lumma | hxxps://github[.]com/valinet/ExplorerPatcher/releases/latest/download/ep_setup[.]exe

Resubmissions

11/03/2024, 19:32

240311-x871jacc31 10

11/03/2024, 19:26

240311-x5whbscb4v 10

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe

Score

10^/10

lumma stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000001e400-43.dat	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 955806.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4656	msedge.exe
4656	msedge.exe
4156	identity_helper.exe
4156	identity_helper.exe
5316	msedge.exe
5316	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5632	firefox.exe
Token: SeDebugPrivilege	5632	firefox.exe
Token: SeDebugPrivilege	5632	firefox.exe
Token: SeDebugPrivilege	5632	firefox.exe
Token: SeDebugPrivilege	5632	firefox.exe
Token: SeDebugPrivilege	5632	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
4656	msedge.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe
5632	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5632	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3452	4656	msedge.exe	88
PID 4656 wrote to memory of 3452	4656	msedge.exe	88
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4008	4656	msedge.exe	90
PID 4656 wrote to memory of 4772	4656	msedge.exe	91
PID 4656 wrote to memory of 4772	4656	msedge.exe	91
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92
PID 4656 wrote to memory of 3620	4656	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5cf146f8,0x7ffa5cf14708,0x7ffa5cf14718
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,15713993248255834643,10923259994339812395,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  PID:5332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5572
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.0.10898139\1834149889" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cad9524a-916c-4de9-b83e-51661382391c} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 1996 22d9f5dc258 gpu
    3⤵
    PID:5836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.1.915430943\1460311478" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d877dd55-8374-4e8c-ae81-fc0eacc0038e} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 2396 22d92a6f858 socket
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.2.615051497\594983101" -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 2976 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a13a0e23-3fbd-4b1a-8128-4a31d63f5233} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 3060 22d9f564058 tab
    3⤵
    PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.3.31771651\1501224747" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f58fce39-5194-43e5-a4b8-aa86e0c24d62} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 3588 22d92a65a58 tab
    3⤵
    PID:1488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.4.1812478190\550332458" -childID 3 -isForBrowser -prefsHandle 4304 -prefMapHandle 4268 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bea173ee-c4fb-4233-ae75-53b2457f14ac} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 1712 22da45a9058 tab
    3⤵
    PID:1572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.5.932436937\1865403305" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5108 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64cf0d7c-eb17-45af-999d-24ecf6f25555} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 5152 22da39d7158 tab
    3⤵
    PID:6480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.6.1516767873\655835322" -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fdff6f5-156d-4d6a-b067-b22d9a280fab} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 5300 22da572b858 tab
    3⤵
    PID:6488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.7.2036118105\1885421168" -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd15ebf6-12b0-43f5-a374-b097dce35d3d} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 5180 22da57a1a58 tab
    3⤵
    PID:6500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.8.682954125\845931698" -childID 7 -isForBrowser -prefsHandle 2844 -prefMapHandle 2828 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff0dad03-7414-46f1-b0f0-9c6412f18bde} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 2852 22da0c86858 tab
    3⤵
    PID:7096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.9.1431618348\1588179621" -childID 8 -isForBrowser -prefsHandle 6064 -prefMapHandle 6048 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66cf8fca-7729-4c07-8a7b-906bce380ab6} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 6076 22da3380558 tab
    3⤵
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5632.10.344936841\216736247" -childID 9 -isForBrowser -prefsHandle 6384 -prefMapHandle 6400 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1428 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03440f12-c3ef-42cb-a5a7-1d253d013663} 5632 "\\.\pipe\gecko-crash-server-pipe.5632" 6388 22da6c24258 tab
    3⤵
    PID:1292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
ee77ee0ddce6df6a4cf39b6d19ea6b4c

SHA1
d5407a3c365266b7a794e647bc17ed9e06b4389f

SHA256
79a078c39145a1dc1c27c15f05bb7a39bdaf7aec14fd85a2dcfd36b95a3f5b36

SHA512
1841689b05aab9ba73ac48bb390c148e92d218b07da6b89bbec900bcb84055fe2080115545933d495f6e8f2506497af930fbab1c68cf65ff080f2d5a61b30eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15fa7cbd2541f643ecd5047b8aaae83a

