vidar | f77a07b45cd45bfbe85a30f2f30231a1d5d3c2805c865a0d5c7d7e690b7b56c4

Analysis

max time kernel
114s
max time network
105s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-02-2025 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

text.txt
Size

32B
MD5

a455d48f8584cc5fbe88a099cded5ae4
SHA1

085fc5be40f2edaa6fad96b95b01a6b107745546
SHA256

f77a07b45cd45bfbe85a30f2f30231a1d5d3c2805c865a0d5c7d7e690b7b56c4
SHA512

971a880edbd08c57faa42078097f73867c6cc663bbd3a7c66ba026104cdbe5bd9339596877dbeb277cffca9bac8a52c695f122f4310c4c064b53a65beb41b1c2

Score

10^/10

vidar credential_access defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Detect Vidar Stealer 32 IoCs

stealer

resource	yara_rule
behavioral1/memory/2032-618-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-622-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-629-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-630-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-631-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-632-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-667-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-668-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-669-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-670-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-671-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-672-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-673-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-674-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-675-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-676-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-724-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-726-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-725-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-727-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-728-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-729-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-731-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-732-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-733-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-734-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-735-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-738-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-737-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-740-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-741-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7
behavioral1/memory/2032-742-0x0000000000430000-0x0000000000452000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
78	1752	firefox.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4824	chrome.exe
4976	chrome.exe
3612	msedge.exe
2060	msedge.exe
1628	chrome.exe
4924	chrome.exe
2440	msedge.exe
2016	msedge.exe
4916	msedge.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	config.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 2032	1896	config.exe	110

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\config.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	config.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5372	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133846825482229568"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\config.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2196	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
1628	chrome.exe
1628	chrome.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
1128	msedge.exe
1128	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
2440	msedge.exe
2440	msedge.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe
2032	BitLockerToGo.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
112	SecHealthUI.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	firefox.exe
Token: SeDebugPrivilege	1752	firefox.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeCreatePagefilePrivilege	1628	chrome.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe
Token: SeDebugPrivilege	2032	BitLockerToGo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
1752	firefox.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe
112	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 2368 wrote to memory of 1752	2368	firefox.exe	83
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2320	1752	firefox.exe	84
PID 1752 wrote to memory of 2556	1752	firefox.exe	85
PID 1752 wrote to memory of 2556	1752	firefox.exe	85
PID 1752 wrote to memory of 2556	1752	firefox.exe	85
PID 1752 wrote to memory of 2556	1752	firefox.exe	85
PID 1752 wrote to memory of 2556	1752	firefox.exe	85
PID 1752 wrote to memory of 2556	1752	firefox.exe	85
PID 1752 wrote to memory of 2556	1752	firefox.exe	85
PID 1752 wrote to memory of 2556	1752	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\text.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 27361 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {823ae8d0-c2c7-42c5-bab6-e1af59a765fe} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" gpu
    3⤵
    PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 27239 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91b60bac-9e1e-42ec-bccf-a7d412a3451e} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" socket
    3⤵
    - Checks processor information in registry
    PID:2556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3456 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3248 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {953aae33-85ec-48cf-bc5f-3efd93780a58} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" tab
    3⤵
    PID:524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3928 -prefsLen 32613 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9df1ca4-7609-48b7-a9b5-667c9110f761} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" tab
    3⤵
    PID:4060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4760 -prefsLen 32613 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d46df95-3020-41f1-bac8-042d7293ca56} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" utility
    3⤵
    - Checks processor information in registry
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5456 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d967a6a6-2d00-4688-8339-22c7d67c705e} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" tab
    3⤵
    PID:1180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 4 -isForBrowser -prefsHandle 5460 -prefMapHandle 5724 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d85370e2-b237-438a-bc88-66707dac3480} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" tab
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5924 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5912 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b894fc1e-7504-4de1-aa6c-cc019df7921d} 1752 "\\.\pipe\gecko-crash-server-pipe.1752" tab
    3⤵
    PID:452
- - C:\Users\Admin\Downloads\config.exe
    "C:\Users\Admin\Downloads\config.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1896
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2032
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1628
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fff9233cc40,0x7fff9233cc4c,0x7fff9233cc58
        6⤵
        
