amadey | 6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009

Analysis

max time kernel
13s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A2NOH_file.exe
Size

1.9MB
MD5

69f7588863e91f123d7cf2fef9452c0c
SHA1

1c60375348fadf76013f96d4a1122a85d7004a5b
SHA256

6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009
SHA512

2421dfa803a4c1754f1ffa7b3ce596150fceadd33b7f67d9e0f8f6c0f09bdd2e0d88523e095af4da8777133daf1de1d5d60afc5aaa2901197cd2a4ae7eeaab78
SSDEEP

49152:8zQ3t4rgxVs5wqQuewfkDBuo16D3eCFhI/BlR1P:8ziteV+qQ1w0BuWo3XFaR1P

Score

10^/10

amadey lumma stealc 9c9aa5 drum credential_access discovery evasion stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	A2NOH_file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3FEtgVY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EbjU3lW.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 3 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2220	chrome.exe
604	chrome.exe
1972	chrome.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A2NOH_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A2NOH_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3FEtgVY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3FEtgVY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EbjU3lW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EbjU3lW.exe

Executes dropped EXE 3 IoCs

pid	Process
2348	skotes.exe
1252	3FEtgVY.exe
588	EbjU3lW.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	3FEtgVY.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	EbjU3lW.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	A2NOH_file.exe

Loads dropped DLL 6 IoCs

pid	Process
2636	A2NOH_file.exe
2636	A2NOH_file.exe
2348	skotes.exe
2348	skotes.exe
2348	skotes.exe
2348	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0004000000012280-332.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2636	A2NOH_file.exe
2348	skotes.exe
1252	3FEtgVY.exe
588	EbjU3lW.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	A2NOH_file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3444	2752	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2NOH_file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3FEtgVY.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
696	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2924	taskkill.exe
2480	taskkill.exe
2844	taskkill.exe
976	taskkill.exe
2732	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	3FEtgVY.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3FEtgVY.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3FEtgVY.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2636	A2NOH_file.exe
2348	skotes.exe
1252	3FEtgVY.exe
588	EbjU3lW.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	A2NOH_file.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2348	2636	A2NOH_file.exe	30
PID 2636 wrote to memory of 2348	2636	A2NOH_file.exe	30
PID 2636 wrote to memory of 2348	2636	A2NOH_file.exe	30
PID 2636 wrote to memory of 2348	2636	A2NOH_file.exe	30
PID 2348 wrote to memory of 1252	2348	skotes.exe	32
PID 2348 wrote to memory of 1252	2348	skotes.exe	32
PID 2348 wrote to memory of 1252	2348	skotes.exe	32
PID 2348 wrote to memory of 1252	2348	skotes.exe	32
PID 2348 wrote to memory of 588	2348	skotes.exe	33
PID 2348 wrote to memory of 588	2348	skotes.exe	33
PID 2348 wrote to memory of 588	2348	skotes.exe	33
PID 2348 wrote to memory of 588	2348	skotes.exe	33

C:\Users\Admin\AppData\Local\Temp\A2NOH_file.exe
"C:\Users\Admin\AppData\Local\Temp\A2NOH_file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe
    "C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1252
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2220
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7479758,0x7fef7479768,0x7fef7479778
        5⤵
        
        PID:1660
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1380,i,2301063966220135961,8986739181442876592,131072 /prefetch:2
        5⤵
        
        PID:1372
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1016 --field-trial-handle=1380,i,2301063966220135961,8986739181442876592,131072 /prefetch:8
        5⤵
        
        PID:1628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1380,i,2301063966220135961,8986739181442876592,131072 /prefetch:8
        5⤵
        
