agenttesla | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
45s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

agenttesla stealc vidar default rave discovery evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

stealc

Botnet

rave

http://185.215.113.103

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.jeepcommerce.rs
Port:
21
Username:
[email protected]
Password:
QtU[bF0Zo#+M

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Vidar Stealer 20 IoCs

stealer

Processes:

resource	yara_rule
behavioral4/memory/672-128-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-130-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-124-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/4592-164-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/4592-162-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/4592-160-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/1784-292-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/1784-294-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/1784-290-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/1588-310-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/1588-308-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/1588-306-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-336-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-337-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-353-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-362-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-364-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-373-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-365-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral4/memory/672-380-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ game.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	game.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

game.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	game.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	game.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Text Document mod.exe231.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	231.tmp

Executes dropped EXE 14 IoCs

Processes:

66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exegame.exe66eaee5323f5d_setup3.exeMSYXH9ZYL05YS.exe231.exe231.tmpvfagms15.exe231.exevsfdajg16.exelnfsda.exe231.tmpvkfsags12.exesmdsg.exe

pid	process
3548	66eb0d09c9f08_Gads.exe
3632	66eaf17e9bd9e_Softwarepaxck.exe
2256	game.exe
4024	66eaee5323f5d_setup3.exe
1756	MSYXH9ZYL05YS.exe
2640	231.exe
1792	231.tmp
3452	vfagms15.exe
4400	231.exe
4524	vsfdajg16.exe
3240	lnfsda.exe
4820	231.tmp
1468	vkfsags12.exe
3216	smdsg.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

game.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine game.exe
Loads dropped DLL 2 IoCs

Processes:

231.tmp231.tmp

pid process

1792 231.tmp
4820 231.tmp
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

95 bitbucket.org
96 bitbucket.org

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Wine	game.exe

pid	process
1792	231.tmp
4820	231.tmp

flow	ioc
95	bitbucket.org
96	bitbucket.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\random.exe	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5060 tasklist.exe
4136 tasklist.exe
1828 tasklist.exe
5024 tasklist.exe
3192 tasklist.exe
3452 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

game.exe

pid process

2256 game.exe

pid	process
5060	tasklist.exe
4136	tasklist.exe
1828	tasklist.exe
5024	tasklist.exe
3192	tasklist.exe
3452	tasklist.exe

pid	process
2256	game.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exevfagms15.exevsfdajg16.exe

description	pid	process	target process
PID 3548 set thread context of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3632 set thread context of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3452 set thread context of 672	3452	vfagms15.exe	RegAsm.exe
PID 4524 set thread context of 4592	4524	vsfdajg16.exe	RegAsm.exe

Drops file in Program Files directory 1 IoCs

Processes:

BitLockerToGo.exe

description ioc process

File created C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe BitLockerToGo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe	BitLockerToGo.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2248	4024	WerFault.exe	66eaee5323f5d_setup3.exe
5480	6128	WerFault.exe
5524	3688	WerFault.exe	B.exe
5168	4892	WerFault.exe	66e9359d801ce_sbgfds.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

game.exeMSYXH9ZYL05YS.exevsfdajg16.exe231.tmp66eb0d09c9f08_Gads.exeBitLockerToGo.exeBitLockerToGo.exe231.exe231.tmp231.exeRegAsm.exe66eaee5323f5d_setup3.exevfagms15.exe66eaf17e9bd9e_Softwarepaxck.exeRegAsm.exelnfsda.exevkfsags12.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSYXH9ZYL05YS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsfdajg16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eb0d09c9f08_Gads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaee5323f5d_setup3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfagms15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66eaf17e9bd9e_Softwarepaxck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lnfsda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkfsags12.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

66eaee5323f5d_setup3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66eaee5323f5d_setup3.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4316 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

game.exeRegAsm.exe231.tmp

pid process

2256 game.exe
2256 game.exe
672 RegAsm.exe
672 RegAsm.exe
4820 231.tmp
4820 231.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New Text Document mod.exe

description pid process

Token: SeDebugPrivilege 3476 New Text Document mod.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

231.tmp

pid process

4820 231.tmp

pid	process
4316	timeout.exe

pid	process
2256	game.exe
2256	game.exe
672	RegAsm.exe
672	RegAsm.exe
4820	231.tmp
4820	231.tmp

description	pid	process
Token: SeDebugPrivilege	3476	New Text Document mod.exe

pid	process
4820	231.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exe66eb0d09c9f08_Gads.exe66eaf17e9bd9e_Softwarepaxck.exeBitLockerToGo.exe231.exe231.tmp231.exevfagms15.exe