SHA1
c07d3e215c6d1debfeaf96eaf041e7d1e7333668

SHA256
907914af224879ea7d4ce987d71b7af08f408d8fd344214772e3371d02155f99

SHA512
3e10a9147bd4f2945597cbb43619812c61c3132156761d332b418c0ac8dd226ddd0dbaedf27c5b5dee401c0bf4ef780815c6419a11733bf7d32960fc872915b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c8ed35b84d59916645e7d5822ad2013

SHA1
0eb0925703981e3530c0c0d265ba21054d64b8b5

SHA256
df7f2a541d48e49a5220e5244b10dfbd4df8a2558fdde0eab201194b3353e1bb

SHA512
c3f7815551e7dc856767967f6852f8259ea969c658740136064e1c414f99c5dc504b6281e0ad79e528743c3c945bf9fc15af384e4b0a63f38b46c510ddc62951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72b8cb776fefbd33a0b9ad46cc7c57b4

SHA1
f2694a8972b43c4809b7dc1fe3372097dc888031

SHA256
fa5c333b7a50b6bb9e67ac3a53c740282edccc3fc47c6e079da21e22bf82263b

SHA512
7f962922c32144d229308719c900d17c162cf0e90d9056b27502e0cbf451ff41a558deae3cb3ea4ab3866251bc54781ce3b5d93bdba4da368ac44052e4263266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
215bddee0bb41b75994670a4dc38b40f

SHA1
39d2d00e73b00a37f80a8e22e2e1e69d4b9184b2

SHA256
cc987e9e4573fcabf7a8180fb74d620bb7563463145f8cda7add1238c9618932

SHA512
6b66d40318ba228bae04b0f92c62c155499771a1cec7564854f16b16e61fe5836cd6102fdb5066240a62e93ebe47abc9ca66b1d822c08e9cd545134ef2899142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a29530667ef592b2061a396a81963a6

SHA1
8d22ab3dbdf414428bf7cc1c9a7fae3fc72997e6

SHA256
838ed3b80e42826062a78c0e050de6b5f98a42079c7bd0928bc4193b408c2396

SHA512
3b108832074f8b8b095a40d951e25c0b61a8c38d03d53594480250d65e1c568640a1227bfb0bb2ddb43b81d3e2a5ea4fcf0105c1b0f08881cf72c0fa9b80ae43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd0d589af82e43cfb093723ab552cecc

SHA1
bbefe307e1041470c0a21213220cd13c2c64ee35

SHA256
f3fb8e68410cb88eef689e57b0da2e421bfb7793e63466a2c4d81731b78e7d82

SHA512
734c8eaac2af99f777ef32f5f9f2d1a078e69e157e87d0de9049f06d4e84507437231d0d1064a8e81a63fd9ece180ed9120d1229632a906e60526065ec8aa614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d443d6c9bce4481aa5871fe94fd11590

SHA1
7ecb246577dec6bee8d97594bf54d05b26ca87a3

SHA256
ca00a4d723e3aedaaef43d44c82f128f7ae4a7c2fcc6e90e1d2bddcf99ac5945

SHA512
9d077e0405a4e76fcda16316e46459865ba538fb8aa6ca6a068a4c3fb31a6bc29ac26747f2b101a512e0a93aafb4a6a8d94f4fc134466c3289803e86bbec2587

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\doomed\27745

Filesize
22KB

MD5
86436cee76f15ab7bcae20166c8c3280

SHA1
220aa2ce3e86e84cc20e1944c09ca0ff46216791

SHA256
82053f073b6e4645ba5b0b36e6b66cab9eadf13b219cf275daece738be7eb1f7

SHA512
396761ea27344d6aa92274de7b98f3680d84b921d94098744ea6978b149124e0938fb769a85193b8dd0e193da61857d32667bb5cb2ca71596d51b4d82aed7e4d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\entries\7D9ECE7F7E134C61FF817B648D5B925C1D9ADD4C

Filesize
203KB

MD5
4e092fa65e07550face41d6b4dfb840b

SHA1
8cff6564d2bc4df0b54858ccbc3fa4670f3d8750

SHA256
942807ff707c0f77eacb81170c29e59e82fbfe96879997e630c6c007c1205fd2

SHA512
cc8b271e876ba7c7a671f1b0578c43aebe521b6776b1f435bccc0d2c4369dda70541536cba6495b6d53ac5f8dfbb9f4ae3b658e532d7fed0f0ecbe58024ae7b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\jumpListCache\ciHnUTCEP4Hh7bWnXGJ2mg==.ico