        PID:3024
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1380,i,2301063966220135961,8986739181442876592,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1972
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1380,i,2301063966220135961,8986739181442876592,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFCBFBGDBKJK" & exit
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:696
- - C:\Users\Admin\AppData\Local\Temp\1010607001\EbjU3lW.exe
    "C:\Users\Admin\AppData\Local\Temp\1010607001\EbjU3lW.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\1010609001\5a36143244.exe
    "C:\Users\Admin\AppData\Local\Temp\1010609001\5a36143244.exe"
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1268
      4⤵
      Program crash
      PID:3444
- - C:\Users\Admin\AppData\Local\Temp\1010610001\1e2cbd9e7f.exe
    "C:\Users\Admin\AppData\Local\Temp\1010610001\1e2cbd9e7f.exe"
    3⤵
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\1010611001\0872b46541.exe
    "C:\Users\Admin\AppData\Local\Temp\1010611001\0872b46541.exe"
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:2480
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:2844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:2924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:1736
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:2088
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.0.1517756508\1907798651" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1092 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5dd013f3-fda9-47f8-917f-16f0db619333} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 1312 106efd58 gpu
        6⤵
        
        PID:2504
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.1.734427199\132443161" -parentBuildID 20221007134813 -prefsHandle 1528 -prefMapHandle 1524 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae8e800b-dffb-4b7a-a0de-3efdd0ac826f} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 1540 f3edf58 socket
        6⤵
        
        PID:2968
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.2.1675927886\29169808" -childID 1 -isForBrowser -prefsHandle 2164 -prefMapHandle 2160 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f99b2ab5-d87f-4c51-9e33-1b0fff1c5e23} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 2176 1958b858 tab
        6⤵
        
        PID:1324
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.3.1297425003\2129383153" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2736 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3a5ab88-22bf-421f-8257-feddd2a13981} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 2756 1cdd0358 tab
        6⤵
        
        PID:2792
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.4.1616454513\115496622" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 3840 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dece301c-8efd-4943-b475-ee67c3193234} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 3856 1f0b1558 tab
        6⤵
        
        PID:3804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.5.1546506271\788919567" -childID 4 -isForBrowser -prefsHandle 3972 -prefMapHandle 3976 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e73d2225-7316-4451-a0d2-37218f7c7121} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 3960 1f15d858 tab
        6⤵
        
        PID:3816
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2088.6.1915997616\1278855359" -childID 5 -isForBrowser -prefsHandle 4156 -prefMapHandle 4160 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {656cacf6-395c-48c0-b628-b6023950ebde} 2088 "\\.\pipe\gecko-crash-server-pipe.2088" 4148 1f160858 tab
        6⤵
        
        PID:3828
- - C:\Users\Admin\AppData\Local\Temp\1010612001\bc8dc7f241.exe
    "C:\Users\Admin\AppData\Local\Temp\1010612001\bc8dc7f241.exe"
    3⤵
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\1010613001\9c3d9e3428.exe
    "C:\Users\Admin\AppData\Local\Temp\1010613001\9c3d9e3428.exe"
    3⤵
    PID:4008
- - C:\Users\Admin\AppData\Local\Temp\1010614001\4e3c6d9389.exe
    "C:\Users\Admin\AppData\Local\Temp\1010614001\4e3c6d9389.exe"
    3⤵
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\1010615001\e847b15191.exe
    "C:\Users\Admin\AppData\Local\Temp\1010615001\e847b15191.exe"
    3⤵
    PID:3880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3ddea18061debcfa960eb69d8e90d37

SHA1
6cfc18b6c4961c866c80926f30952d32ee4216be

SHA256
027fcdec45fe31e0b3ba56ed5b01e42eb938f259d11d639ad2b784d341be844e

SHA512
e8d3b2f0de47c63b193e591545b9159bad30e2447cdc52253437b8efecb946e6be2938701bab116ce871aa757d1048d29e6e1d03e4017dce6008af1e12063746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bb2321c3ce56d4a15358b2de0885258

SHA1
8c8e46c91c4f8e58ae32a18907fe28a97073a1ab

SHA256
9103e45675566f391d8c490ffe21dba5573d00bfde396145c211339eabe42039

SHA512
7c69499e3a867d7f614dc82e60ee2a1960c5097cc93a6c23ef891b2d0298493570c8b6cdf023fd1a2995c9821b9336c2d7bfac86516ff04f6391282cf9b0955a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41e6a85196256713d57ef7f4a472ddce