description	pid	process	target process
PID 3476 wrote to memory of 3548	3476	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 3476 wrote to memory of 3548	3476	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 3476 wrote to memory of 3548	3476	New Text Document mod.exe	66eb0d09c9f08_Gads.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3476 wrote to memory of 3632	3476	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 3476 wrote to memory of 3632	3476	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 3476 wrote to memory of 3632	3476	New Text Document mod.exe	66eaf17e9bd9e_Softwarepaxck.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3476 wrote to memory of 2256	3476	New Text Document mod.exe	game.exe
PID 3476 wrote to memory of 2256	3476	New Text Document mod.exe	game.exe
PID 3476 wrote to memory of 2256	3476	New Text Document mod.exe	game.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3476 wrote to memory of 4024	3476	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 3476 wrote to memory of 4024	3476	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 3476 wrote to memory of 4024	3476	New Text Document mod.exe	66eaee5323f5d_setup3.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3548 wrote to memory of 1828	3548	66eb0d09c9f08_Gads.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 3632 wrote to memory of 4464	3632	66eaf17e9bd9e_Softwarepaxck.exe	BitLockerToGo.exe
PID 4464 wrote to memory of 1756	4464	BitLockerToGo.exe	MSYXH9ZYL05YS.exe
PID 4464 wrote to memory of 1756	4464	BitLockerToGo.exe	MSYXH9ZYL05YS.exe
PID 4464 wrote to memory of 1756	4464	BitLockerToGo.exe	MSYXH9ZYL05YS.exe
PID 3476 wrote to memory of 2640	3476	New Text Document mod.exe	231.exe
PID 3476 wrote to memory of 2640	3476	New Text Document mod.exe	231.exe
PID 3476 wrote to memory of 2640	3476	New Text Document mod.exe	231.exe
PID 2640 wrote to memory of 1792	2640	231.exe	231.tmp
PID 2640 wrote to memory of 1792	2640	231.exe	231.tmp
PID 2640 wrote to memory of 1792	2640	231.exe	231.tmp
PID 3476 wrote to memory of 3452	3476	New Text Document mod.exe	vfagms15.exe
PID 3476 wrote to memory of 3452	3476	New Text Document mod.exe	vfagms15.exe
PID 3476 wrote to memory of 3452	3476	New Text Document mod.exe	vfagms15.exe
PID 1792 wrote to memory of 4400	1792	231.tmp	231.exe
PID 1792 wrote to memory of 4400	1792	231.tmp	231.exe
PID 1792 wrote to memory of 4400	1792	231.tmp	231.exe
PID 3476 wrote to memory of 4524	3476	New Text Document mod.exe	vsfdajg16.exe
PID 3476 wrote to memory of 4524	3476	New Text Document mod.exe	vsfdajg16.exe
PID 3476 wrote to memory of 4524	3476	New Text Document mod.exe	vsfdajg16.exe
PID 3476 wrote to memory of 3240	3476	New Text Document mod.exe	lnfsda.exe
PID 3476 wrote to memory of 3240	3476	New Text Document mod.exe	lnfsda.exe
PID 3476 wrote to memory of 3240	3476	New Text Document mod.exe	lnfsda.exe
PID 4400 wrote to memory of 4820	4400	231.exe	231.tmp
PID 4400 wrote to memory of 4820	4400	231.exe	231.tmp
PID 4400 wrote to memory of 4820	4400	231.exe	231.tmp
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe
PID 3452 wrote to memory of 672	3452	vfagms15.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1828
- C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe
      "C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1756
- C:\Users\Admin\AppData\Local\Temp\a\game.exe
  "C:\Users\Admin\AppData\Local\Temp\a\game.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 352
    3⤵
    - Program crash
    PID:2248
- C:\Users\Admin\AppData\Local\Temp\a\231.exe
  "C:\Users\Admin\AppData\Local\Temp\a\231.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\is-61SN8.tmp\231.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-61SN8.tmp\231.tmp" /SL5="$B01E8,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\a\231.exe
      "C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Users\Admin\AppData\Local\Temp\is-VM3Q2.tmp\231.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VM3Q2.tmp\231.tmp" /SL5="$E0046,10740751,812544,C:\Users\Admin\AppData\Local\Temp\a\231.exe" /VERYSILENT /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4820
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        6⤵
        
        PID:4888
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:5024
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        7⤵
        
        PID:2184
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        6⤵
        
        PID:932
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:3192
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        7⤵
        
        PID:4404
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        6⤵
        
        PID:3704
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:3452
        
        C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        7⤵
        
        PID:452
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        6⤵
        
        PID:1468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:5060
        
        C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        7⤵
        
        PID:3996
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        6⤵
        
        PID:3868
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:4136
        
        C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        7⤵
        
        PID:1020
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        6⤵
        
        PID:2028
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:1828
        
        C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        7⤵
        
        PID:1748
      - C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
        6⤵
        
        PID:3292
- C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:672
  - - C:\ProgramData\KJEHDHIEGI.exe
      "C:\ProgramData\KJEHDHIEGI.exe"
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCBGCGHDGIEG" & exit
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4316
- C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4088
- C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1784
- C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe"
  2⤵
  - Executes dropped EXE
  PID:3216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe"
  2⤵
  PID:4240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1588
- C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe"
  2⤵
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe
  "C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe"
  2⤵
  PID:3008
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    PID:5816
- C:\Users\Admin\AppData\Local\Temp\a\random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  PID:1344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:4072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:1312
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f075bff-db1c-4a70-a9f6-5697938f2b30} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" gpu
        5⤵
        
        PID:2532
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b89f9c0a-3e13-4504-ba83-8715fc9ea13c} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" socket
        5⤵
        
        PID:3580
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3084 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77dbfc76-1467-4211-b780-e632f6378a4a} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:4232
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51714a00-2aef-4bf7-b50a-e4420bfbc82f} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:4280
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4208 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {447c9228-3a6b-4bf3-bd84-261c1c8589be} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" utility
        5⤵
        
        PID:5640
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5116 -childID 3 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bc0aeca-a2cb-4b04-b625-535c785a7430} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5168
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87cb7854-1da0-4605-8d53-58d0583caac7} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5180
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 5 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da58f470-4f12-4a9a-8a17-6e15f01f62a6} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5196
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 5400 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5868b425-c587-4b19-aceb-420ac78b783c} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5576
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 7 -isForBrowser -prefsHandle 5244 -prefMapHandle 5444 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe55c343-cdb9-4c18-a84d-2b39dd5380de} 1312 "\\.\pipe\gecko-crash-server-pipe.1312" tab
        5⤵
        
        PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:5204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5252
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1016 -parentBuildID 20240401114208 -prefsHandle 944 -prefMapHandle 924 -prefsLen 17509 -prefMapSize 166559 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54da0445-3962-4c3b-9943-aac0b1aacbb3} 5252 "\\.\pipe\gecko-crash-server-pipe.5252" socket
        5⤵
        
        PID:4084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:2976
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:4108
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 23602 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba0a62fb-2605-449a-af94-b93539b0433b} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" gpu
        5⤵
        
        PID:3452
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 24522 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a73a9510-61c4-4152-a2cf-c430cdddd48a} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" socket
        5⤵
        
        PID:5124
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22590 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b49e308c-5bdf-4c9c-a300-1e8059053733} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:4456
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4072 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3600 -prefsLen 29012 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f8ac4fd-5979-4e48-b238-8fde6f5ced89} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:5568
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4548 -prefMapHandle 4540 -prefsLen 29012 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {031914e3-d9ae-423c-ab55-1a5ea6747b0b} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" utility
        5⤵
        
        PID:5892
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 2400 -prefMapHandle 3012 -prefsLen 26989 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbf09bd2-0b76-4e57-828c-933283427b4f} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:5040
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 26989 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cce935e8-8e59-4c91-930a-b9b763ba0470} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:2520
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5416 -prefsLen 26989 -prefMapSize 244680 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {573af255-6e3b-4194-a3bc-9573e4079576} 4108 "\\.\pipe\gecko-crash-server-pipe.4108" tab
        5⤵
        
        PID:3888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:2480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5456
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1884 -parentBuildID 20240401114208 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 23602 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f883ecab-be3a-4167-98b8-dd3e5915fb9d} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" gpu
        5⤵
        
        PID:2540
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 24522 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e7f9590-4250-4277-878d-aad6e3caf779} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" socket
        5⤵
        
