amadey | 09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e

Analysis

max time kernel
299s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-08-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
Size

1.8MB
MD5

a024d1e26b680dc4f36421d6bacbe980
SHA1

2e8600c97fa28f28670d25a337ae89d27eb58825
SHA256

09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e
SHA512

1045ad23a2e4bb7bb6f1c0a8eb083e25acccb3860529404982928d0f188086217f653beb3fa91dd342ee3dc25485266572079f581124a676b1e53bc04d913874
SSDEEP

24576:o+lTW7n5FSzPSvRMwlOgvPINqs1Z9Y3IViaAV1Fij9eSOuItgxn8BbyiJolc4+o3:o+lTYFC4laDe4ViatjABdyim+1

Score

10^/10

amadey stealc c7817d nord credential_access discovery evasion stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

http://31.41.244.10

Attributes

install_dir
0e8d0864aa
install_file
svoutse.exe
strings_key
5481b88a6ef75bcf21333988a4e47048
url_paths
/Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

nord

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7bf73c6bb3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7bf73c6bb3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7bf73c6bb3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe

Executes dropped EXE 8 IoCs

pid	Process
1952	svoutse.exe
1724	7bf73c6bb3.exe
2300	svoutse.exe
4340	266ac13c03.exe
1416	svoutse.exe
4176	svoutse.exe
4560	svoutse.exe
1960	svoutse.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	7bf73c6bb3.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	svoutse.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000001ab7d-44.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
424	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
1952	svoutse.exe
1724	7bf73c6bb3.exe
2300	svoutse.exe
1416	svoutse.exe
4176	svoutse.exe
4560	svoutse.exe
1960	svoutse.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\svoutse.job	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bf73c6bb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	266ac13c03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svoutse.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
424	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
424	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
1952	svoutse.exe
1952	svoutse.exe
1724	7bf73c6bb3.exe
1724	7bf73c6bb3.exe
2300	svoutse.exe
2300	svoutse.exe
1416	svoutse.exe
1416	svoutse.exe
4176	svoutse.exe
4176	svoutse.exe
4560	svoutse.exe
4560	svoutse.exe
1960	svoutse.exe
1960	svoutse.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3840	firefox.exe
Token: SeDebugPrivilege	3840	firefox.exe
Token: SeDebugPrivilege	3840	firefox.exe
Token: SeDebugPrivilege	3840	firefox.exe
Token: SeDebugPrivilege	3840	firefox.exe
Token: SeDebugPrivilege	3840	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
3840	firefox.exe
4340	266ac13c03.exe
3840	firefox.exe
3840	firefox.exe
3840	firefox.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
3840	firefox.exe
4340	266ac13c03.exe
3840	firefox.exe
3840	firefox.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe
4340	266ac13c03.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3840	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 1952	424	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe	73
PID 424 wrote to memory of 1952	424	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe	73
PID 424 wrote to memory of 1952	424	09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe	73
PID 1952 wrote to memory of 1724	1952	svoutse.exe	74
PID 1952 wrote to memory of 1724	1952	svoutse.exe	74
PID 1952 wrote to memory of 1724	1952	svoutse.exe	74
PID 1952 wrote to memory of 4340	1952	svoutse.exe	76
PID 1952 wrote to memory of 4340	1952	svoutse.exe	76
PID 1952 wrote to memory of 4340	1952	svoutse.exe	76
PID 4340 wrote to memory of 768	4340	266ac13c03.exe	77
PID 4340 wrote to memory of 768	4340	266ac13c03.exe	77
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 768 wrote to memory of 3840	768	firefox.exe	79
PID 3840 wrote to memory of 4208	3840	firefox.exe	80
PID 3840 wrote to memory of 4208	3840	firefox.exe	80
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81
PID 3840 wrote to memory of 2472	3840	firefox.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe
"C:\Users\Admin\AppData\Local\Temp\09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:424
- C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
  "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\1000013001\7bf73c6bb3.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\7bf73c6bb3.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\1000014001\266ac13c03.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\266ac13c03.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3840
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.0.215801298\1752512203" -parentBuildID 20221007134813 -prefsHandle 1696 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f900534-dc7a-4de2-9611-77e99d00d205} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 1776 1c36ca07e58 gpu
        6⤵
        
        PID:4208
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.1.1163420658\950742361" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7f28978-8606-4929-b7af-d3dd29a0a31b} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 2152 1c36b6fbf58 socket
        6⤵
        
        PID:2472
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.2.724753356\135930419" -childID 1 -isForBrowser -prefsHandle 2680 -prefMapHandle 2888 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55d5f399-a908-40ff-9dbf-f3cdf9c85ae7} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 2772 1c36f7cdb58 tab
        6⤵
        