        PID:4376
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2036 /prefetch:2
        6⤵
        
        PID:3800
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1900,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2348 /prefetch:3
        6⤵
        
        PID:4916
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2396 /prefetch:8
        6⤵
        
        PID:3188
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3228 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4824
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4924
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4616,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4596 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4976
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:8
        6⤵
        
        PID:4396
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4880 /prefetch:8
        6⤵
        
        PID:1316
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4628 /prefetch:8
        6⤵
        
        PID:3704
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,13170219820862530561,1534521581559086829,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4812 /prefetch:8
        6⤵
        
        PID:2888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:2440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7fff923446f8,0x7fff92344708,0x7fff92344718
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15440754689671290914,16436080622904121648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        6⤵
        
        PID:2420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15440754689671290914,16436080622904121648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15440754689671290914,16436080622904121648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
        6⤵
        
        PID:4296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,15440754689671290914,16436080622904121648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,15440754689671290914,16436080622904121648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,15440754689671290914,16436080622904121648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2140,15440754689671290914,16436080622904121648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\gln7y" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5372

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:112

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:3404

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2060

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:780

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4924

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
40a7fd2af012a0035df4439e84a91899

SHA1
bd0c6bec4e1bf2c0c84702b8505796975b75cc48

SHA256
d19928a212694cfa6674d5b9efa82707baabdca4242023343af8dc711b355326

SHA512
e68fe33f1ea0cb67d4f845724c860e70e032f1dbdf0685c7a2dd417b594f2c5c0959152a95904ce4f05eac03e31a88738f7a34de569769760dac21ae8722077d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a638da662a04aa6893433539d9b1f10

SHA1
cd372e802c08839330576af7edca8e3bacbdb0a0

SHA256
480bff41519fb5a7626d0ef564bf5d0c88377fe59040d9bc464382dc13d8574e

SHA512
503f11ea243d8cb3db5db239c577d1a27b199c818303ee5f4ca6e09d3d35d6d1c6fc76b97d3b79584df684c111e7b66486d9cd874d52879c35d575f273f61d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e03fc0ff83fdfa203efc0eb3d2b8ed35

SHA1
c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664

SHA256
08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe

SHA512
c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\aj20sixn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
904a48e9dc2c101314e462f4a5a5f088

SHA1
fc32c324afb7d6885753522c0bb2d1723bfac0a5

SHA256
0dd18169eb8b4e5d27d43d857c7721f00598a1a3b1ecb07a3b8830f8dd13028d

SHA512
8fa1efcc25a133cd866a20b390950636b12921b601d88fb8e24f58aa759ad4a36d26632f28409ecd49ee0966be6af9a77bddc100efd31ad66445945472f27528

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\aj20sixn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\AlternateServices.bin

Filesize
7KB

MD5
5311a6c92a6cb610ce024c13280c4c95

SHA1
476b3b47665eb4b08f49edc5c8825ce2cd355957

SHA256
fe5673f1c748a63ee0675314dd06b24deddf32a77638ece541382830311f2c6d

SHA512
7732e93317f3586dab8071c3c7c7c776b111a3773963cc31626876f40ca8df5e855813419f886c904866056bf7d4981f05c9b6d27428c255caf1092b7c14c928

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\AlternateServices.bin

Filesize
10KB

MD5
72c4e9e9988126408f5f37de4ef60721

SHA1
fe337bf61dda3db00775c3fd4bb87a5290e89fe4

SHA256
6ba84b9244e892dee35c0f1b7edb6d2478fb0e550bcef4e4ac689070ab6a3c16

SHA512
6f48acf8519365be991dc5a00e025cbf579d1b21d1aa01d2bb361b1248dbd0e897bdd9af0a5fda17c7e1af014391d5e02db7bbf0aafa0d1fcb176943c2bb8cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3a4eaa3a0163dd72ff7028b77e0a9541