        PID:4504
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 2764 -prefMapHandle 2756 -prefsLen 22590 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e6873ce-f9a6-4118-a7f0-9e1df3472a62} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:5604
    - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
        
        "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\4dfea552-2453-4ac0-878b-830de84ae47f.dmp"
        5⤵
        
        PID:3632
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -childID 2 -isForBrowser -prefsHandle 2884 -prefMapHandle 3032 -prefsLen 29012 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7c6f90a-7241-48ef-a32d-19ca6a08ec9a} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:3836
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4560 -prefMapHandle 4564 -prefsLen 29119 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd4f50f-a57d-4fbd-8644-26c5791e5212} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" utility
        5⤵
        
        PID:5832
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 3992 -prefsLen 29119 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86066129-5d3a-4031-97bb-d7f66a204a8d} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:5056
    - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
        
        "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\e365886e-e189-469d-ac4f-950da13a2da4.dmp"
        5⤵
        
        PID:1136
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -childID 4 -isForBrowser -prefsHandle 4748 -prefMapHandle 4824 -prefsLen 29119 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c02126e-8c0e-4aed-b67e-af17d60322b9} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:5284
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -childID 5 -isForBrowser -prefsHandle 4596 -prefMapHandle 4760 -prefsLen 29119 -prefMapSize 244680 -jsInitHandle 884 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cbfff9f-3af4-4d52-a343-c88e4b52fa7d} 5456 "\\.\pipe\gecko-crash-server-pipe.5456" tab
        5⤵
        
        PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:5480
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:5852
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1908 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 23602 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1907607-c88d-4b06-8cf0-bc28e3aba8b3} 5852 "\\.\pipe\gecko-crash-server-pipe.5852" gpu
        5⤵
        
        PID:4832
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24522 -prefMapSize 244680 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e946673f-a7b7-4011-bc36-b6b0f036902b} 5852 "\\.\pipe\gecko-crash-server-pipe.5852" socket
        5⤵
        
        PID:4076
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 24522 -prefMapSize 244680 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4495fc49-6d87-4a00-9eb6-4acaa590126e} 5852 "\\.\pipe\gecko-crash-server-pipe.5852" gpu
        5⤵
        
        PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
    3⤵
    PID:5392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
      4⤵
      PID:1976
- C:\Users\Admin\AppData\Local\Temp\a\gefox.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\is-UCTJC.tmp\gefox.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UCTJC.tmp\gefox.tmp" /SL5="$A01CA,2784848,56832,C:\Users\Admin\AppData\Local\Temp\a\gefox.exe"
    3⤵
    PID:3488
  - - C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe
      "C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe" -i
      4⤵
      PID:4888
- C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe"
  2⤵
  PID:1828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6020
- C:\Users\Admin\AppData\Local\Temp\a\B.exe
  "C:\Users\Admin\AppData\Local\Temp\a\B.exe"
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 1212
    3⤵
    - Program crash
    PID:5524
- C:\Users\Admin\AppData\Local\Temp\a\ord.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ord.exe"
  2⤵
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\a\kin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kin.exe"
  2⤵
  PID:6128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 844
    3⤵
    - Program crash
    PID:5480
- C:\Users\Admin\AppData\Local\Temp\a\euro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\euro.exe"
  2⤵
  PID:932
- C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe"
  2⤵
  PID:5372
- C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe"
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe"
  2⤵
  PID:668
- C:\Users\Admin\AppData\Local\Temp\a\trueburner.exe
  "C:\Users\Admin\AppData\Local\Temp\a\trueburner.exe"
  2⤵
  PID:5884
- C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe
  "C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe"
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 884
    3⤵
    - Program crash
    PID:5168
- C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe"
  2⤵
  PID:4732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4024 -ip 4024
1⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3004,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:3
1⤵
PID:4336

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2856

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5548

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6000

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1484

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4948
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:3152

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4892 -ip 4892
1⤵
PID:5452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\MSYXH9ZYL05YS.exe

Filesize
226KB

MD5
a64beab5d4516beca4c40b25dc0c1cd8

SHA1
d7ab35d89d9b348ccadf6f6b91259776be9b064e

SHA256
36fb87f4e3048659d91fb4250d07582bbbeda35a7a5839ca61aa0d85dc1bd63c

SHA512
26818459084194b5675e521ead75a0c2d2f1ae0299e63e05af645113caa8ed6dcdcdb1b499d24712db084a2e0948bb4a0a5e9ea7e0adfe28a99911256e565328

Download Submit
C:\ProgramData\GCBGCGHDGIEG\KJEBKJ

Filesize
114KB

MD5
6e389da3969c19b6dbfb95013149bbb5

SHA1
f02ff8f1f1b353e36e4f609d39815c17eba8cee3

SHA256
4928d3109995b2faee203bc67184c892e9633fc7df6ad619f5852cf680c36ed4

SHA512
af965dc6aa1c26442f883e2d916509bc7766b425768e6a482223fdd1d3a5133c3b1955ad91bd578c387cc260efee4f738095d8ed7bafb7ed953edcc948313636

Download Submit
C:\ProgramData\KJEHDHIEGI.exe

Filesize
355KB

MD5
731a25a9b1f2c31056f7bd75c71deac4

SHA1
ac95005a75add78f8226e553ff3bb32bcfeef1ea

SHA256
d0285d1ff85d7ef17ce9e3c0b185bd93624d6fde47a2cf0ec99a8cfd4a7afb0d

SHA512
efccfa84482c3a262c2efe9d5107a22a94efae352a46d01c0c677266835bb1d4b04a105ff7b94c5042640d40672576512ca06201260a5ee82257c7f524304fa4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Jekky Video Editor\jekkyvideoeditor32_64.exe

Filesize
2.6MB

MD5
4976ad606dbe62c71d713e2ef8f58c50

SHA1
6b1902728c307ce1fa29ba708659249a3696c1f6

SHA256
9ba1afb660a7cca1858c81e037710f79403d1dcebc9b8b66624ec893b8b26d76

SHA512
0bb0edc1a8bcaac1e9473842fe27a4cd0d6f97c54cee6bf35d956800005ffca358f9c4a22094ab56cc66726f6fd3454df06115fee265de961781a848abd47880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\smdsg.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
a070704e23ae9827dd91376aca720df0

SHA1
b35626e704ebc51b05e361839916d1f693bf861e

SHA256
20c12777f47a12ff81b1e76fde876d28bac542cc19cd3b8fd1db9bcfe3909c62

SHA512
1129198e368faeedc2587600502da9eb9a82aec06f7faaaa252f5c1c720224a4d058eeab26ba82101593c6f5dcc6cdad8c9a45d256939b865c4835cd352f16d4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\231.exe

