amadey | 6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009

Analysis

max time kernel
13s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A2NOH_file.exe
Size

1.9MB
MD5

69f7588863e91f123d7cf2fef9452c0c
SHA1

1c60375348fadf76013f96d4a1122a85d7004a5b
SHA256

6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009
SHA512

2421dfa803a4c1754f1ffa7b3ce596150fceadd33b7f67d9e0f8f6c0f09bdd2e0d88523e095af4da8777133daf1de1d5d60afc5aaa2901197cd2a4ae7eeaab78
SSDEEP

49152:8zQ3t4rgxVs5wqQuewfkDBuo16D3eCFhI/BlR1P:8ziteV+qQ1w0BuWo3XFaR1P

Score

10^/10

amadey lumma stealc 9c9aa5 drum credential_access discovery evasion stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3FEtgVY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EbjU3lW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	A2NOH_file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5008	msedge.exe
5664	msedge.exe
4064	chrome.exe
2748	chrome.exe
5080	msedge.exe
5672	msedge.exe
2784	chrome.exe
3268	chrome.exe
732	msedge.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EbjU3lW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EbjU3lW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A2NOH_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A2NOH_file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3FEtgVY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3FEtgVY.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	A2NOH_file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 3 IoCs

pid	Process
4828	skotes.exe
2632	3FEtgVY.exe
560	EbjU3lW.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	A2NOH_file.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	3FEtgVY.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	EbjU3lW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023c20-216.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2808	A2NOH_file.exe
4828	skotes.exe
2632	3FEtgVY.exe
560	EbjU3lW.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	A2NOH_file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6300	4272	WerFault.exe	114
6328	4272	WerFault.exe	114

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3FEtgVY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EbjU3lW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2NOH_file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3FEtgVY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3FEtgVY.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5348	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5976	taskkill.exe
3756	taskkill.exe
3336	taskkill.exe
1608	taskkill.exe
5264	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2808	A2NOH_file.exe
2808	A2NOH_file.exe
4828	skotes.exe
4828	skotes.exe
2632	3FEtgVY.exe
2632	3FEtgVY.exe
560	EbjU3lW.exe
560	EbjU3lW.exe
2632	3FEtgVY.exe
2632	3FEtgVY.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	A2NOH_file.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4828	2808	A2NOH_file.exe	85
PID 2808 wrote to memory of 4828	2808	A2NOH_file.exe	85
PID 2808 wrote to memory of 4828	2808	A2NOH_file.exe	85
PID 4828 wrote to memory of 2632	4828	skotes.exe	87
PID 4828 wrote to memory of 2632	4828	skotes.exe	87
PID 4828 wrote to memory of 2632	4828	skotes.exe	87
PID 4828 wrote to memory of 560	4828	skotes.exe	89
PID 4828 wrote to memory of 560	4828	skotes.exe	89
PID 4828 wrote to memory of 560	4828	skotes.exe	89

C:\Users\Admin\AppData\Local\Temp\A2NOH_file.exe
"C:\Users\Admin\AppData\Local\Temp\A2NOH_file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe
    "C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2632
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2784
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb68cfcc40,0x7ffb68cfcc4c,0x7ffb68cfcc58
        5⤵
        
        PID:3680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
        5⤵
        
        PID:1820
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
        5⤵
        
        PID:5080
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2596 /prefetch:8
        5⤵
        
        PID:4872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4064
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3268
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2748
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
        5⤵
        
        PID:4092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,10448802844927911852,7057004540468287454,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:8
        5⤵
        
        PID:4436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb689046f8,0x7ffb68904708,0x7ffb68904718
        5⤵
        
        PID:4864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,766198463082635309,15913639215903145716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
        5⤵
        
        PID:1512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,766198463082635309,15913639215903145716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
        5⤵
        
        PID:1720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,766198463082635309,15913639215903145716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        5⤵
        
