amadey | 4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe
Size

639KB
MD5

4b9a2c82dae5a6747c9b6a635874fe1b
SHA1

16849642f7562fb28a7c57493ede6dc14e71e423
SHA256

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce
SHA512

3ef6541eb83fa9734b0277ba753b449f4c2f47d3f8e0b6e46cfcd0c706e0e4c91478f883b1698755351ada6dec7f463562f31f832aa23f7e84c904b3b8ff6a5d
SSDEEP

12288:iMrNy90KItLD9U6csc0Wlc5ao392/gTlYQbOH8t4MhxphtwML/:XyhAlpcw391pjOYFrjr

Score

10^/10

amadey healer redline smokeloader papik backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

77.91.68.61/rock/index.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

papik

77.91.124.156:19071

Attributes

auth_value
325a615d8be5db8e2f7a4c2448fdac3a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe	healer
behavioral1/memory/2052-161-0x0000000000E00000-0x0000000000E0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a5298088.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5298088.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5298088.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 11 IoCs

Processes:

v1943436.exev7679029.exev9111658.exea5298088.exeb2824343.exepdates.exec3090472.exepdates.exed9855588.exepdates.exepdates.exe

pid	process
2640	v1943436.exe
3084	v7679029.exe
1040	v9111658.exe
2052	a5298088.exe
5308	b2824343.exe
5504	pdates.exe
5536	c3090472.exe
5800	pdates.exe
5852	d9855588.exe
1504	pdates.exe
5188	pdates.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5520 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a5298088.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5298088.exe

pid	process
5520	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5298088.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exev1943436.exev7679029.exev9111658.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1943436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7679029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9111658.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5596 schtasks.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings firefox.exe

pid	process
5596	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a5298088.exec3090472.exe

pid	process
2052	a5298088.exe
2052	a5298088.exe
5536	c3090472.exe
5536	c3090472.exe
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c3090472.exe

pid process

5536 c3090472.exe

pid	process
5536	c3090472.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

a5298088.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2052	a5298088.exe
Token: SeDebugPrivilege	4768	firefox.exe
Token: SeDebugPrivilege	4768	firefox.exe
Token: SeShutdownPrivilege	2628
Token: SeCreatePagefilePrivilege	2628
Token: SeShutdownPrivilege	2628
Token: SeCreatePagefilePrivilege	2628
Token: SeDebugPrivilege	4768	firefox.exe
Token: SeDebugPrivilege	4768	firefox.exe
Token: SeDebugPrivilege	4768	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

firefox.exeb2824343.exe

pid process

4768 firefox.exe
4768 firefox.exe
4768 firefox.exe
4768 firefox.exe
5308 b2824343.exe
2628
2628
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4768 firefox.exe
4768 firefox.exe
4768 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4768 firefox.exe

pid	process
4768	firefox.exe
4768	firefox.exe
4768	firefox.exe
4768	firefox.exe
5308	b2824343.exe
2628
2628

pid	process
4768	firefox.exe
4768	firefox.exe
4768	firefox.exe

pid	process
4768	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exev1943436.exev7679029.exev9111658.exefirefox.exefirefox.exe

description	pid	process	target process
PID 5104 wrote to memory of 2640	5104	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe	v1943436.exe
PID 5104 wrote to memory of 2640	5104	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe	v1943436.exe
PID 5104 wrote to memory of 2640	5104	4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe	v1943436.exe
PID 2640 wrote to memory of 3084	2640	v1943436.exe	v7679029.exe
PID 2640 wrote to memory of 3084	2640	v1943436.exe	v7679029.exe
PID 2640 wrote to memory of 3084	2640	v1943436.exe	v7679029.exe
PID 3084 wrote to memory of 1040	3084	v7679029.exe	v9111658.exe
PID 3084 wrote to memory of 1040	3084	v7679029.exe	v9111658.exe
PID 3084 wrote to memory of 1040	3084	v7679029.exe	v9111658.exe
PID 1040 wrote to memory of 2052	1040	v9111658.exe	a5298088.exe
PID 1040 wrote to memory of 2052	1040	v9111658.exe	a5298088.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 1360 wrote to memory of 4768	1360	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2636	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2636	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe
PID 4768 wrote to memory of 2348	4768	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe
"C:\Users\Admin\AppData\Local\Temp\4ada782bf1a9a2fd7b1e5c351fd4ecaaafd19e9e07ae9a26847b65bf48c318ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:5308
      - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        6⤵
        Executes dropped EXE
        