Filesize
11.2MB

MD5
4fa734db8e9f7ce5ecd217b34ecc6969

SHA1
fbfc15ded2ebd130c92d812c26dc052561f7ff83

SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

SHA512
76ffd5839721ba668762c4458fd8da8fa8edc656c232e5957c253acc67c599846b89bc9acda1ec8dc5b07d229e143d3deca415c528ba4c04bf9264670f74f48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57196bb898_111.exe

Filesize
887KB

MD5
b2a7b79dd7a9fe2786679a0ee2cddfa1

SHA1
bc86afc382707167791784d5e47089c721e441b3

SHA256
bb6b7a806b6fbc27e47c95d876f018a0e1823d696f76e58a3d6b5f745d72b070

SHA512
a4097ecdc0712ff8b5480e486982516de0a10d9d8c738ae2c7193ea81beacb8ecdc3a33c18416181e226ba9a3548d783d2d4eba2da7dc657c881c6b36e31e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e57a08ef022_crypted.exe

Filesize
314KB

MD5
8240da70945e9b8a7844f1f4e2f1c770

SHA1
37c0f67a71107a5821e1e3f98563e8c331f3618d

SHA256
50c33eaa07d5b99a35a9860123e2fd84551a0907170a199ead8f5e1e2b0097c6

SHA512
e8b6f7baa8ce2d0d2cd18ab59f15be033d8785a5b9c89e9b2cbd6abdfd169856ca11860e2f9cdf8c910f332aa26f39c8b093a0c67671fc05016ae3eb56f5c039

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e6ea133c92f_crypted.exe

Filesize
343KB

MD5
ba0dc71d562da0d40e7f409502daa9e0

SHA1
80618645fc93f72086cf1eaf3c1580fb764c5b27

SHA256
d5dd7234246219e84199d9cf575586760737bed43a6994c2abed41fcee4e1403

SHA512
b0750b985bc39ee54ae5d39860fe69463556eaabae725b2ec11bceda7bdb4b21148cb247c290366d50d4a00f94776bee931c2273ece05f1ae97fbe531b5ad5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e805302f63c_otr.exe

Filesize
395KB

MD5
d3d2aafaf86262baa7528e397f1ce761

SHA1
f30e50655abeb2509fa313fdef291afddc9d8218

SHA256
36befc5f19af22b3b731c573b8244d7e70a594730789351b3470dcfcaf9a7e71

SHA512
078f87337739dd1247f0fc65bad9ddf9cc9e60ff0424cb482a14c80e90dc43e21d9f98535acb6785f0e73d894002c53df2f09e6b45ff8b879d174fa5c43faef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e9359d801ce_sbgfds.exe

Filesize
206KB

MD5
de6101b925ca754f1ea8c8ab216a38f6

SHA1
9b94e543b94c8bdcf1925dcea2b181a7300d58bc

SHA256
6d70e80c80af977af8b15cb47304b4cbd78759faa406906ed3a9e0a6dac74773

SHA512
4dab34e66be8ad89650a43ec1707a56b6a701a1319008e3bd2b809d14e0cffef465f6d41f691b47ef40dac90cc92904a02c2e97dec59d09d53bd9b63e8dc560f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e98ff1d44e2_crypted.exe

Filesize
323KB

MD5
a0c6989730b44ee30722feccd86d946b

SHA1
4ef62e701352c7dfdf0807460dc4bb3c22be67f0

SHA256
5669998000fdc457a919dea600b100809d0bb5681cbca6a67b544307233b5915

SHA512
e5c622f22ad40cddae798853d40af4695a37bd75624193c0181504a3ac2a28c146339bf06ae0110a995c90bdfcaab9a3072e18a7f610cbed24d5b1d028fc5eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66e9b62daa62d_xin.exe

Filesize
352KB

MD5
8e3fb69a56d807d7ef1c432ea1590496

SHA1
78843735c41af9906484df7c3e3a1d1cd4a0b83d

SHA256
cb2e830d6df32fd5168d39a10d138a1f724651b7dcc561b2b87b59cc96ebb20a

SHA512
12ee5797845e86768d5a99e45fb7cd93b328f4839031a91ea735f41f0eec373a2fb593bce7bb13201e982ee75bd0bc22ed7c2b6caa954facfa238c2a5bae521b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66ea645129e6a_jacobs.exe

Filesize
11.0MB

MD5
d60d266e8fbdbd7794653ecf2aba26ed

SHA1
469ed7d853d590e90f05bdf77af114b84c88de2c

SHA256
d4df1aba83289161d578336e1b7b6daf7269bb73acc92bd9dfa2c262ebc6c4d2

SHA512
80df5d568e34dfc086f546e8d076749e58a7230ed1aa33f3a5c9d966809becadc9922317095032d6e6a7ecdfbfbce02a72cc82513ab0d132c5ffa6c07682bd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaee5323f5d_setup3.exe

Filesize
227KB

MD5
a7d7d48f4a9bb7718ec17d11fba9cad8

SHA1
748fec11d5becea085af46e8197f42ac9a1e011b

SHA256
de74bd2a1d74bfb4f73d97a1e652c2a5bd778ae108df31ede4dd96950485118c

SHA512
98dda258e460098e79b9aaee795dbd0122f4541f9864fcf71d039ada426dff0fb8540725d779412eea52a6e66d45875665f11961fc7d7d3a2d2be061671e2e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eaf17e9bd9e_Softwarepaxck.exe

Filesize
10.8MB

MD5
e4795aedf3d67af6b0cc029d010f7183

SHA1
d29438881071842571f96e658ede500cfba2deb5

SHA256
8f96d1f67c72bf89b1b57433e52a1b193efbc243ee14fb716c7c9b0aa68a3a9f

SHA512
2e6beaf7814e95ea1b425b3783233ae00e4fad44cb360f8e4c129ff97b0bf4d17cebe2dc757988e876463a0962dc8ad636cccdedefaf5325c58b7fb1f139130e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\66eb0d09c9f08_Gads.exe

Filesize
10.7MB

MD5
5fb5e099087ca0db68f8d58ae7555949

SHA1
caafb9713225e958041183455c1113d2018b9879

SHA256
f37c412bd47fc18d4c153664b116ea18c7d251eb8cdd0af8f130010958a93353

SHA512
307af716a5fd9ce4c01fcc72618595867c167c8de26c4727fd4595e444fa15af9ae8ddcaf35809effc3148552fb166c57a0dd35e38e2082cb29559b6d90b1116