Filesize
15KB

MD5
a3c1306e53848dce3a3c2fec6e1cdff2

SHA1
87f8463535c624202f9b6efe26e993b0b1f3157c

SHA256
d2d32f8573ccc7ad555d258c8362cfb0b699eb4b004f93dbeb171f3510df055f

SHA512
871e877c73990e372a7a41d9851e9dcf301efdc543696aa4dbc35b8a121e24b7fcdf76d426b5f90fa3a14253440697de01ffa0d82d417e5490560ce7d9740aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
60bf08835f3e90c33ff4641747733e0a

SHA1
d51ae078a98a4d051f97855e235d931306e4ab2e

SHA256
605cf8aab20e0b5619f0170ffea3c796ef0cab4a4dbb7e8dc4360f64b8fc7b63

SHA512
441048d7e6f0a07d5eb400373592eedf3f15d416c5898a70b7b3bd56c798df7a098276efa949726a4c04ba35a848ee8f3e4990ef2b69d87062cd3ce7063ec93d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
240ba8559eb2129c9de23ef68fb49e6d

SHA1
bc37cc5e3dbe368918d503e4304aa90006fd99d7

SHA256
b3fd0ee397e7e3214cf9076f4fc07e22ac7c89c1f15e3dbf2fdfb4f9e697b1ec

SHA512
ca97992adceb23b333c4c8fa57c28177fafe69a2472a774907a2119111c906f2b97552308c572e78abace3e1f7a61cf402f46010d8664f68b3554b2792aac7ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b0cd25f085dc61a8171c9698ca79031b

SHA1
7862df23a5f3fcabaab26c51abdef18aaaad84de

SHA256
420af63955f8bff6b3664b1546738e80c3be0a76532251803f74cda70ce6116f

SHA512
1c4fa25d9aa96d4b9e83fc686239af8b4ccd6c6e2854955dbc7aa98793857d019cb61c53f12ecc2cd2fc04e8172ac872cbe5526ee5aabac18693342586d9869f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\229fda8f-f507-4337-8f9e-04730009ace7

Filesize
746B

MD5
d273d931e8d1ff79343f2d26824e8d21

SHA1
972cdcf0b2e9e0ade5a1731bdd2df8cd16453bbf

SHA256
4505d6d4850bf10ea0edf5e3bb5f98ac10060bfb511fb03183bfd0530eada0ab

SHA512
c7645b495e4fca1846b7c99431540e98ebe0669830e4d3a2f48ad848659b0f91a2062b855c6302b19aa6bad99871973bf33e18f74a03fccb8183b70a4d55eefd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\6d88e9a7-ae0b-4053-b5a1-0d4ea717b5ff

Filesize
10KB

MD5
7b5d8c6276cf8ba948ac242db7527a99

SHA1
958bd80df2c22285f98009c3f3bba0cd1ade14f7

SHA256
43a5d7e0bd724fbdfc049c49bdbdb419db3ce4e3da101d351f0b08fc388cae10

SHA512
40b9037f27cedc9712aafda5d4377f6f49602585ae815eba1976981b5c7813c3a9f9656f92b6559d50885d41abc3fed3c9b68e154b992157a27afd04f3d7a903

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
ea0a555bb3f462267ea6575e6e8762dc

SHA1
71617fceb77b2868c8f3c3fb9a630f1d800448c3

SHA256
b70b0ee8adb7bdeed99496350b6aec0ec30cd49cc6985d155ec8a3ab866aada9

SHA512
a3bada4a5c5b28d38584df39afa8bfdbfae68904dbafd0577f55a0ba07af020aa55718b0917f288ff4e2e35efc61f1c336b89a8e309a3db8c70f8de388b6fdcc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
cc39315dec0d786d1aa4e518408e53ce

SHA1
66fcb4cbfafb40137134a8b09500f91e27082c7b

SHA256
55b7b471396f45089e91351b192cda560958b24faa362190e1c06ef3c33f904d

SHA512
c7b4a7c9afdc2ff789e31d0fc11bc28cfd06c267c90f196bb970e3d9d52f915094fc70fbaa0589ccb680564246eca3036c5df404b07b97b04ae2cce294b9d69f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
7KB

