hxxp://185[.]215[.]113[.]66/npp[.]exe

Resubmissions

31-05-2024 02:35

240531-c2575sdc55 10

28-04-2024 02:14

28-04-2024 02:13

28-04-2024 02:12

26-04-2024 00:04

26-04-2024 00:01

25-04-2024 23:58

25-04-2024 23:54

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.215.113.66/npp.exe

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

123122086.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" 123122086.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	123122086.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2953417835.exe123122086.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	123122086.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

npp(1).exe123122086.exe194826353.exe2953417835.exe1094426772.exenpp.exe3017817744.exe426218068.exe3591211381.exe

pid	process
2060	npp(1).exe
240	123122086.exe
1100	194826353.exe
1788	2953417835.exe
2240	1094426772.exe
1132	npp.exe
552	3017817744.exe
2996	426218068.exe
1108	3591211381.exe

Loads dropped DLL 10 IoCs

Processes:

npp(1).exe123122086.exe2953417835.exenpp.exe

pid	process
2060	npp(1).exe
2060	npp(1).exe
240	123122086.exe
240	123122086.exe
240	123122086.exe
1788	2953417835.exe
1788	2953417835.exe
1132	npp.exe
1132	npp.exe
1788	2953417835.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

123122086.exe2953417835.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	123122086.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2953417835.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	123122086.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

123122086.exe2953417835.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvratrel.exe"	123122086.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvratrel.exe"	123122086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winploravr.exe"	2953417835.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winploravr.exe"	2953417835.exe

Drops file in Windows directory 4 IoCs

Processes:

2953417835.exe123122086.exe

description	ioc	process
File created	C:\Windows\winploravr.exe	2953417835.exe
File opened for modification	C:\Windows\winploravr.exe	2953417835.exe
File created	C:\Windows\sysvratrel.exe	123122086.exe
File opened for modification	C:\Windows\sysvratrel.exe	123122086.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\npp.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\npp(1).exe:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2268	firefox.exe
Token: SeDebugPrivilege	2268	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe
Token: SeDebugPrivilege	1548	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

firefox.exefirefox.exe

pid process

2268 firefox.exe
2268 firefox.exe
2268 firefox.exe
2268 firefox.exe
1548 firefox.exe
1548 firefox.exe
1548 firefox.exe
1548 firefox.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

firefox.exefirefox.exe

pid process

2268 firefox.exe
2268 firefox.exe
2268 firefox.exe
1548 firefox.exe
1548 firefox.exe
1548 firefox.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

firefox.exe

pid process

1548 firefox.exe
1548 firefox.exe
1548 firefox.exe

pid	process
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
1548	firefox.exe
1548	firefox.exe
1548	firefox.exe
1548	firefox.exe

pid	process
2268	firefox.exe
2268	firefox.exe
2268	firefox.exe
1548	firefox.exe
1548	firefox.exe
1548	firefox.exe