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\B.exe

Filesize
239KB

MD5
7778bbeacc8add7df3996267fc83ece5

SHA1
0aab0f274c4e262a49109f4cd3c53580678b2fc1

SHA256
5711154a5a3b1fddef167b688eb44716d120b1b6a21d67449bf49d77ce33059e

SHA512
14eccff71e0671cb05a96bdb1fe2a0f3f7724923661955b0e4153afc1682b721b3c623afab3816e812fe13d19cceab93651be55aa5a2f961f695f097607dfbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\euro.exe

Filesize
239KB

MD5
e89f78e780b64eeb920d5dfebd033ffa

SHA1
b964dc9e8f5350d3a917b6a26b58853099859d8b

SHA256
d48ee1f6f04504d641c8769aeef83185c8de8745458a3fbc362cd53c20ef10d9

SHA512
ee38ff8ed0c955616bd7ef3ab4112765407490a2bf93523a66ba8924b8674febe73d90c95406acd0fc793904f8cb641f300f8c0a4ee48345f094ce02a91e4fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\game.exe

Filesize
2.7MB

MD5
4ce02a77839364d0c6622c43095b2fd2

SHA1
08f5c9628408f6c3fca6f80f112db755d7c0ff62

SHA256
55dae00b91675ae4aeede8d34151a18a10b6b3d37c94d31782800f30eceab373

SHA512
17b4d01c38ecee620d338c049b3efcaa1cab17cc47a98f4bfedd656a81865f918014393650d8ddd66566d5bab27b06bd0c02dff3c0860377fc112dc374311fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gefox.exe

Filesize
2.9MB

MD5
75e79e5b6134267e8eaa0af2b2be6952

SHA1
554c9d9d31b6f11e96ac957c7ad6d285a120c8a4

SHA256
0ecc78c8637b4b28d7158a31ee3ca75f07dea64d7bb8c2330ce38189340a4c9e

SHA512
5d1ad17950921fea0a3b08a61df8596200e55db384eabbdd3f2b618cdc472d8529a9933af6461877a0ad021dd4b4ecc73de589b95c2f15d92473cdf16d7ab4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\kin.exe

Filesize
239KB

MD5
2eac5118a040a13e0207693aabfe88fe

SHA1
5596609073d18903506351dcbe44cb973b0394d2

SHA256
e13e7d8d8aad930b652ff5528e22fe505495688f7ffb27eeb1a1f80d0f5c5fd3

SHA512
a512961cce7a6af063b05530807bbb39b92da88920a6fd19effe6ab7552834b579d7eef2bcdd8828587f8ee261403d397b1e0fae2160df61c0e0da5a0657e061

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lnfsda.exe

Filesize
352KB

MD5
6f4a0ae013610785ad54438f4af26f1a

SHA1
c8ff55002963dde8457db2b11f68e67a070ddb21

SHA256
ccb16a2e8b58be824d838d5607ecd4b07123de87f9fe9e42e64507d77b0f374d

SHA512
6f3a30e8ee4ff36cfaac09bfe1272ed4678783c4628dd82e47dd1ef23d4a8ef1c153a9a4e8951cb38b4c7a833f2bc744dbcc7dac1e550b2f44ffadc8181d8ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\onePackage.exe

Filesize
8.3MB

MD5
6c2db0ef90b27f880a1566de7711e6c6

SHA1
e9e14a284fae52c5c91200f81af4f94b53526816

SHA256
c2588125970db20ac97818d2170eecec857f578d7bf3f24ef8f6a3f303798ac6

SHA512
1a9a1220958cc5b9d32dc70074df174eae7040c53bbf1fa4c97753a9f8c2a9a8c20668fc957d743fb038a97ca0017e333181856a783e10cfae0f557d2aab73a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ord.exe

Filesize
281KB

MD5
c9de515a559b9423bf8bcc7e4449afb5

SHA1
d80ad372d1a4d2693239f570c3f71d4f6e172a53

SHA256
f8281ab4854afae09b60e2a66953587e0c5459d079bb1b307ef29a28e5f1be0c

SHA512
e1290e736ac2c0d0e23a2b197df98e324dac73c0f4b702b3b3fea19f57c1a7a6e71d8deaf4e0e3287c050758b93136bd874f05bb73f8c64eacffa90c633f1604

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
898KB

MD5
42f4943fe59d8eafe5ffd7c99bb0a1e4

SHA1
353113d2518ce00390917a73078e81aa52f644fd

SHA256
56f80df241846ea5b1ef32dfb08f156978f6d5ac80e5982f5d7265585bb9fc83

SHA512
02c8e8e54d56fe6d0b4ac697831235d046db31b55e9ebcf8564bbb233a4fc5e21859b8c4240763d6de54c92e58a707f4d35d81205cfb1084d0ca54d2a2c28e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smdsg.exe

Filesize
216KB

MD5
272b330726dec4add609e0d8025d71b7

SHA1
75543ac27b430ef6fec461056ceb6a55a35c7369

SHA256
e48219567f84882f41bb1e957bbd1358e453274ca0d2025505c66779f642bc30

SHA512
6e2731c61ce8ce018deb9e20f772bbe8b6b57df77ac5054fd67b18199ae2de1399add3b29b7a18bdc994f5ab1f8678f3454e593685e1626d4ef525df59532558

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vfagms15.exe

Filesize
292KB

MD5
89599341387624a951de84b66f9ec572

SHA1
e44a6665fecc1b38903a01c72901ee88e618f077

SHA256
5c4992108c7c312408fb94508890b2615fbe7fecb09cac3b7a2cf38581e28be5

SHA512
9e7f25b5e6704dc91bbbc9ba1e1528b2c34d81ead50ad3cdf6b3b4911a044e5b9d733d0882316cc97735971ff3aadf9b5117af355a6ca48a6ac96610668465cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vkfsags12.exe

Filesize
292KB

MD5
fede424830238cf2c2e661b5cb12e584

SHA1
5a8f787c25eccd1e5a8d293625ef80c5d416da19

SHA256
72d4e5a68545de1c0268a4616db6807e90a027e0191dda20377ecbd61ae577f0

SHA512
713891e18a615e7013f555d05b08eb91e7520b94e1bba0fa0483c29f6f3af5ef8f2055b2e35e8e83b75cd41256b5fd86405318b87440da463b82daedfd8ac39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vlsadg.exe

