.701257958\182373443" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2972 -prefsLen 21120 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28262fd2-b2e8-4b5d-852a-426ccf5ab2c1} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 2984 2ac408a5858 tab
    3⤵
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.3.1564468150\1645141114" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60343d2d-37dc-4783-8333-a3171a371f39} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 3432 2ac2a26ab58 tab
    3⤵
    PID:2156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.4.1696644958\911481334" -childID 3 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6d66397-0a63-4328-9acd-41c3f1804a7a} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 4240 2ac41ee3558 tab
    3⤵
    PID:660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.5.281701593\145645904" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 4880 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {51ff2169-b700-4073-9025-44851f6d00b8} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 4896 2ac3ed37558 tab
    3⤵
    PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.7.603799954\1301010436" -childID 6 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a96bdfbd-8e7d-48d1-aff7-95b5590a291e} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 5192 2ac43020858 tab
    3⤵
    PID:2624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.6.806397000\18386884" -childID 5 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be1c6af2-85a7-437e-921c-f951f583d145} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 5084 2ac42822e58 tab
    3⤵
    PID:2620

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:212

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\activity-stream.discovery_stream.json

Filesize
163KB

MD5
c1dbb252dce336adfdeb015b398d299f

SHA1
995b1cec25edee3fe81ea633fbde957fc9fe7a3b

SHA256
205c760ecd962fb590bc5364cdcabd78101308bf11f5992e36d1497ffd0976ce

SHA512
1885b2e94c918c48d2ba52b81c7e6b02554c88faebccfd44ea40e3fcee999867fba8f47ac1b1988795e96bb0d34756bb4016eb49b7b432f6776ac8843653fe11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\cache2\entries\ED9826654AE8BD972BDE17A9E0A449D3F881E430

Filesize
13KB

MD5
14a750435a488ba13d7b1c5696ec1c93

SHA1
db7504ecee60251935fbe58d8c7d5345a57fdcc5

SHA256
34cfc22dab1aaff09ce6358236f7502740e1feede7704609af424eb1a4a7b165

SHA512
e6151526de06b39f7fc0d69ac2cfd10699635bce0b217e4e1a9608fe1da224be83c3f9c39e288ee935740cd1614241307a6305b175d9299b9da658bc0f99152b

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe

Filesize
514KB

MD5
4a9a8315e08ab3c5ebaec761ba363846

SHA1
d78a4ae3f3736604145ae07a5318513152291156

SHA256
64f9a22fea16d876f2b3128ae763e2803fddbfe3a97cd91be8e80114deead6eb

SHA512
99b71bafd8bf1eaa9ceff84cec55735a74caad790539cc1d7235d4e6918baa240e7469aef2faa3f93bd34fb0933222ecdfc8afb1ff150f4b3d1d77a13276655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe

Filesize
514KB

MD5
4a9a8315e08ab3c5ebaec761ba363846

SHA1
d78a4ae3f3736604145ae07a5318513152291156

SHA256
64f9a22fea16d876f2b3128ae763e2803fddbfe3a97cd91be8e80114deead6eb

SHA512
99b71bafd8bf1eaa9ceff84cec55735a74caad790539cc1d7235d4e6918baa240e7469aef2faa3f93bd34fb0933222ecdfc8afb1ff150f4b3d1d77a13276655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe

Filesize
173KB

MD5
43981693053923e1a57a9fb579c4f75a

SHA1
64a21e3e3ba5121d4a799e0fccd1f20af6f82e25

SHA256
fac54a8c9f27428f3531d4cfa06c30743c51d112f5f49c564d58045b47a11fd6

SHA512
cd73973def2f972af937f6a942911af6477bcfc5b508d55100857decdf5300bf7ec1581bd1fb969236885c8e849b6471d61a331bbdad4715e2c05f9c43b4057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe

Filesize
173KB

MD5
43981693053923e1a57a9fb579c4f75a

SHA1
64a21e3e3ba5121d4a799e0fccd1f20af6f82e25

SHA256
fac54a8c9f27428f3531d4cfa06c30743c51d112f5f49c564d58045b47a11fd6

SHA512
cd73973def2f972af937f6a942911af6477bcfc5b508d55100857decdf5300bf7ec1581bd1fb969236885c8e849b6471d61a331bbdad4715e2c05f9c43b4057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe

Filesize
359KB

MD5
177599010642041a74679ae4de272585

SHA1
363baef7ab1250dd1474f07c4f340e4fc5d677d2

SHA256
5131c72cabec7a343fb00926054ea641c8b88f01dfea4afb59fa4904e5db4c8a

SHA512
1159a011c64f210c0b5f587ed83f5533a288a53bc5924aad361b540098d236042e6faac52562c98482436101827eb0072672719ef16c3ec6b83a4d654af0937c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe

Filesize
359KB

MD5
177599010642041a74679ae4de272585

SHA1
363baef7ab1250dd1474f07c4f340e4fc5d677d2

SHA256
5131c72cabec7a343fb00926054ea641c8b88f01dfea4afb59fa4904e5db4c8a

SHA512
1159a011c64f210c0b5f587ed83f5533a288a53bc5924aad361b540098d236042e6faac52562c98482436101827eb0072672719ef16c3ec6b83a4d654af0937c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe

Filesize
37KB

MD5
07d1424642ef120d01a5f8ec3655620a

SHA1
c97d7eabf451d934702e59c3bad535349d44073d

SHA256
793efa0f022bf158c4b0d70f0119e787216b911f4141fbdca7d1888480f6e604

SHA512
73081c42eb9f05ed6330a27dd35fdb4c3d526fb9abefc77337f23ab7c40e4137ae5ac99933fc9b927aaee1856addb6c1ffc311371ce7dac989c2bb6a40717d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe

Filesize
37KB

MD5
07d1424642ef120d01a5f8ec3655620a

SHA1
c97d7eabf451d934702e59c3bad535349d44073d

SHA256
793efa0f022bf158c4b0d70f0119e787216b911f4141fbdca7d1888480f6e604

SHA512
73081c42eb9f05ed6330a27dd35fdb4c3d526fb9abefc77337f23ab7c40e4137ae5ac99933fc9b927aaee1856addb6c1ffc311371ce7dac989c2bb6a40717d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe

Filesize
234KB

MD5
063c63685d99cd7886d779e6044043c5

SHA1
0bb9d6af814d1f07cc7b90202c5f00a3e50a42f9

SHA256
e53e9b5cae6d5dbf5dc867efe8e384046195c78a97642e7f4077dfa269cb5607

SHA512
ac180999f6f9aca3465b458bd6009eea1e803124c62fe01a2aa7a8848131e804dc657e734bdbf2c0cfd19dd66e3eec8efdcb1fa6aa62da14493a21d14e6f7d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe

Filesize
234KB

MD5
063c63685d99cd7886d779e6044043c5

SHA1
0bb9d6af814d1f07cc7b90202c5f00a3e50a42f9

SHA256
e53e9b5cae6d5dbf5dc867efe8e384046195c78a97642e7f4077dfa269cb5607

SHA512
ac180999f6f9aca3465b458bd6009eea1e803124c62fe01a2aa7a8848131e804dc657e734bdbf2c0cfd19dd66e3eec8efdcb1fa6aa62da14493a21d14e6f7d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe

Filesize
11KB

MD5
bbd440498315e029d0707a934d76cb98

SHA1
36503d21cccc67be0c8143f51d066f7c0d9ad3b0

SHA256
5256ce16ffd51bb8705484957104fd08108954094c1a63e96af68624a4ec23a3

SHA512
5d42afbcdcfa1ceab806af9a6547f9c1b880ba8ed8ef75d4abaa6c8523ca91018afc8d852ab6f4b63833db6d8edb2e48dae4bab12709140ddcd8fd3c978c3cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe

Filesize
11KB

MD5
bbd440498315e029d0707a934d76cb98

SHA1
36503d21cccc67be0c8143f51d066f7c0d9ad3b0

SHA256
5256ce16ffd51bb8705484957104fd08108954094c1a63e96af68624a4ec23a3

SHA512
5d42afbcdcfa1ceab806af9a6547f9c1b880ba8ed8ef75d4abaa6c8523ca91018afc8d852ab6f4b63833db6d8edb2e48dae4bab12709140ddcd8fd3c978c3cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
9851b884bf4aadfade57d911a3f03332

SHA1
aaadd1c1856c22844bb9fbb030cf4f586ed8866a

SHA256
03afb988f3eec62c2da682af371625adcac5a0e69615298f83d99365ab07ac0f

SHA512
a7de560f51bacd381d3e741f887c3c40ece88521ee93a22a4f7448297e8bda2131be866d9ae6438c528d9f40a277c18bae517deec16b6b723f67d4c308031327

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
5ec087cd9ab4b4c95f6b8238f81b613f

SHA1
0b912ab048367734de7f1506c469b66648ebfc91

SHA256
686c955c564d2af8abef8b660a6b5fea07442163bebdaa535ed90a087efafb71

SHA512
3db484c4abf552299609394016075c6c656c3aa70dd038161ad87e359f9ff4bba1f6bed2b43e3a2d27992f8970430f3d5e18c98c115bc4ee67baca5376d247e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\prefs-1.js

Filesize
7KB

MD5
c07c9682563f4422aa80130af3226023

SHA1
647f5637dcd2af757f991391011419034f791a9b

SHA256
69d64eee2721a4ae391cd2e5945d924548a6a65c44dd6b3e19d647e40cc70d88

SHA512
5c943b4dc3c0434ce9bd3a33f91a64049c7aa9b460d64b26d33a006211470480a791be353a35682994f80a322fe5d2f6eeeb1b9a9cd472f31cf1ebef382ba6bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\prefs-1.js

Filesize
6KB

MD5
2156775f2f42ab9530719b8efc22cd15

SHA1
01b41872ef0b99b0ab491e74a6d933493997504b

SHA256
6cad8ac34daa7a163467c4ecc8b24f72eea761dd7ee169c9eeb4d095bc91db35

SHA512
5ba4c9236dbf73d070998235fe4d856ba2aefd2217f9e5917287657e58260d72b4b6cdbe5f9887682a75229cfa282a9f83153e16c10fde8f391086aba384db71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
992B