        PID:1904
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.3.1635721849\1292791129" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e0570a9-1637-46c0-a9f2-009ff41d551c} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 3500 1c35945d258 tab
        6⤵
        
        PID:1196
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.4.1413903827\1757833184" -childID 3 -isForBrowser -prefsHandle 4776 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c4c8e35-c4d2-4df7-953b-13ecc0486c20} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 4784 1c371ec6b58 tab
        6⤵
        
        PID:1736
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.5.232057679\1379765827" -childID 4 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {362ae8a1-a606-48a8-b16c-29b0fd443881} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 4912 1c3720ed358 tab
        6⤵
        
        PID:2740
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.6.391660155\1842954242" -childID 5 -isForBrowser -prefsHandle 4800 -prefMapHandle 5088 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70268ea6-4713-4f55-a3e3-d9d73a9562d0} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 5112 1c3720ed958 tab
        6⤵
        
        PID:4716
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3840.7.2055884813\1576765981" -childID 6 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4403368-c7d0-409f-9c31-fa55829806bb} 3840 "\\.\pipe\gecko-crash-server-pipe.3840" 5592 1c373df8058 tab
        6⤵
        
        PID:2064

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\037778A55E1B7E9BED3390289866D09402D6C913

Filesize
9KB

MD5
af18cabfa915d148c4a27802525d65a3

SHA1
95526c85613f743695ff1d36d9eb07c213155a3d

SHA256
1a4434f8c06e6ae7fc276886c82d982c10695602efbcc52c54c755a89bf21148

SHA512
34bcbdea48e625584b87dbefaba381235df0f60d626d807ec9e8b9242a867ca880f88fdcf869ef92522f0bd0da17bf57ee4f73c82d66c0572d7194761c657a7b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
f2cb33363ca86bb87a181c6a008680c0

SHA1
f6bca7d31c8532da6f86e67aa243675ff592539d

SHA256
ab5c8e3cd2302ca6e3b7cbc217579b84edec367fef0a5892454b70ccdafa920b

SHA512
8d3fe78a8aa98015a13b79de8391a26302da283a7130c460e288b40b5e4ead5bb73c4354573fd396d9cfbb04743921cafb642f5f1083f6ae61bc80b9769710a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
c21010420a19d05f8bc9773877506b05

SHA1
ba76d49785c07da297cb2653d7ba4456422dd494

SHA256
5166ac806347276bce1027be701365b14d3a8ebae77f578c447d6d208623e130

SHA512
96193d6780ec610101109bd1806b4b560dfad3289323f6c400a93acdf51ce1c7765eb041b0ee4bf58aaea0c2d269e169e2a9c60233b78c66b80615e7c342f57b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
22ff1a3646379ac979211ce002bf6693

SHA1
94d64264452f30756e3feed552ed7a7978f461cc

SHA256
0eef710bbd039dd5d01dcd41e29105922b66acfe7c6cf9ac3ef7d32c4af33452

SHA512
0e0369da98b42ca0bde0e0fe0a7ec5590ada2f7feabc89d7360585ded491ba90dc53caef9722e7c50dad260fe985ea93568696dbfb23d36a671d4d17c2638382

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\F210D48319A1879FD1C5213FA010C613B99BA085

Filesize
11KB

MD5
d327c6e2b50cff07cf05fc3b19dbcc62

SHA1
3b15c088595e25d541b88560c756c88a851eed9f

SHA256
59b26135a170c008b3672c2c08ab32bfdf87c3c77d8260b9d05cd12c7af3020b

SHA512
a19144e5d666d47b5b2ea37d2e2aa3a9cfa2ff6df50222930d5a1ed7a0b9749ffcb3bc80e64f8c031ee86dcbf396c0a364a9f96a9cb5efbad5b6b930c81bfce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Filesize
1.8MB

MD5
a024d1e26b680dc4f36421d6bacbe980

SHA1
2e8600c97fa28f28670d25a337ae89d27eb58825

SHA256
09b4ceda3aafc22e079fd5547db7b77dc126dc7ca3e60012f963d59d75ccc72e

SHA512
1045ad23a2e4bb7bb6f1c0a8eb083e25acccb3860529404982928d0f188086217f653beb3fa91dd342ee3dc25485266572079f581124a676b1e53bc04d913874