Filesize
292KB

MD5
a714209db1b2b68a95e680df111922ed

SHA1
5533ed29bf3239839e6acf03965cf27ddf4f4138

SHA256
7ad095de4171dfb3458752e1f4406b726ea94327e529fd83e2189b8c04ffee86

SHA512
25ce432979995987a26e9442c2c9ac026d55ff9f4820d983ab30496d28a75dec508c4083b11a2433f5bc3c2f903828ed2849aa5542fc7de84394b44a29fbcf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vsfdajg16.exe

Filesize
292KB

MD5
d0263e1e29b4f202bffd383f136395c4

SHA1
24a701fe63e5b6d31c103db118ca21a75ed4496b

SHA256
a6fc0eacb5308bb4e616a6f5caabc12104256d13049ee0744cf53ca7debe6efd

SHA512
2d8af02d8bf2b8eb09c15a87e2c2cbcd7d34c619180e6dca29be3fd43108a0e993ab7aad418a2ecb2bb2e0792f382bb8b79dc85537f5bb7da1fdd7673e41339f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vtrwh12.exe

Filesize
283KB

MD5
d264213f54193475ffd0301f7d92639f

SHA1
8e494a7d4b3d54e03a3b27c8dfde51295bb56737

SHA256
6b11a91599104b307955a4cde5942d89ed2aa29e833fa229e21368a73139186d

SHA512
1a699be3bb71083c35d5c0bbbcb862fdacb71f67fc8c4e34cfa68c52e7ed1b4360c1975ba290d14d95dee8233558e6dfc1b10e628d5da97a2faffced2bb14f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-61SN8.tmp\231.tmp

Filesize
3.1MB

MD5
81636f80b1e7c0b8f946c8ff0081436a

SHA1
9e7b01f8324e089b925cb9050ce74cd099c58370

SHA256
ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35

SHA512
67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PVU2N.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UCTJC.tmp\gefox.tmp

Filesize
690KB

MD5
d306b8eda5654893c88a5822556ad16d

SHA1
ea9dcc67c6043cb4e51683adc09384032fed7fd0

SHA256
c3c4e5b9e999e5959e8d3412588d042d35398c816a10c0138a23192ce8d6bf71

SHA512
da96dc6f68cced888a0b969c0fd3286eb481f147daa7db0dc8993fba75936d59bbf2d45b0a6dbe7f5f39e9c78a5339c3d7cc8f8fbe1475cacb474ad3d1404063

Download Submit
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

Filesize
940KB

MD5
0bc6d1c595e440233c6daa45813657a0

SHA1
3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3

SHA256
1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac

SHA512
0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

Download Submit
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

Filesize
62KB

MD5
647d824a19511783d1a011f8b775c1d4

SHA1
46b0213afa55d27a688e9729ac120d4574318cb5

SHA256
8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b

SHA512
ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\LastCrash

Filesize
10B

MD5
3ebc46f7aeb94f7847dae4a1607a90f8

SHA1
da4526cba5ecc24c1b3b36c8e306f87c73f61a79

SHA256
83c0cde9ae3c3a609ff6be0d9479364c8f321045da90c8d590e94ddcb402403e

SHA512
b8c82d8df48a3ae4f16223065e8eca8cbb66fe1832bb38c08ea9d2f2bc9f92b512c339e7db4b30985cfc966ffe26e1e942b378975000a335d3b636312e27e24f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
12KB

MD5
0b82e060ff36b016bb32227bed65b1fc

SHA1
385462ac396ae773e09e6f46a15e14b0165fce0c

SHA256
380ccde24af2fba83ef05bfdac8f02f568f72a42b3b7f4af71c9dd63602b88a2

SHA512
6a7a4d0a76099c311fbf852f1d9ad16a8fdc6a722ea2d8df6024b89258b79828c932229c688a082fad2673170c9a44f26f4001840f6921ed25b0b1bf72f88fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
13KB

MD5
0cd46d75b943b7f10373a440da0d719d

SHA1
f96cff2dcda9aaa8d7e0d57248e7ac7549228bbf

SHA256
482f5cb05e20e0b3f2442088c20f632fdf20c0673e7a916b16e4e71a02dcf320

SHA512
245aa005a9a74111d107e0bced2bb6fdc37b9ae97379d906500b863f979b40d1dcebf091c43bb0a16496f17f74b046c636c3cbf24fdc94a60efa759fc3f67cbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
6KB

MD5
6d466000ab3f33e4b150a9ab0e056658

SHA1
50fb8dbcad0e041ad9cdbd7e3ad128b1853b60c4

SHA256
bc84a2bc94c2729e112edf505232ffc3993003b1be134d2b57937b23e9587e8c

SHA512
d2b86c3fafc7f41326a64a63e3ab78de2a6bba578130988d9916c89c631e7d677636276170bc6fbb1ed46e42adfde8b1b7a78b5414221c0740dca0f2f42f5a2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cookies.sqlite-wal

Filesize
192KB

MD5
da089ee0aeed8a9a7eaa9e6afff6f6bc

SHA1
cf7d8a84e091d925d14c98fce185763a7f9d180f

SHA256
f149e3d5f63be5d9c4396d861f193eeef7465b2903282b51f29875d66a6eeda2

SHA512
f501834a66ab10c77df1263085e09cdf161a2f9f6a029c61b97bbf64e0422d2bc44d381e817f6daf8dd1d8dc6d34a207dedde70ecc1d610c3a1e46f55ef370d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fba752144835c95ca5e13180a50b39fc

SHA1
53114b2ae7a780b04fa300575cf054a1c97d3312

SHA256
bda206f64d1a81b0a5432214441d718d6ddefbe6b279e4f93d0ce79897aa11bd

SHA512
336a7a31d1e4a6093bc1190d7d7e1715bf48ab6fcf2dae52b916fb21fee08f889828569a3d9e953934ed92c85b342f0050125c2ed22bbf724c9891a5b7a9ad46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
ac965f009a31aec645498900df6beb11

SHA1
a31e2a40fc8bb73d05b0c91090be7fcc1947b68e

SHA256
2435f1edff052a689a0ac01373475e2fc2c0cac050e2ebc0425fdc1b5dff1136

SHA512
93a077e0d0c1d36105b4d1b17f812e407238038d610099bd4d03ac382b089aac4951c0b6737daf21dee68f980dd5672d1366cb0b14c54bf6789be3a4ba8e5b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ee60a84a634548cbce4863bcd20e34c8

SHA1
d211743e63a1f2871e90b32ecc567b1bc6347189

SHA256
1ce6257e516b5651c4a497ed402bf69663646be5e88bb991a058c7ff1c8fe63b

SHA512
1d3f9ef4e18ae3c8bfc038811caa313e5bc18fe09f11a5ff3418ac80a9d0334f83c80fd384aff4abf9dc2bdcbeb5f79da16602a5000dce3ca62d8d394d7d3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
2e35021c430d3ca03ee4288d4afc9d12

