vidar | a09540a0f3c1f30344af4cd60574510f020dd55431e945d7b5672d0a883eb01b

Analysis

max time kernel
79s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe.Photoshop.2024.v25.6.rar
Size

119.5MB
MD5

efd67bdcf109be4cc4b2c0e7aea0bdf6
SHA1

bf97132a525b7f6fe0e29a3d5c5091f457ebe591
SHA256

a09540a0f3c1f30344af4cd60574510f020dd55431e945d7b5672d0a883eb01b
SHA512

da06cb2e325627bd04917470017142cbaea4583f26c53852c6d68e8f7b6a86cde122533d26151ac1d0d866fcb4fb0c705b2a00e8b74941e74e526ea1e287f977
SSDEEP

1572864:Do2AkBpfXFab5QhDoQxlUnit7DXsOWghEzrCd4xQRkgKhT3TtQweDRYge/GMg1Nw:2kBzUQoehkghEzG6iCpwDRY3L4PevaG

Score

10^/10

vidar 2c447a3a3ad43bca51b075083f951002 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

2c447a3a3ad43bca51b075083f951002

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/5860-433-0x0000000000B00000-0x0000000001759000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5860	Set-up.exe

Loads dropped DLL 2 IoCs

pid	Process
5860	Set-up.exe
5860	Set-up.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000003759468d110050524f4752417e310000740009000400efbe874fdb493759468d2e0000003f0000000000010000000000000000004a000000000082d5b200500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000002a59a14e1000372d5a6970003c0009000400efbe2a59a14e2a59a14e2e0000002c2902000000040000000000000000000000000000004f80170037002d005a0069007000000014000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5860	Set-up.exe
5860	Set-up.exe
5860	Set-up.exe
5860	Set-up.exe
5860	Set-up.exe
5860	Set-up.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4864	OpenWith.exe
756	firefox.exe
4568	7zFM.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeDebugPrivilege	756	firefox.exe
Token: SeRestorePrivilege	4568	7zFM.exe
Token: 35	4568	7zFM.exe
Token: SeSecurityPrivilege	4568	7zFM.exe
Token: SeDebugPrivilege	5644	taskmgr.exe
Token: SeSystemProfilePrivilege	5644	taskmgr.exe
Token: SeCreateGlobalPrivilege	5644	taskmgr.exe
Token: 33	5644	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5644	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
4568	7zFM.exe
756	firefox.exe
4568	7zFM.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
756	firefox.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe
5644	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4176	4864	OpenWith.exe	97
PID 4864 wrote to memory of 4176	4864	OpenWith.exe	97
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 4176 wrote to memory of 756	4176	firefox.exe	99
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 4520	756	firefox.exe	100
PID 756 wrote to memory of 2592	756	firefox.exe	102
PID 756 wrote to memory of 2592	756	firefox.exe	102
PID 756 wrote to memory of 2592	756	firefox.exe	102
PID 756 wrote to memory of 2592	756	firefox.exe	102
PID 756 wrote to memory of 2592	756	firefox.exe	102
PID 756 wrote to memory of 2592	756	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Adobe.Photoshop.2024.v25.6.rar
1⤵
- Modifies registry class
PID:2396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Adobe.Photoshop.2024.v25.6.rar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Adobe.Photoshop.2024.v25.6.rar
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccec123a-1285-43d3-8b4b-898300178df7} 756 "\\.\pipe\gecko-crash-server-pipe.756" gpu
      4⤵
      PID:4520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ee4074d-e3ea-4b88-a8f5-b9755795b3cb} 756 "\\.\pipe\gecko-crash-server-pipe.756" socket
      4⤵
      PID:2592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 3284 -prefMapHandle 3280 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be8e0930-8c28-4958-a309-30fbb7889b3a} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
      4⤵
      PID:4380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 2 -isForBrowser -prefsHandle 3148 -prefMapHandle 2940 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b0a96ce-82b2-4846-885f-a841b813cfc3} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
      4⤵
      PID:2044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4612 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b31614d9-f038-440e-a410-77f068348ee2} 756 "\\.\pipe\gecko-crash-server-pipe.756" utility
      4⤵
      Checks processor information in registry
      PID:5392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 3 -isForBrowser -prefsHandle 5544 -prefMapHandle 5540 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a85e3544-d6e6-4667-be64-788160f67564} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
      4⤵
      PID:6056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06de1fe0-4ac4-4584-8f73-8df02d2c2a2d} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
      4⤵
      PID:6072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5876 -prefMapHandle 5880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1004 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcfd288e-ca93-4e87-a6bf-d74860b9b899} 756 "\\.\pipe\gecko-crash-server-pipe.756" tab
      4⤵
      PID:6084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Adobe.Photoshop.2024.v25.6.rar"
1⤵
PID:4448
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\Adobe.Photoshop.2024.v25.6.rar
  2⤵
  - Checks processor information in registry
  PID:4936