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\7bf73c6bb3.exe

Filesize
1.7MB

MD5
b0c5a7e82d19864c77427dd2f5185934

SHA1
f419c6c3ec85d45f43b202dba267484b5e0db9bf

SHA256
19c61af4933da3f3acd5dbddc1623d759c2e190851ebf0da878b2cd661c414b1

SHA512
2cb54f88a057b63d87f7ecf956a90166fb62e47b33d373108d40f37b0cbfaf099ad9a38bc5431b6b2add07b44010e490b61892c2ea79c033877750a94c0e3869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\266ac13c03.exe

Filesize
1.2MB

MD5
ef47799a883833fce849449575600215

SHA1
00907e85b3c353668d7396fd51a961a68c71c9c3

SHA256
8e1117b8c78531c13208dc4b7cefe247e951d44c24374232fe8101ccc5bfb57b

SHA512
708f903cbaeb78d1d0a3b067e86d78695e8fb6f89547cc8fb62a8ab05542033f5af76b5544002e346ed97b524bb915f3fa1e1caff05dc049e8107e3f2934fc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
49407da8991a21d620d2212b685521de

SHA1
1fd08a2c0fbe32c2ab875cdca3b8a4e6abc290cb

SHA256
f8db6958245e7652bf3e484fd6b6b23466d11682cf7911a79a53bda83cd8e3c3

SHA512
a61a50069de8ee095d524d09eaa93619a7a0b7abbbdb32582c1a2fa0069dbf84b1e106f3797aa371ad2892314ec05b01e6b43944fadaed1d37602bbea14dde02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\bookmarkbackups\bookmarks-2024-08-22_11_ynjabA+xcPNHPZU1gEyrew==.jsonlz4

Filesize
946B

MD5
bc3030c50bf86982219a2ef0685a4342

SHA1
f5959d9850ba5f1b0e7ac71cfa35550c0dfb6c85

SHA256
5e38cdcb2dda5e8038815eb31f05ec6bf9d4db0718af6443aa4247fb70d888d6

SHA512
7970c02c7a335c3b1ae73f9363fd3282f495ddb8238947af59828eca4c52345e5ed2801e2b766b86d13f1fd784629ea86dba711711cc0760fcd579e11c0dae8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f5a91e5ad81bac423d34746b829bde08

SHA1
0d86c7abbba56de767e30cea08a546be375ee064

SHA256
d1fca263b15d152e1dcca3bd8ab99d05940ece47395f8f41d3f1421afbcdfa42

SHA512
95030dff11bb6cf3997b0b45d99cab555220021a66be2cd37d5fa54309add52f304a07db496f1fb847c50d15df714ec85cfec09d835e09b300a81b787cc2b3d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\20a3b184-5c33-49cf-964d-7dfc801f437f

Filesize
746B

MD5
8ad67a1ad39416d2fa61c7c336aa586b

SHA1
53b254fd7e5f107638ade98763ff0a321cdc85c4

SHA256
0fdeb9149bbe5800345c53e57d383f70c0d3a7b2f1e02d3dd7c4c7d2a40c2717

SHA512
3ac6232dc752a863e21200aa51d2dddef039547ee5b68bbcb5d19e4d0696b0327a2a4179a3e589b6813bb70e90a14db0b87c1431c33e627dedb130b2517bdbad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\dcb784fb-ad48-4f2a-bb6e-b12eb0210dc6

Filesize
9KB

MD5
ed895b1aa72d4e9d8de3b2c4394ed4a5

SHA1
19959564524eab37c1341d19f649a3f9e4a12123

SHA256
40616a0645011181eef82d12c43c9cf64fd1b75519cd4767835291c8e88965e5

SHA512
bebace6aadf4532561c960de57fb5015c3b40b44d665e0ed82dde7c8451355a8fccd4227846107146f0e2eb24242e980c2e099cc00aec2999ede5ef62b6c01ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
7KB

MD5
207f581da5528c83108c8779c414623b

SHA1
a39e09d4b627b7dddb60ea944525afca02c5d92f

SHA256
7df1cfd48cddc68e37844ab643b1bad3edc23ce8af9929d76ef336063589d9fe

SHA512
9caa8f7997d1edd3cfb93746a1eda65cc31986734f4d4a4ba2264309808a552cdeb612ae6c6bb3330932c0be2501a21361d83c1832b0b6bfe069ea515baaa3c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
2b08278fa00e1e3621a206ca2aff5922

SHA1
4058157bb67778f99055666d876ed27d3945eb3c

SHA256
351845da4eb5bd7c662037d96a58e6b083a6ff9f20b48cd8801a7cc3d4b1bb6b

SHA512
e27f2ee7c9d959041c2ee7bf8cb91e584f86e93fac26cebe85e2af6c155f2ac558c49282689312100c6ebc3ff0907842522adbe3d1e010ad67745614f76f8a95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
7KB