MD5
db0a27c5acfa1bdf5de386e5bfcee356

SHA1
7f5d06140dac8cc32708ac27a269ce32e7786937

SHA256
8c3ce0ac46787bf8e661eec6f3b8d246932fee9536039114da20dcfcc40d71a2

SHA512
9debb3e81d02f090749cb38fa9bf39ef6f2c56e88ff0bc74238fca95492c1796df9f283333ba2d389cc4b5190ee9e1e6cdcd4f9f7b41d01e49f116234a0bb517

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1d26e45afc9253bb4ea3ea9d864d8369

SHA1
cc69983e09cf133a9d438ae7bbea2ce06be6d6e9

SHA256
3739788e1c489dee50e89923edaeba85e2ec5f4329cfaaacd0e4815a511f0d80

SHA512
0e631c8c1e49034ab226939803dacfd5eb457c0456a6e53e5e59d4c6ddf97fab2cd1a7b42596bb59ec1534b4ab84c2bf0cb3fa46d3cc5bd1ce288ba1c57dec2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
98e231868fed5bba915d850c21e8985e

SHA1
dce03fcf17c2b736715cce89a13dd5e3c5a1c002

SHA256
6c8cce9c78a73307656afcfc77d51e042796074e6475514c63890e908a2b03dd

SHA512
4930871565042cde259966c6ccecd33c8480112ee91309697e07056b533fd18ea4108f58b976ad997840332b0d4ebefc2124511bbf94a76588117632bba06cec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
678715fed9d246d215fff136afd61f5f

SHA1
bcb8994869794635b1b7bf7e87263eafe1f90d7b

SHA256
cbb0d8b1b962db19e3b3e9010738dae6e22f1a8a2be15c3744c2c90b75a1ff2c

SHA512
f7386de3d97336e73364a68669e8f3e8b9ce36a813021d69acd644237172d9a41adf316f6ea3273bc5faadb1d5665131d9d417a73bac9e8a66d126e0a0844840

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
053bf8fe0b85237a2969fe18643ce913

SHA1
d84bb1ee5f59e24380080b16f9adef18b6ed1867

SHA256
6f4ffbe383a71288d8006721fa7fe863b670fc1a9d9d501c36dc9c4a8940a1f5

SHA512
d7d95d73a6b342fa59eee20ec027a312d0c8e0b6e7cfd388888c97741996a016fb1a0639ed00ab7f872e0ebe6b8382bf47dab7aa9561c987511cdc2bb74279d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2b0281eeec6d47e6c41bc6dcb695c0dd

SHA1
655e8590926598ab6243ca90f92c06a17d356a06

SHA256
feed3c9a13f2838945b7701f123b394f4bb05a00f601bcf3f98fd447c90ee39d

SHA512
d1c4090195239609561556815d870d3b01d25b9398d3cf44fc8cc33e95cbeb3a70dc0bd9cee0984f3a8c40e4b5b16d7fa7ac3bac1a7df133204fd2bd5181a161

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
75516304fb301630d54bcc6aa8ee8e1b

SHA1
aa051705eba79ff786e967caaeb36dec201b33cc

SHA256
6ca00bd0bf800475cba279d3fb9fe4a11ae1a7b52e403304c711ca74ca59b2e0

SHA512
29de13eed56f0ef1fb1aea6fd78440d3c798b32265123475885d08a29efd47d8deb94d5ec2fb005c97d13c1dc06b4afc61f9fb487dccb1335358ae65e7816444

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.3MB

MD5
68e1f0629c82e361cf526a7d8f09c6c7

SHA1
eb53931a028b207b4c1fb0703942d7b2ef4a7127

SHA256
dda285b495f314e620a41fcef933e0397754cf3b91b8db9b10b20f7932290566

SHA512
aa60b1358d6750d1d1fdb3a31f5cfc6d6e92a17b176b9f1eb373aec565a4bdec85e8c3268552bef8b47bf309d1d59fa9c2f2d05772f47e11bcf99afb14059915

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
memory/2668-222-0x0000000004AA0000-0x0000000004BAA000-memory.dmp

Filesize
1.0MB

Download
memory/2668-224-0x0000000004A10000-0x0000000004A4E000-memory.dmp

Filesize
248KB

Download
memory/2668-227-0x0000000071AF0000-0x00000000721DE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-145-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/2668-184-0x00007FFE25B30000-0x00007FFE2651C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-220-0x0000000004840000-0x0000000004846000-memory.dmp

Filesize
24KB

Download
memory/2668-225-0x0000000004A50000-0x0000000004A9B000-memory.dmp

Filesize
300KB

Download
memory/2668-219-0x0000000071AF0000-0x00000000721DE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-223-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/2668-221-0x0000000004FA0000-0x00000000055A6000-memory.dmp

Filesize
6.0MB

Download
memory/2668-146-0x00007FFE25B30000-0x00007FFE2651C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-218-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/3296-206-0x0000000000E60000-0x0000000000E76000-memory.dmp

Filesize
88KB

Download
memory/4900-207-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4900-198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download