SHA1
aaf22b005982cdfde1b507fd810839a0ca4d519d

SHA256
bc628ab66cb5429f068d6546197458cbe95208885dfa4bb31542da8ebbd7ca83

SHA512
61fca2e820374ed5641a5a1beedf5384ae9ce6ccf6d4c351afce89bdf274bd334a62852709d4544268dccf1d7fc3160c62d80dbd28e28848510d7ceb1cf8b2fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
333caa9380497acb5f874dc4fa556656

SHA1
7501f79169332b1fc9f70be506a904ee578d6374

SHA256
78c02c30ccf975608998ace7cbaad34268cfd66fbf097ef652621bbca408c397

SHA512
486d2308f3d8f40888e77fcd85b3cf97183df03f8035e4cd6ea5bb00da48f487c1f5efc0ff15a01be3f0cb86ceaa19f313e80cea176bb22bdb4e2a370e165c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
1cf0d56ed900f16eea820aa5632aee95

SHA1
29c0955942c80d8ea050c463e9df00547f6f808d

SHA256
bb6c19a33f172776ec5da825a57eb4f2451daa983cb499f0dce64311083454d6

SHA512
77ac58c629d2cc8170f66ac7774375ca6b84010b5c69d618ae8ec5a9f98b0579bd60dd504cc71c4b2e709d0807806a9cf40c275a76af03ab3ce3dff24d8627ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\76561199803837316[1].htm

Filesize
34KB

MD5
5db80594fd6f5fda3ce3320a17741156

SHA1
905560e932dc3d7130abd5695e92346ffd039451

SHA256
48b1014065ed1ea94908f9a2b919123aaaaaa9efebe3f3b4f3034aa2eb244d85

SHA512
bfdacfaa2d8b7206f233e8db8c5221faa6cbe597adc213b81487a0a8c467122afad6434eca6c44c30948a4581aaddb1f2e44457af7108793517df2c91be9143b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
5ac0a0e954aa74dee7356f3139304baf

SHA1
5e2267fc08a2e120200c1f03b2ad657743f00d26

SHA256
eb32cb04835aa046bb7e90360865a74da0a4c800061fda6f8f4210153968c48a

SHA512
204b0aef3c3e317882f0765c590e4d91d1a71c7708c8f1530974363e94ce081403d11bcb7f7d45f30bae449b1da1ffd08e85ff9392940507bae30c933cb757ce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe

Filesize
1.8MB

MD5
a151487b27e539f2f2ec79ac50940872

SHA1
eb655ee0a8762714754c713e5bb3171ff1be3467

SHA256
70a4257b71a11086ab596f6122ee6a8b6ef9335f5538f79e68f48727fa1dc439

SHA512
4eb5de737ad27d4aed33d02ef3b6f58c045252e81b3b733de2d204747519d8f6ff9ea75c2858259467439eb833055bebb8c3449ce8fe68852d3ec51bc7b58c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010609001\5a36143244.exe

Filesize
1.8MB

MD5
f39d36f64217e34500b5bae41f7db3ef

SHA1
06c5d3929fe215180455f771eccaf67e107a2f59

SHA256
01be31d9e89c730cc3204343cb7ccf8a765d0042a2de86d97b1489dccf1e3cd8

SHA512
092f0cc00bb2698df8ca4034f963d10a12f2f158480afca39c77f0d5a1f950cdb9fb46713da5d51a349232e05062df9cb69c8341766c4b28bd01063ed9da877e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010610001\1e2cbd9e7f.exe

Filesize
1.7MB

MD5
2843528f4a04c4d3532c3b54af2f5537

SHA1
2e9a764fdae46b271af76e7e55a85ba2dc580701

SHA256
7d36844cd7e12fd72f6f94f6d6cb5fd3b37fdd956f7f9a9bc09d96404b834a46

SHA512
d7d24803be7fe970652e6c37b2e512c6e7fa27b7abd892caaf67fbbc863703cf3748389f02a39958696a2fc866652921a98efca01de1ca468ebcc02ec1c6bfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010611001\0872b46541.exe