pid	process
1548	firefox.exe
1548	firefox.exe
1548	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2772 wrote to memory of 2268	2772	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2800	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2800	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2800	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 2604	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 3024	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 3024	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 3024	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 3024	2268	firefox.exe	firefox.exe
PID 2268 wrote to memory of 3024	2268	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://185.215.113.66/npp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://185.215.113.66/npp.exe
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2268.0.1394515198\856848670" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae3b1f06-28ca-4b27-9856-f77ff379ece4} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" 1288 f7d7c58 gpu
3⤵
PID:2800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2268.1.1253830190\1667944262" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {993fb294-807b-474f-a076-8a6d05b4821e} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" 1504 e6f858 socket
3⤵
- Checks processor information in registry
PID:2604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2268.2.1190358021\1286260181" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2c4f676-e467-485c-8dcd-5518acb21d86} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" 2124 19cb1f58 tab
3⤵
PID:3024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2268.3.1967158563\1383770000" -childID 2 -isForBrowser -prefsHandle 2832 -prefMapHandle 2828 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ae5da7b-26de-4617-997c-89a15859c8bb} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" 2844 e62e58 tab
3⤵
PID:2736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2268.4.303599121\751804625" -childID 3 -isForBrowser -prefsHandle 3608 -prefMapHandle 3600 -prefsLen 26345 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {350335e9-e6db-4f1d-91ce-269683ae0fbd} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" 3604 17b7e558 tab
3⤵
PID:1196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2268.5.1277420718\1939184035" -childID 4 -isForBrowser -prefsHandle 1908 -prefMapHandle 3300 -prefsLen 26345 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f30c5e79-00b5-4612-af6a-3227b43feb96} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" 3580 1c485a58 tab
3⤵
PID:2328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2268.6.164890949\154630932" -childID 5 -isForBrowser -prefsHandle 3984 -prefMapHandle 3940 -prefsLen 26345 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4f6ef8f-b191-4c70-b1ea-69aad9fd354e} 2268 "\\.\pipe\gecko-crash-server-pipe.2268" 3976 e6e858 tab
3⤵
PID:2036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.0.277610534\263280204" -parentBuildID 20221007134813 -prefsHandle 1084 -prefMapHandle 1076 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c287403a-b1df-482d-abb2-643135c7029d} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1208 43edd58 gpu
5⤵
PID:1984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.1.501298126\740834854" -parentBuildID 20221007134813 -prefsHandle 1328 -prefMapHandle 1324 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42dff090-a35b-4dcc-bce3-b203cd6e9244} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1340 10070e58 socket
5⤵
PID:2812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.2.361539618\611778746" -childID 1 -isForBrowser -prefsHandle 2328 -prefMapHandle 2360 -prefsLen 23737 -prefMapSize 230321 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6a7ef0f-9e9f-43b5-87ac-d9886c0ea4a0} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2316 1b1ef258 tab
5⤵
PID:2256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.3.130999626\1169091983" -childID 2 -isForBrowser -prefsHandle 2688 -prefMapHandle 2684 -prefsLen 23844 -prefMapSize 230321 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b314776e-02ff-4aa4-82ca-918664938257} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2700 d6bb58 tab
5⤵
PID:2728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.4.1689274433\331637071" -childID 3 -isForBrowser -prefsHandle 2864 -prefMapHandle 2868 -prefsLen 24927 -prefMapSize 230321 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bba43c8-8920-4a01-8f62-3b1f694e034d} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2852 1c973358 tab
5⤵
PID:2948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.5.225413469\1605625678" -parentBuildID 20221007134813 -prefsHandle 3184 -prefMapHandle 3180 -prefsLen 25860 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86c61c4b-bbeb-492a-9985-e88263d8af58} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3216 1efbef58 rdd
5⤵
PID:2824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.6.1409518402\496929162" -childID 4 -isForBrowser -prefsHandle 3656 -prefMapHandle 3652 -prefsLen 31668 -prefMapSize 230321 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6e63976-40b4-4298-b5e9-dce8328a1e1b} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3684 1d850b58 tab
5⤵
PID:1840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.7.149498879\1537935044" -childID 5 -isForBrowser -prefsHandle 3604 -prefMapHandle 3636 -prefsLen 31668 -prefMapSize 230321 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d728e28c-d1c7-43c0-9df5-c680fc9b2463} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3744 1f937b58 tab
5⤵
PID:2220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.8.20544996\2101193425" -childID 6 -isForBrowser -prefsHandle 2672 -prefMapHandle 3596 -prefsLen 32013 -prefMapSize 230321 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45aabb02-ab14-4282-a75c-85c85648501f} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2496 d5f558 tab
5⤵
PID:2404

C:\Users\Admin\Downloads\npp(1).exe
"C:\Users\Admin\Downloads\npp(1).exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060

C:\Users\Admin\AppData\Local\Temp\123122086.exe
C:\Users\Admin\AppData\Local\Temp\123122086.exe
6⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:240

C:\Users\Admin\AppData\Local\Temp\194826353.exe
C:\Users\Admin\AppData\Local\Temp\194826353.exe
7⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\2953417835.exe
C:\Users\Admin\AppData\Local\Temp\2953417835.exe
7⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:1788

C:\Users\Admin\AppData\Local\Temp\1094426772.exe
C:\Users\Admin\AppData\Local\Temp\1094426772.exe
8⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\AppData\Local\Temp\3017817744.exe
C:\Users\Admin\AppData\Local\Temp\3017817744.exe
8⤵
- Executes dropped EXE
PID:552