        PID:3384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2216,766198463082635309,15913639215903145716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2216,766198463082635309,15913639215903145716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2216,766198463082635309,15913639215903145716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2216,766198463082635309,15913639215903145716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5672
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DGCBAFIJDGHC" & exit
      4⤵
      PID:5248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5348
- - C:\Users\Admin\AppData\Local\Temp\1010607001\EbjU3lW.exe
    "C:\Users\Admin\AppData\Local\Temp\1010607001\EbjU3lW.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\1010614001\9f60469e8e.exe
    "C:\Users\Admin\AppData\Local\Temp\1010614001\9f60469e8e.exe"
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\1010615001\3687bf1285.exe
    "C:\Users\Admin\AppData\Local\Temp\1010615001\3687bf1285.exe"
    3⤵
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\1010616001\ea67a70496.exe
    "C:\Users\Admin\AppData\Local\Temp\1010616001\ea67a70496.exe"
    3⤵
    PID:4272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1644
      4⤵
      Program crash
      PID:6300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1656
      4⤵
      Program crash
      PID:6328
- - C:\Users\Admin\AppData\Local\Temp\1010617001\b96003bf54.exe
    "C:\Users\Admin\AppData\Local\Temp\1010617001\b96003bf54.exe"
    3⤵
    PID:5236
- - C:\Users\Admin\AppData\Local\Temp\1010618001\3b2491a0f1.exe
    "C:\Users\Admin\AppData\Local\Temp\1010618001\3b2491a0f1.exe"
    3⤵
    PID:5928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:5976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:3756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:3336
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5264
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:1272
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:3964
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cbbfb4d-fcfc-41c4-bcfe-6d7f3afe1997} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" gpu
        6⤵
        
        PID:5988
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb2b1c0-dfe7-4548-98bb-f9f4651b45f0} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" socket
        6⤵
        
        PID:6008
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 3084 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e26b8e16-4063-44e2-be64-6a3ffd6ce263} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab
        6⤵
        
        PID:5780
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3920 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d15b465f-d529-4fce-afcb-a510ccec1bd9} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab
        6⤵
        
        PID:1512
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4584 -prefMapHandle 4600 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44c5b80a-da9c-4fee-806d-899d0e30cb1d} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" utility
        6⤵
        
        PID:2488
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5184 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c9eaff-dcec-4ce5-a2e6-060c873b7c14} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab
        6⤵
        
        PID:6644
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 4 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9756ec9f-f61f-4611-89d7-b218ab608d31} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab
        6⤵
        
        PID:6656
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5308 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f142b32a-dd88-46f8-b312-fcdd20f36d6d} 3964 "\\.\pipe\gecko-crash-server-pipe.3964" tab
        6⤵
        
        PID:6668
- - C:\Users\Admin\AppData\Local\Temp\1010619001\d3f56287ab.exe
    "C:\Users\Admin\AppData\Local\Temp\1010619001\d3f56287ab.exe"
    3⤵
    PID:5420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272
1⤵
PID:6176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4272 -ip 4272
1⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DGCBAFIJDGHC\EGIJKE

Filesize
11KB

MD5
9dad838ba7ceb302e424da4315f5f760

SHA1
84c1c202bf2b44d3f2ffad3b89d5af40f9ca160e

SHA256
5d7caa3a7e3a80ef1a4702f7086fe016ff7ed8356d7a46de3afd1f011bf35e62

SHA512
e7fd69060d71b2965de81bdae11779b3cc0527b591f881e33be25339289dc5d1ea15ba3e698b31eaba22cc121bbf4427cc1edf486ee3df022c2ff7b7f64fc712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3b9e589a5c8e7846de83f9a030f04b74

SHA1
40b2ff251ac1f4acada8cbc77e8cdc89f9215636

SHA256
768a165d9062cc193ffc68a413c8a97cbc58781636b1262ecd3ff4508a975641

SHA512
b4db60a350da5f41433895e8901ba04f1b6aa0cf1a661d73619fe6879b33393ce41066bc7bfbaeb2e6454ccbaf7341d2884290e99842db88b0151d7964c6fe93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4667acd319a206df25b678d047a38bde