Filesize
901KB

MD5
b41ec8796f23c8adbc8c485921e30c05

SHA1
317a826843e8d682d29390645cbf98b4cc2e61d9

SHA256
fcfa6a31d016d9b4e92fe59ffc959cd406d88543643f375d18e549e52f249197

SHA512
709d4964561b8ecc30eb692369bb03478242d6b5b77e376d15da0ea9e2258306611f6c9428b3190cc714464f1f089a24fcbfd7e6472d3b27fc4f79c0f101be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010612001\bc8dc7f241.exe

Filesize
2.7MB

MD5
d411ff4997d06a1d8946b0bb6c1c4392

SHA1
851900aeb53cd9ecf0e6ed07589e3da3f82ea722

SHA256
8b61b8ac54efabf8708464399025293f88934ed3b8cb68d8c1bafb3e17fc20a8

SHA512
bf5a7bd9b53a4e43ac6b810370d276a63e528faccf4be373349b4f7f7753923e5a1c514aedf71d0e47f777fce952065e66f2d3ce3f5bb51e4177aee201c7e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010613001\9c3d9e3428.exe

Filesize
4.3MB

MD5
b9135cce5a371bfe6dadad02845410bd

SHA1
96fedda72617bb217f710f8470e97146d7fbc70c

SHA256
6099d2337b585d79dd82ff5771a4b86840668a1213d01862cabccf09f40b3e6e

SHA512
337c7d41a81eae7649d4bf115be33ec7b4f3f630702e3ffe522929e39c2609656bcb5f6ae2d4bfa53b74779a0a178d786694ee893bffbb794c6f32b3f22cd5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010614001\4e3c6d9389.exe

Filesize
4.3MB

MD5
4c8baea05797d476b79aae87e81462ef

SHA1
447003951e78565e626490da1a98eae52d9f46c4

SHA256
564f4ac4ec2dc73a83e271c0b957c3a4e211d38b31781b01e3ea01394be9fe4c

SHA512
55f0ffaa387a3e9a1ed1b9e1e590fb2dc8f22689f71f920f72a37235dcdff43aa62697b5f7cbc1588d9ea92d785667e8bd24d39881e21de7f52b201f845b79e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010615001\e847b15191.exe

Filesize
1.9MB

MD5
ac44247e8835b336845ad56b84583656

SHA1
ff499dadf0fd0f90d3e156ba2d521367678be35e

SHA256
e1a6fe984f3ffc681defb85678e20fb0fa1c4afe1a8e99dc974dc3253a04b371

SHA512
0a9476d193084f2232301734cb558b2e5bf56e59d73c2e6f418c51c0592e4b350e19855c3b4a7ca95c19fe071baf3ff097ee0b68077d9976f68600a0266f15d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab391C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar394E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.9MB

MD5
69f7588863e91f123d7cf2fef9452c0c

SHA1
1c60375348fadf76013f96d4a1122a85d7004a5b

SHA256
6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009

SHA512
2421dfa803a4c1754f1ffa7b3ce596150fceadd33b7f67d9e0f8f6c0f09bdd2e0d88523e095af4da8777133daf1de1d5d60afc5aaa2901197cd2a4ae7eeaab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ba8e22b9f535c9076f3587cbe894e3c2

SHA1
6499399440c80b923d50db07fbdf2a2f58f07b04

SHA256
c50384bce04de480c390d658b41cb7628dbab8a72e7d02c64c0341ee3bb698a6

SHA512
4bf3d59ab2bd10c0343dadd92a098fc3c46035b883212ea0df710de1e9753dcc81e929770a8b7a304c176e97c4eda7fdec95940a927b98e90bdcb9b90597746e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\470458ed-8dd1-4f2c-af47-c646222cafb7

Filesize
10KB

MD5
99e3e302efc7d83f7eb863af361e0dc9

SHA1
2b33994380915dec5befc00231d0894603eb4935

SHA256
2e25c816107b9cb87021b91b39ab487f9b17db979143cbae33deef5738ed9c7d

SHA512
2a591d2b38b5e7353086622b8352cf9e1568985d24f5e4e0abd63cb90ef7e873df1aa1a123836984d5e0063c0214b941863039e153dc1bf0a183ddcc1b426aa9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\4f0d60e0-6958-439f-b432-b297e3394a8a