        PID:5504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        8⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        8⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        8⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:5520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:5536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe
    3⤵
    - Executes dropped EXE
    PID:5852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.0.1410870704\706922323" -parentBuildID 20221007134813 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {702855e0-4eec-44c3-be2e-8460b9b6f160} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 1908 2b6bb503b58 gpu
    3⤵
    PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.1.1252666539\1852877666" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50261481-2234-44db-a38b-9d2de38e0586} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2364 2b6b9f31158 socket
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.2.2115263868\1002851555" -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3168 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a23ccabd-e1fa-49d9-8494-01c0895c9abb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3056 2b6be2afa58 tab
    3⤵
    PID:1260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.3.268223406\1755348444" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05babee3-7ed3-4b74-8d38-a33f4db419c5} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2912 2b6bf219d58 tab
    3⤵
    PID:1304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.4.520421987\1122227975" -childID 3 -isForBrowser -prefsHandle 4424 -prefMapHandle 4396 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c45e707c-8471-42c7-b184-117b1558eadb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4452 2b6c029c858 tab
    3⤵
    PID:824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.5.1278070583\880019882" -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5200 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8410bb50-52ae-4836-a2c6-9f07ea4536ab} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5248 2b6adc61f58 tab
    3⤵
    PID:2128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.7.1150502628\1052417766" -childID 6 -isForBrowser -prefsHandle 5424 -prefMapHandle 5288 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3880b13-0603-42dd-a18f-9a5c88342aa5} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5392 2b6c05f9e58 tab
    3⤵
    PID:2692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.6.1975988265\1039217133" -childID 5 -isForBrowser -prefsHandle 5276 -prefMapHandle 5264 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e13d13e0-c531-4619-90ad-7890b6663899} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5288 2b6c05fce58 tab
    3⤵
    PID:4992

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:5800

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\suuk1m1w.default-release\activity-stream.discovery_stream.json.tmp

Filesize
163KB

MD5
d5ca732494fb4bbcac825592bc968591

SHA1
81d8c1149b681f02b4dc072545920e9ea9ef15fe

SHA256
d13fbea2c6b7c98533099772dc73761a5e24000f7914c4b4ab161849f162369f

SHA512
82da55fc6924337ac1cbfe53d7469969d6ef20854d5f685258a6f4377eb6c07f0e7d23a0367670fb6ed7b93923c111d0aa02bab96662c9c20f81269334b09073

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\suuk1m1w.default-release\cache2\entries\ED9826654AE8BD972BDE17A9E0A449D3F881E430

Filesize
13KB

MD5
31b964d1db65028aee3e6a0939749a76

SHA1
f695cb0a125d071e8dc72fb5b1c6254d6f96951d

SHA256
bec894f333461851881d5274d72167bd39192e1b2a743f76d91711f1b5d8817b

SHA512
7487c64ae2be5fa4963dc1f9e69dc5ce909cb5d16636be42dcd9694d8c25422760405ca5a903dd60c583cd7f51bef45470e445e2820d0be0c8dadad313312c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe

Filesize
514KB

MD5
4a9a8315e08ab3c5ebaec761ba363846

SHA1
d78a4ae3f3736604145ae07a5318513152291156

SHA256
64f9a22fea16d876f2b3128ae763e2803fddbfe3a97cd91be8e80114deead6eb

SHA512
99b71bafd8bf1eaa9ceff84cec55735a74caad790539cc1d7235d4e6918baa240e7469aef2faa3f93bd34fb0933222ecdfc8afb1ff150f4b3d1d77a13276655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1943436.exe