SHA1
24e56682870f6a8b8bcbc322d47755236fb8cf67

SHA256
3f8575e5d6c4f92869b9850e41f3a0a10a0120dac510b3bb9e57a41f25c54e49

SHA512
1cc9066a83a06ca1a4de81d81907fed058b6b8ba21c0989711feccbddaedddae64a1440b08c2fe436de13f78c6daf8fc60762688c4c9fedfcc7ec5fe1f80a272

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2c76c4ac3cca063a5d17a1c7ae8cd8d2

SHA1
1a1979f26634e3af1cd61e1fc12a1ecf7a652e36

SHA256
336c2c18cb3a67f5474e2dd51c966525496cffbc0885c9a0c282b49606aab4de

SHA512
06d3f8498d6b16f9076f9aefed82656b6b9e1dd5789d63dfdb01027eb480b221f145f1b3a5d1628b4dc56d2d691e025d0910b1c4afd9055904ad091b2d206283

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
0264e67d446ad5981c9b1785affefc30

SHA1
db2c935dcc2c05c32ac7987f28c9b4902e509935

SHA256
522cc0b16de3f11031580c4669a149f1d94d900f061739d22ab85fd541f99e4c

SHA512
dd1c9ef48ee6833a33bf8c9cda957f32cd11b7c9fa38a20ea6f42917359c2063ee69074a0df013c796827b47c9863bfe071e6c6437602a7493ecbcde50bc9567

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\datareporting\glean\pending_pings\6b2ab96e-07df-4442-83ee-b1a6a52fc21a

Filesize
905B

MD5
0da284540909d002eb56b509f8b89189

SHA1
39c78446de2bec09a2761f319e3d040a53825c20

SHA256
c4f090066bbf871fa9931f45642e0d5424cc68004ba747c793764ffeed5d9e19

SHA512
fd3ac0ee0245e045b09d379ec5ea2dfe58b4c2faa9a99a3eae25dea5d505be812b739404eb0909aa8aa56099bc3209cae3420e0da87cf6774cdb6b81c3f65656

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\datareporting\glean\pending_pings\db76ac49-c4c2-4f16-a6a9-277afc53784d

Filesize
671B

MD5
8be82f5c2779b880aa8763db66ce2409

SHA1
fdb3675bcb01b254d9158fdb719005ca5871eefc

SHA256
d5e562d95f600cafaef896a429588d5ba17499d2ea2c8eca1506ad6e35141f49

SHA512
66e92a87f4eb86ddd0ba2f6ae0cf00aa9b860ea27d7e12a8933428cbf7c83ca7105c18dcd5edee6967ea570f5261f867dd194e8b4ede3360d56f90fbb736a8ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\datareporting\glean\pending_pings\dd947b4c-6cf2-4bc8-9bed-ccc687f44839

Filesize
27KB

MD5
40baeda22e0cfdbcf162e5b9dfc2abcc

SHA1
4aaace824322edd080b0072bbb6985b2fc6acbf9

SHA256
4817c9e34e7cf2f0006e621426b84d3d0089f7adad20978c9b5786138127bdef

SHA512
4641a5eece12a6c7164b8721e6772c0c44fe8c541e81941829fd29c974b4e9cd444cca2547f278670fdf0685e0b213d4da5a57268299fed6e4dc5f4a78be08e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\places.sqlite