Filesize
745B

MD5
26d3a03effe9be02543077cf8607eb87

SHA1
6189961ad0473914f882fe28f9610efe11fcacc8

SHA256
3af3d595afa90451be59ecb2dc17614004489e32bad30d2a4f78844dae742e18

SHA512
a14397261f509a83fefa1abdecb812c34fe98f6bb9b8265ad64bace02a7cb93f4203bfef15b971b740a0b1e3e3f3f5692d5f2c60caa728ee6d40d890a05c0ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
7KB

MD5
f6431faaeba73c2c78b8829ab8b6e0c2

SHA1
5b1788ca25bf5a4838eb36682a9120701c5fce4d

SHA256
1bb6ed27a3495266683c6c582ee978e615025b6c0675d43479db8d87a450363c

SHA512
08a44543f3dab4239aa288ffade81a04cdd694c461e39c60725d3eb1a83ae2927288a7dfb4b8e967ca21870ba1e4b874f2091a9931e68a7d8c3010987e6fb5fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
7KB

MD5
97debb58288a08ac224bfac1401c7f97

SHA1
9d3f62ebfe09e77a621288fedaeca67e1c3ffa97

SHA256
5233dec5b97ad4ddef4c4f42f38647ac6c3a628bbc9fa03c61df318dc04cd577

SHA512
3548082e8342c64025fc612280daa0d1764f5ec88a7de33218ad8d04cb91ed7185acbac9b2fb3cec97711a937235a5b138bb4103e9d10b05e999004a3d7d36b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
6KB

MD5
96e1494923a226744ccfb482099b3c3e

SHA1
ef2f44d64e180db32d73f73824017dc75b7d2b8b

SHA256
e7f1a38dbaa357ebbc23196d02a0082dec1ea86fb09ff5e5e6aa010ed6950048

SHA512
363425cee8bf53037a9f195c57a5ec436bad3140c87e5d751685e5d7671bd8022348f7792aac88f0b8649599734301993d7ffc4169b3760deb398626c66f8212

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

Filesize
6KB

MD5
7a9de45391839d9b2e67885e9d45e125

SHA1
d28f4bca88eb38db734450780cb3e0635a677b20

SHA256
647c5d6e54904afee5ce61121e0756c49571e9417e78d433b865dde471fc1047

SHA512
3f7a78c8d3504cd53003e022f1bfc86502050ea453cc6077c4a991fce071b73ca5891f354cf5530277194359269bc2f44a5083d58673f21861cf83eeb9a2ed71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
97ff4dc90d23e1894f3c25bdcc52fe1a

SHA1
9649ff64581d3d20fb898f702edeee0c402c5aa5

SHA256
cf27124c79b9109a547f10a271d8dbded84de884063864aa776be2b3464f4f91

SHA512
2bd0f1c49aec446a213a6a9c2c980f215d1d555413a35caf044d10dbb21f682616533328f4e1f636706ae40a608ee823b6fab0b73e4711923ed6f4d3080faa00

Download Submit
memory/588-820-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/588-314-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/588-326-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/588-144-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/588-496-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/588-1008-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1252-303-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1252-258-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1252-790-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1252-876-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1252-443-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/1252-46-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2348-1015-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-45-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-1124-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-411-0x0000000006B20000-0x00000000071C0000-memory.dmp

Filesize
6.6MB

Download
memory/2348-409-0x0000000006B20000-0x0000000006DD6000-memory.dmp

Filesize
2.7MB

Download
memory/2348-1122-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-444-0x0000000006B20000-0x00000000071C0000-memory.dmp

Filesize
6.6MB

Download
memory/2348-1120-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-1118-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-1116-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-327-0x0000000006B20000-0x0000000006FD0000-memory.dmp

Filesize
4.7MB

Download
memory/2348-325-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-323-0x0000000006B20000-0x00000000071C0000-memory.dmp

Filesize
6.6MB

Download
memory/2348-578-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-1111-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-322-0x0000000006B20000-0x00000000071C0000-memory.dmp