Filesize
514KB

MD5
4a9a8315e08ab3c5ebaec761ba363846

SHA1
d78a4ae3f3736604145ae07a5318513152291156

SHA256
64f9a22fea16d876f2b3128ae763e2803fddbfe3a97cd91be8e80114deead6eb

SHA512
99b71bafd8bf1eaa9ceff84cec55735a74caad790539cc1d7235d4e6918baa240e7469aef2faa3f93bd34fb0933222ecdfc8afb1ff150f4b3d1d77a13276655a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe

Filesize
173KB

MD5
43981693053923e1a57a9fb579c4f75a

SHA1
64a21e3e3ba5121d4a799e0fccd1f20af6f82e25

SHA256
fac54a8c9f27428f3531d4cfa06c30743c51d112f5f49c564d58045b47a11fd6

SHA512
cd73973def2f972af937f6a942911af6477bcfc5b508d55100857decdf5300bf7ec1581bd1fb969236885c8e849b6471d61a331bbdad4715e2c05f9c43b4057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9855588.exe

Filesize
173KB

MD5
43981693053923e1a57a9fb579c4f75a

SHA1
64a21e3e3ba5121d4a799e0fccd1f20af6f82e25

SHA256
fac54a8c9f27428f3531d4cfa06c30743c51d112f5f49c564d58045b47a11fd6

SHA512
cd73973def2f972af937f6a942911af6477bcfc5b508d55100857decdf5300bf7ec1581bd1fb969236885c8e849b6471d61a331bbdad4715e2c05f9c43b4057a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe

Filesize
359KB

MD5
177599010642041a74679ae4de272585

SHA1
363baef7ab1250dd1474f07c4f340e4fc5d677d2

SHA256
5131c72cabec7a343fb00926054ea641c8b88f01dfea4afb59fa4904e5db4c8a

SHA512
1159a011c64f210c0b5f587ed83f5533a288a53bc5924aad361b540098d236042e6faac52562c98482436101827eb0072672719ef16c3ec6b83a4d654af0937c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7679029.exe

Filesize
359KB

MD5
177599010642041a74679ae4de272585

SHA1
363baef7ab1250dd1474f07c4f340e4fc5d677d2

SHA256
5131c72cabec7a343fb00926054ea641c8b88f01dfea4afb59fa4904e5db4c8a

SHA512
1159a011c64f210c0b5f587ed83f5533a288a53bc5924aad361b540098d236042e6faac52562c98482436101827eb0072672719ef16c3ec6b83a4d654af0937c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe

Filesize
37KB

MD5
07d1424642ef120d01a5f8ec3655620a

SHA1
c97d7eabf451d934702e59c3bad535349d44073d

SHA256
793efa0f022bf158c4b0d70f0119e787216b911f4141fbdca7d1888480f6e604

SHA512
73081c42eb9f05ed6330a27dd35fdb4c3d526fb9abefc77337f23ab7c40e4137ae5ac99933fc9b927aaee1856addb6c1ffc311371ce7dac989c2bb6a40717d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3090472.exe

Filesize
37KB

MD5
07d1424642ef120d01a5f8ec3655620a

SHA1
c97d7eabf451d934702e59c3bad535349d44073d

SHA256
793efa0f022bf158c4b0d70f0119e787216b911f4141fbdca7d1888480f6e604

SHA512
73081c42eb9f05ed6330a27dd35fdb4c3d526fb9abefc77337f23ab7c40e4137ae5ac99933fc9b927aaee1856addb6c1ffc311371ce7dac989c2bb6a40717d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe

Filesize
234KB

MD5
063c63685d99cd7886d779e6044043c5

SHA1
0bb9d6af814d1f07cc7b90202c5f00a3e50a42f9

SHA256
e53e9b5cae6d5dbf5dc867efe8e384046195c78a97642e7f4077dfa269cb5607

SHA512
ac180999f6f9aca3465b458bd6009eea1e803124c62fe01a2aa7a8848131e804dc657e734bdbf2c0cfd19dd66e3eec8efdcb1fa6aa62da14493a21d14e6f7d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9111658.exe

Filesize
234KB

MD5
063c63685d99cd7886d779e6044043c5

SHA1
0bb9d6af814d1f07cc7b90202c5f00a3e50a42f9

SHA256
e53e9b5cae6d5dbf5dc867efe8e384046195c78a97642e7f4077dfa269cb5607

SHA512
ac180999f6f9aca3465b458bd6009eea1e803124c62fe01a2aa7a8848131e804dc657e734bdbf2c0cfd19dd66e3eec8efdcb1fa6aa62da14493a21d14e6f7d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe

Filesize
11KB

MD5
bbd440498315e029d0707a934d76cb98

SHA1
36503d21cccc67be0c8143f51d066f7c0d9ad3b0

SHA256
5256ce16ffd51bb8705484957104fd08108954094c1a63e96af68624a4ec23a3

SHA512
5d42afbcdcfa1ceab806af9a6547f9c1b880ba8ed8ef75d4abaa6c8523ca91018afc8d852ab6f4b63833db6d8edb2e48dae4bab12709140ddcd8fd3c978c3cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5298088.exe

Filesize
11KB

MD5
bbd440498315e029d0707a934d76cb98

SHA1
36503d21cccc67be0c8143f51d066f7c0d9ad3b0

SHA256
5256ce16ffd51bb8705484957104fd08108954094c1a63e96af68624a4ec23a3

SHA512
5d42afbcdcfa1ceab806af9a6547f9c1b880ba8ed8ef75d4abaa6c8523ca91018afc8d852ab6f4b63833db6d8edb2e48dae4bab12709140ddcd8fd3c978c3cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2824343.exe

Filesize
227KB

MD5
816bae1c1895ce3277ecfad5577722b6

SHA1
cf85d34a84f2f7931d1852314d4deaf34e4aefa4

SHA256
d6037d67f4ecfb120a7654ef87d402f71f405473805adb49908aa2e2fc8bca0c

SHA512
ce8769a5a551b43b9a7efc0ddc6c0c35025e81476cb274a28087f8fe48fbf7e77bbacc18ba35677d58c5d96b8156d8dd8ceb951c75c93c55da2274535e7f9994

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
9851b884bf4aadfade57d911a3f03332

SHA1
aaadd1c1856c22844bb9fbb030cf4f586ed8866a

SHA256
03afb988f3eec62c2da682af371625adcac5a0e69615298f83d99365ab07ac0f

SHA512
a7de560f51bacd381d3e741f887c3c40ece88521ee93a22a4f7448297e8bda2131be866d9ae6438c528d9f40a277c18bae517deec16b6b723f67d4c308031327

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js

Filesize
8KB

MD5
bc9f9bc008a9dff4766fed94101723ac

SHA1
99f890dcf3d61f6bf540273bb26d796b33b75a28

SHA256
668349441c176f9dba6b4bb5290f6b42d093c9dc38bf42da38707cf9428d822e

SHA512
7248c817477052772163eb84d91d671c5f12741d02404611750884684b62780485505fd14ec50770c9892e2024496da40669b2645fe947507fdaa6ed2cefc743

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs-1.js

Filesize
6KB

MD5
71e9dc49efad5565a534d02332d62bb0

SHA1
20b10d6719a47ff0b8a562c51ba5b2af5d4e272c

SHA256
89c07b5cd869ff26bbf22a83d441093d9c4889a13fd2b4dd8a8e73ff8bc35f16

SHA512
757eb98960c676b685608a7a4f63d84081c8542b8882eb9eca324e55e501dcac964a9fb21596fe7921ac33d29b65d3e668f8ada47e047f060de09c4dfd304f30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a725e010d27016be1e688ab58b45dd71