MD5
d73b5d69bb06ab71088ee192674eba5a

SHA1
4c03769b7da2a6960a7d936385e384a3e4d66dc1

SHA256
e4d6eff3e31041d3e41ba58255b36d2bb2923bd78d94aa08be21ea9accfabc85

SHA512
8dea9d5cf7c3d0e9a5cb23a567268fc17f7a76628964a59a3de00d569da9559f06122182b9816582f32b73e7ec115f95ee3b940a6f067429e17ce4ea7a11856e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
95f8e5b1cf9214df6b2d7c46fd126933

SHA1
5de327d215d1d29ffae5832efb0bbf2ce868266e

SHA256
134c32a867a715c958dcd8532015f374c52dc1bffec1535d080b59fe8d67bbee

SHA512
ae2a83c97788dd16e62d4885d2a208bedb789e343a187443fa7cd6f31ec88e24b0248165b15e4271b78d78f00ba620a6f4f6740629c8c016c302de8d30ec2830

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

Filesize
6KB

MD5
70fe86bc58e0e72a21ad9f2ec0917a45

SHA1
a3fbeed6762aac775a1d525446c46abce2fcbcca

SHA256
a79893302e1b429b420f394b5ec5959bc0c63a211a1a70c3749da73c55f69d35

SHA512
2ba4995bdafc8187426daccf30e50a5def1d6d42bd695979eebbab7fe0a67a2f93752bd0d36c81fd921ba71065385b8c93115ea045b43016a70f64f06e6ef8ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c941087201e58d5225497b7a266c7c8d

SHA1
ce5fd6dafa067f67a8085f5482babf75e9c26a01

SHA256
dcba787d1952a7a9dcabb3c8a31afaf5900c8bf30425ebcd0c012a3e0c0f7234

SHA512
9baee0bc201186daa43b6c940e7fc6a7d1faedc88e4c70fd451a4ba273cc7b1ec0323753fce89bb54cbfed165ac69b896cdc11982b420534441bda23cf7a68db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
2ea7f621862abc47b37dad0e72d42855

SHA1
d2137f593745544795c5dde3cec6c3954e3bdec3

SHA256
fa91a56dfc0cb27a9afda4a7647ce0d0e541e66b405b3418f8f21d9ff490a971

SHA512
774c413a4f1218bad0a72b0ada9aa4b8def85d2d4decb71121aa9d1a5dd7bf135373cfb863bc2a29dac6451ad9ea0d46f7e28787e66c4bb1a5d4f4e7bae0c567

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
63f325139a94d694f50f18fa8d9fc88b

SHA1
6d0cdd1c956428c0c29fc574422eaf9f83de6c79

SHA256
91e75bbef58003c86f0800c28ee274da39ca71ad305f0e4c9ca1e7d4987c1266

SHA512
9d2c4da2496bf28301b350e5e57e4c900027affbbfc52a27832a4499d70348972237421a3234f825005c90004115994d1ec47f7e0faf6f8317f4f3c5c90f9a1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
8f5396c3ddab1ef8bdfc307b629623af

SHA1
646a28dae77a07bc3bba68c67274d26359d50807

SHA256
c117b6c8eb1637d88ff0282329988d01de63a67a7a395ff3d72ef3b184044435

SHA512
80204b26f196e07a5bbb739ba4c5d408f2b014d5a237890849ebb58d04e68ae8e86061700ca0263268fa251aae6fd7a234a8b0d07050f9ebd0694b2f22fb7ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
98fbda68280eb7fb53c93365f167de2d

SHA1
444206bf0a4b6c9070f509fb5bd50b7120166342

SHA256
bcb4e89d7645c74ab04c53fa88985ae37111107e81b47391192a552c0ee46e12

SHA512
af19f1088da87dc52f5b5c0cfab4fb8149c9f2897b9345d66fb4422ee513a98d53e0daa98baee3884e05a5af022ab19d6062196d00d6827f318bced73bf4a35e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
9ca04bd4301b36ab153c3b9e957d3967

SHA1
8b9aa55093bc145f1718e83fcb2109e1f9a1fcf4

SHA256
af5317fb84026d7aa8cdc565f36bba905dd0edc962d6bb1e60ea4ae6defb329b

SHA512
8efc03c71678c766ac31398ba1ea6fd4a0a85207155ac63414e3e959f060c5c259d755050f568564c3df19c47f8e76595cbdb9d59d8246b7c9ea0c551be0d2ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
e217f70cf7567a55bc2829be7d452a1c