MD5
d817418940f7ac0a9203ef074489af52

SHA1
5d749dcd5f7acaebfa4eb8decc0a36117bd5a47a

SHA256
35146045b90444dc2c3912e34570a9da9cbaf100da7b7e6d9553542d68feddb5

SHA512
b6f46b41abab2a1611e8cf8fa6144fa007328455cdd2d84e574fd03ba72c4d09e9314a2bee7bf58527dd9275da1303f9b929e719c549f4b401e9063b2602821a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
70bb90bb501bb6b84a5d56ef243b5647

SHA1
bd909f8f167e2dce29a9fd59b130b8b382a00eb9

SHA256
f7fb9ebb9042363b3fbc433a39fb3c2be499e6f4d784df5f1bef56ab64d77433

SHA512
a857c801b90ba4d6d370d6e421748ab029211181cc900eb645da056036bcbf42a87167ff3a0fe685370198299289bb971c6cdf439f8a4f1bcdd2ab9a4aaefde8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5c3b4255255a54bbe560439bc3787714

SHA1
44ee5913ac3369620fce3e6b1484a87e8cf62150

SHA256
116b7dec5732bf2de62b25560400b4bbc3465f9fc981b9c63fe8f18ef5749467

SHA512
3b4236ab83694d537837e116e2f895badd12bc4b298e01528df1dccdeeb1498f3c5abd940b9b9c7b40c946dfbed48f696f06e0f9397caf5684ef114392b00c4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b4ddbe242d79b013298aa2bbc5cb7b3c

SHA1
78bf2a5a76d16d924ed8eda058c905237a070548

SHA256
7c887c80dbef1ae82c7d580eaf80eb8646c19279589905029a503215638e5027

SHA512
cabb33ee9de7e4497a85a304740e6ae9d873ef823937a1b7d4f09110f3fc71dbd067cc2492003ad7b8f8d6a0bf7cad3a6012d9818b61b22c928acc33021e6960

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
200KB

MD5
ca75850e82be0a3c6a60cc378cb1dafe

SHA1
fe8c79660a10205633cbc9815d29f84eadf74982

SHA256
59705d33b83cb23025b41a134e4ecb922775265eb816dda55edec29f21f2cb8e

SHA512
b9a10c40c9394e305919d713d881c98069a865a992c41b2b434e3e7bf8a63ebffd075801e51d554950b6c17a73892b2befc69a3fa3bf7a1a43ceaf725580e273

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\targeting.snapshot.json

Filesize
3KB

MD5
325614ce7d4c6cd5b9b5f5e39a2153eb

SHA1
579d166fd3720ac027eb2f8a8867b3c7c9d956f4

SHA256
e18671d67475c3cd0678bd527be8406262e7c7a9c212af963fc3d082e7304ac1

SHA512
93e9ad0033edad484c9350aad72e4f64c49915e514ba40e70d66933fd01331d379b8254c21be7993f06b0d04383ec4006d93ea94976b52b8b9fea04192e99fdf

Download Submit
memory/424-3-0x0000000001020000-0x00000000014DD000-memory.dmp

Filesize
4.7MB

Download
memory/424-5-0x0000000001020000-0x00000000014DD000-memory.dmp

Filesize
4.7MB

Download
memory/424-14-0x0000000001020000-0x00000000014DD000-memory.dmp

Filesize
4.7MB

Download
memory/424-2-0x0000000001021000-0x000000000104F000-memory.dmp

Filesize
184KB

Download
memory/424-0-0x0000000001020000-0x00000000014DD000-memory.dmp

Filesize
4.7MB

Download
memory/424-1-0x00000000776D4000-0x00000000776D5000-memory.dmp

Filesize
4KB

Download
memory/1416-297-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1416-298-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1724-36-0x0000000001210000-0x0000000001895000-memory.dmp

Filesize
6.5MB

Download
memory/1724-32-0x0000000001210000-0x0000000001895000-memory.dmp

Filesize
6.5MB

Download
memory/1952-31-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-334-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-18-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-299-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-304-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-305-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-306-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-307-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-308-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-178-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-404-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-312-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-318-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-319-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-320-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-325-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-326-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-399-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-330-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-332-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-333-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-294-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-335-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-17-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-16-0x0000000001071000-0x000000000109F000-memory.dmp

Filesize
184KB

Download
memory/1952-398-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-15-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-258-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-397-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-38-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-39-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-211-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-383-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-195-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1952-386-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/1960-385-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/2300-37-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/2300-34-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/4176-311-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/4176-310-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download
memory/4560-329-0x0000000001070000-0x000000000152D000-memory.dmp

Filesize
4.7MB

Download