SHA1
4fe175b7802c600509e3f3a6b23409242082f78f

SHA256
f734b92f25f5ae4f5140c9d2a617faabf8c1ddfeecc6db2138353b95bfb9c212

SHA512
41a4e930c4ef8e9c45bff035c5dd363cb92d2f851593e23c837dc391c4a77bf1f8b6d109eccacaa543d945720048cd5348a81df924b1d982d87c2418f6f0d651

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
eb5d9dbc2a3568b03bd0ada7e17302c3

SHA1
2d3885392f0a69e194a6a97c64d4ddfa794db431

SHA256
229399b389ff6ccf1ce053a440fa5c189defb4fccec4e2b637b7254a1267094c

SHA512
fc5852cb9ffe7a1efc7faed8bf5703745bf90c4920806e81aff1cc43f2de25f4ac05c5d06dd223ff0bc6799e4af11116df8dd6517f03df1048605280150259ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
e0d891adf2fb6b3d45662cfd9470149c

SHA1
c337d6011d29af3a2c908210268af1dd76810257

SHA256
65071544a8593d258451d4857a0abe102cdb1063e5c00b42a35209fe980e8e42

SHA512
4914f5ebad632e50e420ad826bd2f1f9f5e0462f91f31763d96298a825ff9836bb02a701b996dc00734b2a7c4f44e1ae7f51ea93a07a9a6206de0bc50dfb11a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
dee8b3a9141b8aed92e4721ef8607b92

SHA1
718def045125db6b96ff8b8d1eb0f6d68da555bd

SHA256
f9bb06c40e872f9fcece420dbac47444bb3a5546912c5442b744cad84b9133b9

SHA512
8333fcff8d4fe601182c0f13a484e5da80f880e2ba10f894edb5a8f773965799d18b8411dca073a937049e80cbc4060aefe5d6c379b25230990b030af7431dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3dd8994c51194240ccec1815f59c5800

SHA1
10fe7dd5b7e40dac8dfd3d80754c1acbfb6cc3d1

SHA256
69f91c2d150b4637dbbe5f6eaa964d5971156553faa057e49989bd80903704b7

SHA512
6a0f89e96f0a95e670e9ace25773cc8e67efde728eae8996ea2c6d2ef99433f31ed46bafdcbbf4023f373f5235d919631785006d8c79cd76715d470194a50d8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\4eef2eb6-4f3c-4c84-b94b-ba7cd8d6c937

Filesize
648B

MD5
6a10fcc81eda448b99ac168de3214886

SHA1
d9f42f2118bce8503e39d7a45c8661ffa9210ea9

SHA256
bf6ffd10568a34eba7d8460e6bf76d24574f6e9ae7da097ad1b357d308aa43ea

SHA512
9105437d0cf2422c71dd9cdcb13abe10e5e6c8506440e6935649fa985560dfa59bec28e858875b7695a3f5faa51b966cba3f831b1adb35b5ead752734beb92e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\5aa1d4f5-2b93-418e-bd15-9b8e0d7f7199

Filesize
772B

MD5
d47444f9199996060c00ab03483f808e

SHA1
d821b695efaa00f39a6cf2222e0ac35b39cfc641

SHA256
29e2f435665aa3c19c2c971c83713862dac1d47bc9d9f0afebab0883ac246044

SHA512
b466ed6591f35fce8575959f8732477178bac6a00a02d46e09d9e6b4143a32fe7bf6ff5fb06d2c4697ea98bef81f9f3686df8f39b39848530ecfa6e3161584bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\90d1f049-44c1-4d05-be42-823d0d18e0ba

Filesize
769B

MD5
6e02c5080eb7dd1f4dbe6434dd2c2e7d

SHA1
395a5e71ed0c8212a1986579eebef7bbe6b20cd7

SHA256
e39a4908f263aa51866c2070529db846e97d081fe91cf330e6a575b28f514fc2

SHA512
72d8c2623400402831196840f0514e4d2563375e3e4a1b0ec91bea146e7c15084b2a7ca28e2f370df7438b6a6d0c68a27e400c0ab62c7fb12008ac8dfc3cc674

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\926c6c2c-f216-4098-8f70-806bb479f1cf

Filesize
28KB

MD5
725b4e4c047443ce6ef75650864a6d6c

SHA1
1367e68b776dc0bdad253bdb78b37c6456df4f84

SHA256
a133739fd78b52f82554e4453ad2809446ff3aa1db255f4f7a622f6604d091de

SHA512
5d8db893978a1b26a1be36d1c735d571d86188d3fb56b0d99c75a019c4878cf600b12de4759a56404bcaf8624ebb7a3e6b8aec9ffb8c867b58126e24aa536f7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\ab38074f-fab3-4320-8628-4a0aa4e588c3

Filesize
671B

MD5
8dfe4e2e971997ef9d9edccf4852c35c

SHA1
02c230c36fa06b7d327e4be6d6bf9b1174fa66c9

SHA256
753fcf6864ac3f6a13a057c09e3f14ec310781b5db1ad65da403ab19eb2728b4

SHA512
340457adb468ddf4106fd298ac58d3b1beb1d11c7c4513b9cd64cb44ebd6cf94c70409d4ec860c0bb486d7cf01a84465673b05bda11e3d604292d69ce179bca1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\acfb0e55-c9d8-497b-8cb4-4bc77cad58b9

Filesize
982B

MD5
958a625e0c73523ad8e526e51d37deda

SHA1
d78028566ef4d50ca2f0e28843f01992556645bb

SHA256
c6a3f894cfa907206a05dc94e4d38af3a477482cf9ad5e37b83982c6fd28308c

SHA512
9ca52e1a4b774e3f6612e0677e6bab2bbcb3cce3f583271b9985353c2f4778104d69ed50f61241d8da55b26d8a7377837cea87090aac6549432bd82ca508167d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\ae290142-8080-4e1e-8430-0fcf8cdf04b3

Filesize
905B

MD5
b2be8b55b700b80cf54edcf3a2a53b7e

SHA1
acbaba01ef38bc8ad5ec03354623fc49b424384a

SHA256
e72dca765a598ee53384ae78feedad82cdc971ba6629ca581585613e8df24324

SHA512
0da2a3c5bb7d263b5a55c0ce90396d363ba59d4182b533dfc32160cf9576dcd7e389976029222ad6a5358e07832064904943f660f7da6c73b44d6715313cb651