Filesize
6.6MB

Download
memory/2348-313-0x0000000006B20000-0x00000000071F9000-memory.dmp

Filesize
6.8MB

Download
memory/2348-1102-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-236-0x0000000006B20000-0x0000000006FD0000-memory.dmp

Filesize
4.7MB

Download
memory/2348-1100-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-749-0x0000000006B20000-0x0000000006DD6000-memory.dmp

Filesize
2.7MB

Download
memory/2348-1097-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-237-0x0000000006B20000-0x0000000006FD0000-memory.dmp

Filesize
4.7MB

Download
memory/2348-21-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-234-0x0000000006B20000-0x00000000071F9000-memory.dmp

Filesize
6.8MB

Download
memory/2348-23-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-164-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-145-0x0000000006B20000-0x00000000071F9000-memory.dmp

Filesize
6.8MB

Download
memory/2348-22-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-843-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-24-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-143-0x0000000006B20000-0x00000000071F9000-memory.dmp

Filesize
6.8MB

Download
memory/2348-81-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-26-0x0000000001180000-0x000000000164D000-memory.dmp

Filesize
4.8MB

Download
memory/2348-42-0x0000000006B20000-0x00000000071F9000-memory.dmp

Filesize
6.8MB

Download
memory/2348-43-0x0000000006B20000-0x00000000071F9000-memory.dmp

Filesize
6.8MB

Download
memory/2636-17-0x0000000001300000-0x00000000017CD000-memory.dmp

Filesize
4.8MB

Download
memory/2636-0-0x0000000001300000-0x00000000017CD000-memory.dmp

Filesize
4.8MB

Download
memory/2636-1-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/2636-2-0x0000000001301000-0x000000000132F000-memory.dmp

Filesize
184KB

Download
memory/2636-3-0x0000000001300000-0x00000000017CD000-memory.dmp

Filesize
4.8MB

Download
memory/2636-4-0x0000000001300000-0x00000000017CD000-memory.dmp

Filesize
4.8MB

Download
memory/2636-20-0x0000000006FC0000-0x000000000748D000-memory.dmp

Filesize
4.8MB

Download
memory/2636-18-0x0000000006FC0000-0x000000000748D000-memory.dmp

Filesize
4.8MB

Download
memory/2672-810-0x00000000008E0000-0x0000000000B96000-memory.dmp

Filesize
2.7MB

Download
memory/2672-446-0x00000000008E0000-0x0000000000B96000-memory.dmp

Filesize
2.7MB

Download
memory/2672-412-0x00000000008E0000-0x0000000000B96000-memory.dmp

Filesize
2.7MB

Download
memory/2672-775-0x00000000008E0000-0x0000000000B96000-memory.dmp

Filesize
2.7MB

Download
memory/2672-445-0x00000000008E0000-0x0000000000B96000-memory.dmp

Filesize
2.7MB

Download
memory/2752-356-0x0000000000300000-0x00000000007B0000-memory.dmp

Filesize
4.7MB

Download
memory/2752-872-0x0000000000300000-0x00000000007B0000-memory.dmp

Filesize
4.7MB

Download
memory/2752-387-0x0000000000300000-0x00000000007B0000-memory.dmp

Filesize
4.7MB

Download
memory/2752-718-0x0000000000300000-0x00000000007B0000-memory.dmp

Filesize
4.7MB

Download
memory/2752-238-0x0000000000300000-0x00000000007B0000-memory.dmp

Filesize
4.7MB

Download
memory/2804-324-0x0000000000DF0000-0x0000000001490000-memory.dmp

Filesize
6.6MB

Download
memory/2804-338-0x0000000000DF0000-0x0000000001490000-memory.dmp

Filesize
6.6MB

Download
memory/3220-789-0x00000000012F0000-0x0000000001FA1000-memory.dmp

Filesize
12.7MB

Download
memory/3880-1099-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1115-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1109-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1117-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1101-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1119-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1092-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1121-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1123-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3880-1016-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/4008-828-0x0000000000E90000-0x0000000001B1A000-memory.dmp

Filesize
12.5MB

Download