SHA1
d2632dba7f20c65c2eaa34dbdbaee3162410246b

SHA256
bcb97011aac99ab21d93f895560f0747aad210289287e9a17fa9603089598cd1

SHA512
46c621556f74a9bacdc27a89095973e7139520b844b466caec5ad3534c921932640743c271a0dd7203ff6cf56911cd21698619bc9eb0f2f3f7b2701c2ae706a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
987B

MD5
c469145b9dc2b9d221fb33e220320de8

SHA1
16a8ee309d72f97b578d3977e21770da216f2ef8

SHA256
e4786ff0b11d670d8cf9a971820d6691a3165a955fc09c40565bc7cf6547690b

SHA512
dae5d8c7c05679a52d8d979b60493864432860d807aa93e624ae2addbe79631ecaa225fe1e79751478c0d968a43d5ed8f303f71db3809c0385bd72eadb48f052

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
394e7236ab89f3baa95ef63b93f881bb

SHA1
8f2efa10a9412137d159f7150b44201173d8d8b7

SHA256
aee6c564f0718c094b62e9dd568dd37f4d8abe27fd46905b41af3405489fc08a

SHA512
db5c8dcb890af6d331a734150fce0b363d9ae373565c03c1a219cd3249d7f4779249f0a83f28bd30351f8d3e7eb6f9562833844a71c22b4b3c4a14dcd16f6374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
de7b6688528de17d3e799bd2576aaec9

SHA1
6541583c7a8f88d9213853da7f142bff91c07fdd

SHA256
62fd1cedc98344354aececeae8dc77441b6fb8b8f39bf23ce96026d20ad8d8f4

SHA512
c26b2eb3554e35c2c648957cbe09c55efe80210684c4037d173393005956bb5f0fd3339f786c37a22d6255daed50f3d9bd187adbe01f56ada9f2431fdebb728e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
eaec4996b5284cc47ae512c6d34b1be8

SHA1
c05759296c0847caba37fc64ddb7db9166d077d9

SHA256
227db2a0eeb1f5fb83cd2c401620b4ea6f94a6e8a504e76065456fd7dab94b11

SHA512
74cd41eb8f04569a15fc23c46db6a33da9c775788a0485d8f88d1af23588203d79467b77b7c2835a696b39ad803c884201122db3d2b987a70a9ab1f6fcf4cb25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
151d10e7840a73947ad4d4802bcdb5e6

SHA1
17c374f8a0276276289f40bed50e564852973d90

SHA256
bac9fd699b2c7e3c1321f9b9f6fa9ff81f464a594f5ce4f844e3e80347c508bd

SHA512
6a21db85e0f5046de9c5c23b003b743bfcd202dc5c728d4165026e8d0ac584711276e946b5a334596f3ef1804b1cc3aba9f18723f034663c29ed6f1a40cdfbea

Download Submit
memory/2052-162-0x00007FF879850000-0x00007FF87A311000-memory.dmp

Filesize
10.8MB

Download
memory/2052-209-0x00007FF879850000-0x00007FF87A311000-memory.dmp

Filesize
10.8MB

Download
memory/2052-207-0x00007FF879850000-0x00007FF87A311000-memory.dmp

Filesize
10.8MB

Download
memory/2052-161-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/2628-232-0x00000000027C0000-0x00000000027D6000-memory.dmp

Filesize
88KB

Download
memory/5536-226-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5536-233-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5852-255-0x0000000072FB0000-0x0000000073760000-memory.dmp

Filesize
7.7MB

Download
memory/5852-240-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/5852-246-0x00000000050D0000-0x000000000510C000-memory.dmp

Filesize
240KB

Download
memory/5852-245-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/5852-244-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/5852-243-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/5852-242-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download
memory/5852-241-0x0000000072FB0000-0x0000000073760000-memory.dmp

Filesize
7.7MB

Download
memory/5852-256-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download