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\f015e27c-4b31-43c9-adbd-b320159e6b67

Filesize
788B

MD5
5c16f864fc0599dc0f6b48e6700c071a

SHA1
fc2d2f744553a051ab2d8aee859c5dcdae6ec7ff

SHA256
ee72cfb925cd6212bcf17cf9426fc8c0ef7563fd6b79d8e86714f3aade694f02

SHA512
31cbbf04998fd25aa91107100dd475fccb784c8428e8d9aa8ba4a7aacbe87c17a7fb304dec72fd8dad9ac7574fb8c1fab8bb15053f1f98eec6daef76e9b92cff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\f3ce877a-58e4-4fe0-b94e-362071b608d4

Filesize
653B

MD5
a7b127b3b50fb23f543170020fe65ae5

SHA1
61e53a4c79cdc5f807fce4f22c8711abfde84970

SHA256
1644655ca73d24961f38f9da8e8b8948899bfa936d7f35d5a6f8b54ce3a4a965

SHA512
71de78711d159f59c9429ae62948c3db537163c1985ea21a850d4aadbe50d3e75fb9fe82ee30a4895d3a59abc21279200b93189137197465ece91ab0fb11f697

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
10KB

MD5
51815c8583f52e81245475da4899a9b8

SHA1
7cc1e2d1b42436b393bac78d2b66cca78d004173

SHA256
2f065a7ea326149eec8bc18c0f3ad81e43cc5643a8298562b8a70602076ec6c1

SHA512
e48b0e2f1fcb869ebabe9f6d16c84baee45a96f7d658a94dda5af701138a9fa166541a4644ede378cc7ee73392d8cd4458490702f5a44c9d4b7f16189fc9cc5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
10KB

MD5
55b936c4e62bc828adb88f9071a5f2e1

SHA1
a82671f9c4848d3fdad6d0a7d6a9709feb0562b8

SHA256
b2fb36f0d240f72137fd3b6a36a5461ce9d5e40089b2d289a7cfbc09eff04952

SHA512
970033eb85b415cd2185ec10f80cf0a3a32e55034029759024b8777921bdd86501db7c0da64a3c2dce6295cdaef481333407b8374c38a9bc85fb6bdb9541b542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
429be881f88d01ee4c4589993d5bec59

SHA1
c284189d6d45164addbabaa0ca9b259d2cb694c9

SHA256
f739a7a584338195bb140417b5a545d34641fb007369346664c52b5e993b5bbe

SHA512
a099ce7122e91fd3c2e42e762a1bc597686b9a7f0354f03a187f26f84d27f7571fb5c492e9220004841010126c343b5040ffd995213ba30aa441357ab417509b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
b57688a1f43f9e27ecd46ed86968efda

SHA1
37e64cb68107e245cb1489f972bb8de99bfbaf50

SHA256
e33fe35196fe5895faa14403ae1491fb292b0fd2ad1cd0bb5c3cdf9f8def9ffe

SHA512
65502d67e50ccc209d03ed38fae7705efc3b23c6e7af6d7cafd0b023753f5864a78a30dd31e462438b60006fa6d01ef407368c0003774e7554e99723a6dbb37a

Download Submit
memory/672-130-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-336-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-380-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-365-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-373-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-364-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-362-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-128-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-353-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-339-0x0000000022230000-0x000000002248F000-memory.dmp

Filesize
2.4MB

Download
memory/672-124-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/672-337-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1468-158-0x0000000000E20000-0x0000000000E6A000-memory.dmp

Filesize
296KB

Download
memory/1588-310-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1588-306-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1588-308-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1784-290-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1784-292-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1784-294-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1792-95-0x0000000000BD0000-0x0000000000F04000-memory.dmp

Filesize
3.2MB

Download
memory/1828-580-0x0000000000700000-0x000000000075C000-memory.dmp

Filesize
368KB

Download
memory/1828-50-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1828-49-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1828-35-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1828-51-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2248-393-0x0000000140000000-0x0000000141A86000-memory.dmp

Filesize
26.5MB

Download
memory/2248-392-0x00007FFEBED10000-0x00007FFEBED12000-memory.dmp

Filesize
8KB

Download
memory/2256-47-0x0000000000360000-0x0000000000845000-memory.dmp

Filesize
4.9MB

Download
memory/2256-34-0x0000000000360000-0x0000000000845000-memory.dmp

Filesize
4.9MB

Download
memory/2552-313-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2552-302-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2552-300-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2640-99-0x00000000009D0000-0x0000000000AA4000-memory.dmp

Filesize
848KB

Download
memory/2640-68-0x00000000009D0000-0x0000000000AA4000-memory.dmp

Filesize
848KB

Download
memory/3216-264-0x0000000000710000-0x0000000000748000-memory.dmp

Filesize
224KB

Download
memory/3240-146-0x00000000004E0000-0x000000000053A000-memory.dmp

Filesize
360KB

Download
memory/3452-92-0x0000000000170000-0x00000000001BA000-memory.dmp

Filesize
296KB

Download
memory/3476-14-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/3476-0-0x00007FFEA0393000-0x00007FFEA0395000-memory.dmp

Filesize
8KB

Download
memory/3476-3-0x00007FFEA0393000-0x00007FFEA0395000-memory.dmp

Filesize
8KB

Download
memory/3476-2-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/3476-1-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/3688-805-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/3688-797-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/3688-794-0x0000000000890000-0x00000000008D2000-memory.dmp

Filesize
264KB

Download
memory/4024-48-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/4088-281-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4240-298-0x0000000000710000-0x000000000075A000-memory.dmp

Filesize
296KB

Download
memory/4400-338-0x00000000009D0000-0x0000000000AA4000-memory.dmp

Filesize
848KB

Download
memory/4400-93-0x00000000009D0000-0x0000000000AA4000-memory.dmp

Filesize
848KB

Download
memory/4464-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4464-52-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4524-121-0x00000000007C0000-0x000000000080A000-memory.dmp

Filesize
296KB

Download
memory/4592-164-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4592-162-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4592-160-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4732-1397-0x00000000008A0000-0x00000000008EA000-memory.dmp

Filesize
296KB

Download
memory/4820-354-0x00000000003D0000-0x0000000000704000-memory.dmp

Filesize
3.2MB

Download
memory/4888-596-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/4888-1835-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/4892-1299-0x0000000000020000-0x0000000000058000-memory.dmp

Filesize
224KB

Download
memory/6128-858-0x00000000007B0000-0x00000000007F2000-memory.dmp

Filesize
264KB

Download