SHA1
713f86a308ba213443ed943b2e5e67d44f77741b

SHA256
49b0ae52ddf61f3f0ee89b1b45cc778ecde3607a7da4c597dbfa6996da538545

SHA512
3c081f3b567d237f67f446ba04e74de7129dc299f128422737c9e72b73909179aa1994751466f554175693df5dbf50d730f679a47883904029b42b787c7e18fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
dd078ebc506af123a2a710a9eff7fe6f

SHA1
4fdf5bec392e88075e0a726949afbb3222f017f2

SHA256
c40760ec2789e1a3173bd330475f58b27db9dff09402ab866ae400cacbf18fc8

SHA512
fa663692ff3f0428bf8170ff05b4438aa43b1f5d5fd14f9e975fc6f0c98d11707e0bdbe50e0eaa8649e77937567737193ae5ffc4e544b19e17390c60b01b4f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010606001\3FEtgVY.exe

Filesize
1.8MB

MD5
a151487b27e539f2f2ec79ac50940872

SHA1
eb655ee0a8762714754c713e5bb3171ff1be3467

SHA256
70a4257b71a11086ab596f6122ee6a8b6ef9335f5538f79e68f48727fa1dc439

SHA512
4eb5de737ad27d4aed33d02ef3b6f58c045252e81b3b733de2d204747519d8f6ff9ea75c2858259467439eb833055bebb8c3449ce8fe68852d3ec51bc7b58c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010614001\9f60469e8e.exe

Filesize
4.3MB

MD5
4c8baea05797d476b79aae87e81462ef

SHA1
447003951e78565e626490da1a98eae52d9f46c4

SHA256
564f4ac4ec2dc73a83e271c0b957c3a4e211d38b31781b01e3ea01394be9fe4c

SHA512
55f0ffaa387a3e9a1ed1b9e1e590fb2dc8f22689f71f920f72a37235dcdff43aa62697b5f7cbc1588d9ea92d785667e8bd24d39881e21de7f52b201f845b79e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010615001\3687bf1285.exe

Filesize
1.9MB

MD5
ac44247e8835b336845ad56b84583656

SHA1
ff499dadf0fd0f90d3e156ba2d521367678be35e

SHA256
e1a6fe984f3ffc681defb85678e20fb0fa1c4afe1a8e99dc974dc3253a04b371

SHA512
0a9476d193084f2232301734cb558b2e5bf56e59d73c2e6f418c51c0592e4b350e19855c3b4a7ca95c19fe071baf3ff097ee0b68077d9976f68600a0266f15d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010616001\ea67a70496.exe

Filesize
1.8MB

MD5
f39d36f64217e34500b5bae41f7db3ef

SHA1
06c5d3929fe215180455f771eccaf67e107a2f59

SHA256
01be31d9e89c730cc3204343cb7ccf8a765d0042a2de86d97b1489dccf1e3cd8

SHA512
092f0cc00bb2698df8ca4034f963d10a12f2f158480afca39c77f0d5a1f950cdb9fb46713da5d51a349232e05062df9cb69c8341766c4b28bd01063ed9da877e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010617001\b96003bf54.exe

Filesize
1.7MB

MD5
2843528f4a04c4d3532c3b54af2f5537

SHA1
2e9a764fdae46b271af76e7e55a85ba2dc580701

SHA256
7d36844cd7e12fd72f6f94f6d6cb5fd3b37fdd956f7f9a9bc09d96404b834a46

SHA512
d7d24803be7fe970652e6c37b2e512c6e7fa27b7abd892caaf67fbbc863703cf3748389f02a39958696a2fc866652921a98efca01de1ca468ebcc02ec1c6bfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010618001\3b2491a0f1.exe