Filesize
5.0MB

MD5
93b1776eba411cad44a1484fb7dcbd3b

SHA1
99edb4422251057c997d2fc24fe9dc2c413383a4

SHA256
6a3a4563ee2dd478c169746717c62b249824506f0b2321e54e17fe34a7fb1f85

SHA512
47c71d18efceb0a4e057c9756e571d20852af3f3d38c949b76b3e9fbe3520bd527fbbef976ea538d8bd61d662c3ec5a1ddf35f802744c48fa2be41a633f5cf24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\prefs-1.js

Filesize
9KB

MD5
61d7dac01235b430b58ff4b0283bfb68

SHA1
ce4e7a427b94f6cd1c8e4bc5d4140d0b94b75296

SHA256
d529934e4908ed09e7abe08413aebfc1cd24663150a2c90bb1d706cacb115b2d

SHA512
709936d6e74dc62733b63a4761cd8626a313b70207be8b0df7e00cab43d5f95431aabdc45b143c74186f0917f9350819e4c4c81c4d9a0dc3c6fea596597447bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\prefs-1.js

Filesize
10KB

MD5
2b4c4ad98c004791099c20fa48c601de

SHA1
59f7cfacce3ffb810e486fd7fd4338fc876af920

SHA256
57a7caaf24e7d9fe20d1d02cd1da2f1edec3931fc8fc633e59ea1cf1732c5482

SHA512
4c063b4cab377c9ff926f9e7b3f6d928a3d3640bb5a360752155e2bba7a304a84a2ee58306e1ac4b36867dfbff07187b1d4faf5076d8af1f25c05bccc227cad1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\prefs.js

Filesize
9KB

MD5
46e38cb202320b85dab8d537c6c3676a

SHA1
12afa6c9ac37c5322815a90fd96e73fe55abe391

SHA256
3e4d83ad605c1cde05b4bd363b60697580cbf6865605e01866f162a7657002c8

SHA512
dea4559b136781a396560e2c14fefa7abb8632f19cb49f81d50220e66d76abcb5194d768915b87f4cded086f3f796212b4a9069c0cd2187e2147a365e8f3e905

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\prefs.js

Filesize
11KB

MD5
466ad81a69cc835af280eeb4a7728bad

SHA1
9ac4f5cbcb9102aa9cfa659ac00f952023406ced

SHA256
f8785b44015b3c5f4609a4880095dcc88de89ffcb4b018e222ba0182c13320f3

SHA512
65a28d664f718079a3311171734b5124dfca817596a14b46abd3c55a57447c21abf10b2f785bd11f7385c116e9e2a4794422b0640d3e9584d2be242b255f1118

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\aj20sixn.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ac99f82f0ef31770304dbb8bd373911e

SHA1
5912f2e001911dd87fdda7dd41e9a6697ec74093

SHA256
6b3739e8724c7408de090d674e09a2ea76afae58bc331d2e00a11b83fb61269c

SHA512
92edc6b5956822c98a9202866eff4064e90de40d8902eac06917dcd3f3f80519c12b1cf2c968285245a1faf2f83db700ae6a87eab195d6c1142e214a6f7f0e6b

Download Submit
C:\Users\Admin\Downloads\config.nUD08cV-.exe.part

Filesize
5.2MB

MD5
fcdd5d8bbdd7e9c70b30904c37267bb2

SHA1
6c8c923851462e0c97b48b3826643eea441ed8b6

SHA256
d9b7cd71505bd423ba63c900c792c585314c44d9515cd2767f6c9826e8237979

SHA512
2ea5167cb7c6f4d87d2e3a595cdd40a2be9e24098841a40c64bf50db9e55f954ae7da0646d9ae10f4e833ba793a94fb304791445c8f9f78197e11ce04af012eb

Download Submit
memory/2032-725-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-672-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-667-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-632-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-669-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-670-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-671-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-727-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-673-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-674-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-675-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-676-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-630-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-728-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-724-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-726-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-668-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-631-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-629-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-729-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-622-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-731-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-732-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-733-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-734-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-735-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-618-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-738-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-737-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-617-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-740-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-741-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2032-742-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download