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" C:\Users\Admin\AppData\Local\Temp\Adobe.Photoshop.2024.v25.6.rar
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4568

C:\Users\Admin\Desktop\Set-up.exe
"C:\Users\Admin\Desktop\Set-up.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5860

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
34c735d2e5815c1ca1b28e9fbe4b98b7

SHA1
189d61de23d9dcab66e843b1e1d5eda63eed9181

SHA256
3841e0a4193d69271ca519f12c5b6fb0bba62e164c1b22740de9a594c27f1310

SHA512
9237430556a202239c0b0ff2f08b9dfd61d84d577af9ca4c4d1098f7df6f93def02fdf4fb46ad4661cbd1c63e40517adc665072f909c257d5e27e96219952d00

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8D1F1708\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\AlternateServices.bin

Filesize
8KB

MD5
729e2894c3271f9208b2cb8d088bcdd5

SHA1
6b48ab7c863b4adcd1a7945c8b82ecd7ca3a6037

SHA256
bd4d86e4c2b33257cfeb6a8dfd7718db999eaf6655c3354dddc06c6cbe968e0b

SHA512
1bfa74cf3dfb4266f7acc86e742335919904fadfc2c4a5257373770d0acb9bd61cd4de86db3b591642f74598612e70ad6da6e9185a66ffcd5f4f11aa5bff067f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
82ea8f325ec6b8dde5cec430a00d4995

SHA1
d6b8b1552fba862973963cd65e90e2d7ccf4a0d4

SHA256
f892baa451bea8e00b8b4c582329f413e4f01d5a6d1e7319d2cc5dc46238932b

SHA512
c4900b4e714b2f05cfaa1af0d09b3934b69f2ed96f999463862c77ba6ee9a507745d4688ccd9bc03fd6ea7c623a394dbadd77e17cddc84b3fa65f27cb2d8f60a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
30b8a654c5d6eb7b8389e0cae7a1017a

SHA1
c8f6d7c0c713fdbc54c564ec43dc80bcad2c4f82

SHA256
45172c77c63b4b2bba4b2e00d776f5f9a84796a9de94527672d934d2642b4316

SHA512
092be3183bd09e94c7b903c6427e427f04668081d9082f163b3ad4e820e73255127f51afb92e8628dcbf0f97ec0e2835c41c618cc81042d8c080b5bcdb37f74c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b69a8cc173bddb0b80e2d337e2b27318

SHA1
0ac066c7ecbb1182e811cb2dd1ee23c924f9e5b4

SHA256
e8bcc8e7f659ae95495b694de85bdbbef8e65539cf20554374c67a4bb4140f7b

SHA512
ebbb781c63cdee11fe13e578145b2f6461efd82089a968f9bf1510e8359747d5c49a22324a231afde7cb7d1bfeb2e1b7cc93f8444b718b8309a57d86c8796fb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\c2c8919d-9d1b-4f51-9b92-ae5524989984

Filesize
982B

MD5
f49cc1b3fab59b7a4e093b498aba689f

SHA1
4429c8a19479a398fa829249969bb5c4734aa14a

SHA256
675f9b7d464e9619edee162a4f0a27e582cb56d577af243c135dabc172206875

SHA512
03f610a7b23b0a546815f2a890ce4dcac95741d7d669fe4f81a91ed79c07fd39afde7b836b9ae6888a3df740e43f1b301237f40c537f46aa580dbd7a4e32a84d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\caa46547-a8de-4b1f-98b4-23791b3e20a2