Filesize
901KB

MD5
b41ec8796f23c8adbc8c485921e30c05

SHA1
317a826843e8d682d29390645cbf98b4cc2e61d9

SHA256
fcfa6a31d016d9b4e92fe59ffc959cd406d88543643f375d18e549e52f249197

SHA512
709d4964561b8ecc30eb692369bb03478242d6b5b77e376d15da0ea9e2258306611f6c9428b3190cc714464f1f089a24fcbfd7e6472d3b27fc4f79c0f101be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010619001\d3f56287ab.exe

Filesize
2.7MB

MD5
d411ff4997d06a1d8946b0bb6c1c4392

SHA1
851900aeb53cd9ecf0e6ed07589e3da3f82ea722

SHA256
8b61b8ac54efabf8708464399025293f88934ed3b8cb68d8c1bafb3e17fc20a8

SHA512
bf5a7bd9b53a4e43ac6b810370d276a63e528faccf4be373349b4f7f7753923e5a1c514aedf71d0e47f777fce952065e66f2d3ce3f5bb51e4177aee201c7e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.9MB

MD5
69f7588863e91f123d7cf2fef9452c0c

SHA1
1c60375348fadf76013f96d4a1122a85d7004a5b

SHA256
6f9612016e158ddaef7b0963e8b8962cd9adf36e16bd9a079b9cd5cc9ac37009

SHA512
2421dfa803a4c1754f1ffa7b3ce596150fceadd33b7f67d9e0f8f6c0f09bdd2e0d88523e095af4da8777133daf1de1d5d60afc5aaa2901197cd2a4ae7eeaab78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
6KB

MD5
e19e2396e9bb20c63175721569498761

SHA1
c7b745888485258c4b5dfda5d10882d7106cbb4e

SHA256
2cdaff3e1b90a6410ed0f15620b5ef8ae30894d3ebe6c6eef89d1b3d6bd84b90

SHA512
f76a16d1734c7721d5a35c1b9010cb792213a516bc8e3c951599fbbf077c97fa3e0ba21f24e60166f49b5d9c4c5c68523b95bf37d9865cbfa4787b645d73371a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
8KB

MD5
729756f9918190fe96f2f1f244e74844

SHA1
8de52d9bf175e22fca58d4b33dc9fb7b2c34e7d1

SHA256
2e32cb532ecc417786ee911d71deaef4c3a45495a006e34154013448ec13c131

SHA512
d495dad991c2429a5893e0ac7228dab2ea60c2b5be39e131fa26bef97b4714ab9071a0b50f01cf04c06262cca85379e91810fec49ba09aada0bf4d017f6d6852

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
10KB

MD5
1d76c38641da574b87eccddb979bc333

SHA1
84d15b488c3087610b904142ea6586e21b348165

SHA256
90797982e572024db4dc78daa494a26c465dad9fc1fc9da4fac8c2ab90d3f19c

SHA512
7ac1fdd2a360487f57f0b0aae8bcd5920a6de6f1180f3ac580963acb738eccd90ee04b44767096f8f34eb1186fc58bd05cf7b0e27fe388944f350b4aa9fdcbf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
17KB

MD5
1d12e4023452ce3f5480e04a8d634887

SHA1
2ef3580ec8418cd306998359fb87cb9fc482d4cc

SHA256
b3bee5a0c4b69a6bc6e880803c6d8dc9ab7f2e1e01bdf6d58a9da5b0a80b8701

SHA512
fe39e13b1c8c89c3791d3208644b3a2de517cc3b75882547a0c10e170d095642cc217e390273d7a00a90b309ca0be3c54b810ff9fc672e19024f42c54c539390

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b45d2db1600ab8b22553cb2cad4fcc56

SHA1
d5e5dd1bfad6552010147e67f2ca87513fa9ecb8

SHA256
9cd3cad6dc5d3820023ee95d7132f9f6f9678e2e3624fab79188c4d0fe13b0f7

SHA512
a9e07791aa1eb2cdb3b34432741884c4240b0b40111387ef9db33f359ee76469173420c0992becb40c67960853dbdf26c5f8303c0d3019e8e80118a918807a94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
c02afecee23fc72f3f1787c2d89672f7