SHA1
bffd6c8fda54c9d846db249f0c66aa472194b2fe

SHA256
5c22fb058fcd9b1134a85475da0884f9846383e556bc304191c05158a8f0772d

SHA512
16012802062ccd7300f277c147f9cffd03053b346cc00488228037e815af4abfef3d07f167ed774197fc12b77dcad25ffe1c172c46670cd3b4c1bf83638a9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
be1f3e3065fe246c80e4ac6672145e6d

SHA1
125b5be748ff3ef8c06a0a40a3952a448c239991

SHA256
a6344887fa1e25d951a4bafb64a10e1bd1d0de8f1ced686b376ad451ab009be1

SHA512
e046c7cb1414cd33b4ecbebe04fc18b641cbff3355b8f039736e982b27a59842e1f5790b833d090d0b09052286c86eabda124ed70f652fab2523ff7cf39aef1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
925c02d48c4613d01623ddbd56baaa92

SHA1
f7e49d485962119f9f54c8e7251e607eac30a203

SHA256
8017cc384407e582700966ba45eeb9dd7f14bd66709b4b59f68d233af0dd7c01

SHA512
6a0fb70d133748fa8a7797a185f72804271fa6aad347f9d0bef7321456263645d76ac103f0270cc3eca4bc20d6cb4dddda74d59dadc957d1bfca7a45d38600ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
f8ff6bf6304abf9967e11842a6439d46

SHA1
df5d0ad12a8bd030802dd971d8f319628aecd473

SHA256
393cf4caa1c9ab3a9949286577ab03bf2b896d8a19624c2d2bd0130fd532072d

SHA512
d6bbf35a59409ce346a862433c0fa63f2fa2c679fd0e7b29f7b7a2e1f14b3380dfc73de86b22d16b48a6b3b434ce9f208398a5f5755958d258ef838984402d9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\storage\default\https+++www.virustotal.com\cache\morgue\213\{be13214c-fd62-4aaa-80d3-eb4fcf4645d5}.final

Filesize
47KB

MD5
0d1a7f5503bd4bfbdb0b16e6666bc650

SHA1
4465c8bfe03e7840ebc1f0c2098471f1065dc2a8

SHA256
d8145ba6dc19150853c958763c3432a903fd5c2dd056f823d19f4e803daa4426

SHA512
8185fff9eadf34128a42c1a7c392a58dad6a7dd4b1b9b015e91849d8068dff0992b6fb09c4033b2fcb425c942f0554d4fbbc416429d3d4c2dc1bf678137cdb89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\targeting.snapshot.json

Filesize
3KB

MD5
14942a4e58117c6bb9a2ae555e248e2d

SHA1
c5b66aabff7fb1fc40988147e4a9559c048e94bb

SHA256
d01ac85aead8aedc4a6f6c6429f47552f2fab9a310e22da612aa58e9f77145f5

SHA512
5b5fd8bd96d8dca68f9caf99c35080eb7f41217eba28ad40b66df09665ae1f3bd8eb8743509362c79db343b736aad395f753482bafea9ac8dc6b17822a895477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\xulstore.json

Filesize
140B

MD5
160ae2ebe63a474a1b759711dbb0cf38

SHA1
b83392ff8f4847f64e421c036473b205bb44c5b7

SHA256
914d28001561eb4f892e78157b09e842631e665af4f3b113c6f1288ab220f83f

SHA512
1f0d3634723704ba9b1eeb478de043e1eeb58e4dae3b72aee879b11ea6189d39a9b9bb25115ccad605760ff01850dcf651587078e91b4c1495e13f1fa3d8df5f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 955806.crdownload

Filesize
2.3MB

MD5
7ea3f1aacb347b9acd4a536197330eaa

SHA1
beab07dde096910d7214d82dc12f383df1fa399c

SHA256
e44790e25db09d1fdcaa1b4a8e868a31d646a260c9df4923aea7be8efa0d8e1d

SHA512
cf1f53481b6b9f723e6832f027dd496ba1e9bad3bd797ab8626f0d84a17a0e115d717d3d0915954044867b5eabb20936cba1c44afe5ae23c8d75fc1dcc963493

Download Submit