Filesize
28KB

MD5
e630b71eebf70aaa728bde685a721158

SHA1
c78b5c01a91fac330e6b8a79900cfe62cb80351a

SHA256
dd303a5afe0d73e244a5ff94b62965092ed13c74e621612c6ba39a7e45f9ae36

SHA512
a73717ed31812a26b6e4b441cb0318ad8684dd2401cf37c7395c1601c5fe6b067d543d051684e95761f76592ed6cee4831458f2b967d0f2facd277481a80c40e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\f5f18959-b644-4bcf-b755-38f53a3edf31

Filesize
671B

MD5
4c418c43d0afdb32287655bde0185eeb

SHA1
41ffd7b716ad68f8fffcc93c17f3adc3c98f314b

SHA256
99a46382c79ffd42df72c9808eadf3d1ea500c17883f9879ba3d9b385f30d249

SHA512
2c22e2718ea662c8842728e7e844b550cf0a3906c6bba892c9b2ead18460c102bb9741fb770c7ba603b4c0f6734d5f3980554bed483506de40e4085ffcda6c5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs-1.js

Filesize
11KB

MD5
bd4c7e1286d6ddab4cb24afef700fe53

SHA1
8a58de2473ecde0cbb98440a7afa4ce1806a8cc8

SHA256
92431a14e08c2f66fc51f08140b12d7f44f6fae69201177669d4da38c7040873

SHA512
513d6f30bbfa531e54c896406f350b692ac917f86b6620bd9def54078d68a7cff7fdfb5b450c6101bb7b3b8139d41dcadc61e9db04c4ea9c8d64fb0bdc348842

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs.js

Filesize
10KB

MD5
51138b1e371db80442e145f608f8ddc0

SHA1
4303755d6f6c0e3d9717d8080f52d3fd0216a1da

SHA256
d9555cb2ff6d7d318063c86172c351d29dba732bccac7c4efb9e59bf84631a74

SHA512
ca630a879fb201ffd0cf0bdacb191ff142d5baf87fc54c104a6869565a46642663254cec7f5b251d31dfabe3a274f3132ab2aab0d8d5ef70d328e36e1a9bc183

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs.js

Filesize
12KB

MD5
7d0cf25da259c06a03590d52eeba6a89

SHA1
1acccc06cf3c592efcb0b51023b33ced3f828f48

SHA256
05d286d770e9c2966d42cd6fde5c72b1efd1e50763932857787c9ea1ae1cfc75

SHA512
6e5e9b0b0a9c111ce84d0224896ce4d8602e8523c899c0124aa034577d655f68b467e8bff215a63d84fc1f0433deae33d1acff6c440738636e661f5b4ccf86b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
dc78c4cf8186a71e3b2e8cd89ae87bbe

SHA1
1396082841ab587d6d8b0b1dca141ce5d360aaa2

SHA256
fd39b4c0feb1d756214bc000a657a4c5c5bda408ef9fe9f73559c92aa71434f6

SHA512
d66c7ced940b6338ef97e316b3d35579b6616faf93085119944a8c6e68d1ae8a68ca5b39dba500eb9059aec2a7231d5ef1355a622c02bcf96a25236ebdededd4

Download Submit
memory/5644-561-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-551-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-557-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-558-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-553-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-552-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-559-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-563-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-560-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5644-562-0x000002950CD10000-0x000002950CD11000-memory.dmp

Filesize
4KB

Download
memory/5860-481-0x0000000025CC0000-0x0000000025F1F000-memory.dmp

Filesize
2.4MB

Download
memory/5860-433-0x0000000000B00000-0x0000000001759000-memory.dmp

Filesize
12.3MB

Download
memory/5860-401-0x0000000000B00000-0x0000000001759000-memory.dmp

Filesize
12.3MB

Download
memory/5860-432-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download