SHA1
6baf3ccec1273ced7838e7b7f16d59648e5c481c

SHA256
08b364f78fecc01fafd43040fea53561a8e294aa444a4a1772feae73ce52f679

SHA512
7863837591a5dfff390e0fc63c07df4f142189e28c83a5f465e7b92ec66674e0ee4d069214f80d0d0b2eaa7711a40b74927ec524ef78501c2af76c8a4867ac57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\3fdf8259-bb62-428c-8e61-7cca3cbbaf0e

Filesize
671B

MD5
d3d6292ef60fc86aca31dfa000c34098

SHA1
78f41074d3194d666f9e73f17adc7b9a28996c50

SHA256
20a12ca67a0f9faae90587ee05127f2d79b2835a3058b0b735aded067ec8b45c

SHA512
c1b23874c091720d5e0c9a17cc01fc34cf4aecdb06237f9e737520cf4e49216d15f773d94fc30e4f9c7288e160e7151819bea7d67284027eab32cfe523ca4b14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\4d0d54f8-a4d3-4504-a6df-5105f4dc6e62

Filesize
26KB

MD5
b021a6636fb0edb813c2bceb580949bf

SHA1
5d198a8a3255fee18c6dbc533fd17953be23dacd

SHA256
216d2cfe6b3c3d85fc0e7f2c68f8c5ff01a6cb7540e8dc87c7a8a55383de89a2

SHA512
9ab8c0a6e55ac435b6e5633ab0597e24280281a32946077e1fd5c52ba8f370eada2d1c8a9c65198cbe3a99e8134e9d8a923b91681c7c9fa93da0736fe8d0ed14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\e4b2947d-2c4f-4759-ab1d-1389536822f5

Filesize
982B

MD5
0a6a9662be251d14ca6415d518374a3b

SHA1
e34e56cfe97cde738f95858073549da2512cf945

SHA256
abe002ec9a452612294f31d6058e8123d0e39a60a6a75edde6cc8586495b7e85

SHA512
a351f9cf41f89bc021935227920cc559619d3c642b7f4b0c995f0d78d06ed702dc91899acdfc17ab171482ca801192b17a6e73e26fb8cebe7ab9ba584d56c219

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
10KB

MD5
a5795e5c5c9d6fbf15151825f48960fa

SHA1
d17df53615feff5f74e7163928de45624d30863c

SHA256
266f74a51f411fc0183a62ccc7c41a5d901d504042c148f720318ce9ae770bf2

SHA512
ccaf4aebeb57375c951f3eb5a040fe5a60520182a121d0ddecbce54717bfbee2660eb51aca596b708dcb89078a592dd9d92da945ad1cc5d9eabc40d5013d4ab7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
11KB

MD5
d39bce488cc1fe338c2596c2fd3012fc

SHA1
e1573903409bb8740b5e38e773348b35ef5a783c

SHA256
8b141df946f74d5755d377536b6527ef104442ef120404e78761797b2e32f633

SHA512
7529bcb0a03ccb739f32cc62c67475cf79954b45821fac82582f0fa93f3ce59277206515d334bc23b7d636b9c504dd91859bd4d2ee59b728d65657639507d91c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
10KB

MD5
3baf1b06a66163f1adc97eb784913745

SHA1
9fd23a5a86147fdc18754c267a3287250f24aeb7

SHA256
fa23088c2189279ce429b0b49e1a442eb66295838b734352cc44ceb963517c28

SHA512
14c5213fb23e3374d3a1412c345d6b870d61e3f5fba8c3aac4b2f21df446ca7d48d8eb7f1cd515857979a4facbd6ec61471a4f86d73b7360363a51e1acf1198e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
11KB

MD5
6418fc54b9dfafb1d77a68b46e8c5b7b

SHA1
f3380392d04c77d05d372286d33696dc26108cc9

SHA256
b5589f09ebd6f3518f8f1f3d35a5c0404e80ec9e518ea15d16dc9fea302161ec

SHA512
5a7ac6bd25287973cf0910069afa5ce9699df3661ba3aa10672bfb9938219d7f4b277d61b58a7caee81d4a7a640fccaed9e7ba2f125ec70e06cc750fcb771264

Download Submit
memory/228-89-0x00000000005B0000-0x0000000001261000-memory.dmp

Filesize
12.7MB

Download
memory/228-156-0x00000000005B0000-0x0000000001261000-memory.dmp

Filesize
12.7MB

Download
memory/560-116-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/560-638-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/560-665-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/560-128-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/560-58-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/560-231-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2000-792-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/2284-159-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/2284-162-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/2632-193-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-39-0x0000000000401000-0x000000000042C000-memory.dmp

Filesize
172KB

Download
memory/2632-652-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-40-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-41-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-36-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-101-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-77-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-475-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2632-102-0x0000000000400000-0x0000000000AD9000-memory.dmp

Filesize
6.8MB

Download
memory/2808-0-0x0000000000D90000-0x000000000125D000-memory.dmp

Filesize
4.8MB

Download
memory/2808-18-0x0000000000D90000-0x000000000125D000-memory.dmp

Filesize
4.8MB

Download
memory/2808-2-0x0000000000D91000-0x0000000000DBF000-memory.dmp

Filesize
184KB

Download
memory/2808-1-0x0000000077284000-0x0000000077286000-memory.dmp

Filesize
8KB

Download
memory/2808-4-0x0000000000D90000-0x000000000125D000-memory.dmp

Filesize
4.8MB

Download
memory/2808-3-0x0000000000D90000-0x000000000125D000-memory.dmp

Filesize
4.8MB

Download
memory/3468-804-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-120-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-794-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-800-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-787-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-609-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-738-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-666-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-806-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-206-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-207-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-808-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-675-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/3468-810-0x0000000000400000-0x00000000008C2000-memory.dmp

Filesize
4.8MB

Download
memory/4272-653-0x0000000000480000-0x0000000000930000-memory.dmp

Filesize
4.7MB

Download
memory/4272-239-0x0000000000480000-0x0000000000930000-memory.dmp

Filesize
4.7MB

Download
memory/4272-151-0x0000000000480000-0x0000000000930000-memory.dmp

Filesize
4.7MB

Download
memory/4272-667-0x0000000000480000-0x0000000000930000-memory.dmp

Filesize
4.7MB

Download
memory/4272-235-0x0000000000480000-0x0000000000930000-memory.dmp

Filesize
4.7MB

Download
memory/4828-127-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-788-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-20-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-19-0x00000000002B1000-0x00000000002DF000-memory.dmp

Filesize
184KB

Download
memory/4828-637-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-16-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-38-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-42-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-59-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-668-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-809-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-774-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-807-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-21-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-805-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-793-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-676-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-799-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-230-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/4828-803-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download
memory/5236-205-0x0000000000370000-0x0000000000A10000-memory.dmp

Filesize
6.6MB

Download
memory/5236-201-0x0000000000370000-0x0000000000A10000-memory.dmp

Filesize
6.6MB

Download
memory/5420-658-0x0000000000910000-0x0000000000BC6000-memory.dmp

Filesize
2.7MB

Download
memory/5420-655-0x0000000000910000-0x0000000000BC6000-memory.dmp

Filesize
2.7MB

Download
memory/5420-261-0x0000000000910000-0x0000000000BC6000-memory.dmp

Filesize
2.7MB

Download
memory/5420-266-0x0000000000910000-0x0000000000BC6000-memory.dmp

Filesize
2.7MB

Download
memory/5420-267-0x0000000000910000-0x0000000000BC6000-memory.dmp

Filesize
2.7MB

Download
memory/5528-812-0x00000000002B0000-0x000000000077D000-memory.dmp

Filesize
4.8MB

Download