C:\Users\Admin\AppData\Local\Temp\3591211381.exe
C:\Users\Admin\AppData\Local\Temp\3591211381.exe
8⤵
- Executes dropped EXE
PID:1108

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3064

C:\Users\Admin\Downloads\npp.exe
"C:\Users\Admin\Downloads\npp.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132

C:\Users\Admin\AppData\Local\Temp\426218068.exe
C:\Users\Admin\AppData\Local\Temp\426218068.exe
2⤵
- Executes dropped EXE
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\_3[1]
Filesize
8KB

MD5
6eacd33bee969b1ca75e7255804819e4

SHA1
b89d21fe64f2a36f2022fe905a072bdfe432f392

SHA256
b0cd888ec409d1c25055a7f1e9ca5f65309f782557844d245da2b4637f17f41b

SHA512
1c126fdcef507f0bfaf4b5dd74594a0be26422cceaea399bf0e411a86157ba8811e8eb4215a0a0a21e55e6b13fc275d62cece9f22cb89dbe4d9cc9638209e674

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\activity-stream.discovery_stream.json.tmp
Filesize
23KB

MD5
a3b87e15d8d68cc1ea7a2b9191c128bc

SHA1
8c7b52a6c46a69b561c18bc08999a78b013143a7

SHA256
2fdb81a9637f9511eb55a121465613dfd4ab923e928efb37182b06f915d74c5e

SHA512
4136548639cb99beaee6a2eeea475b8fa35ae67de4c86985c8f4f9e8549f09fad12525817d89445d3566f5255863ae492d8bef0a597ac31d7b2d1ff04e8cff1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\cache2\entries\144AAEFC7E5A8A3AF5AB930E963C637B3B56B360
Filesize
100B

MD5
060410fb86a80c6496b369b038d0a1df

SHA1
9260ad597afb7b86381ca9cbc0efabe5cf874887

SHA256
65b97dd1a9ed103e83a196f2707f280c0199aad76a874bbcd8553bf0fbf081e2

SHA512
b5621140f29853e56356e934eba8cc21b037221ee4e6f9eebc8765a826c77151caf2aa93a5b585d6b535243fa815af8de0248731e06fd928b1eb7d5366f02a69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495
Filesize
9KB

MD5
66f0390c1eabd688d8e103af10327bac

SHA1
8eae1edcb9dbeb4b8b7afaa869b2b8c2db56ee11

SHA256
2a2d56d9d10c59c51e425688b10c14089f43f659a405319bb59c0accee0ac443

SHA512
35a55254b5d59f308fa7627129aa0d7c1ff484628f5fb2f3a7189efe9f214b7c762b777f9fce3ac0a1e8cb74363acc14be237a02ac984e1c210ec16244bb32ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD
Filesize
13KB

MD5
f83db8a047834af8aee082b4541e8346

SHA1
2a1371c4d85b84daa9bb4eb2fbb2650e01cc4c13

SHA256
86b5fa2dcdda3400e5418aa6a3472d117c0778354511c34af9ba7a149e49ea78

SHA512
f16d3eafe7ca305de4177707f15d48bf698cd7b6d120d696626aa2d70b8f74481a3756503bf8e19c8c07850a369f5fdba27d1e1f3fe15ba8e20d1bfc0639bb5a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize
11KB

MD5
aa317c23f6a5eca2dce0578e7b788773

SHA1
6e3a351d48694ae2e1afa5e9def27c3b4c70e801

SHA256
f41e56be459fac788615b45b4e06cfd4fd625eb5c7fe42f0ed877ddccfde65bd

SHA512
d6d2e0e7ecdb64769884d4c5df7903f24d54f39ac0cc4ff9ee569535151a8b1d25f05d3725c4bca4d6096c3cb5c184b1c9d2986386fa52ad46890f4918afdfa4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\startupCache\scriptCache-child.bin
Filesize
489KB

MD5
c994779fd7700932655bf40a083077da

SHA1
3b4631093eacc39f228f529cf4220ee4ac95e32f

SHA256
56a3c8ab0fb9a192ab872167ed527a7d30c9621b074de175a3a81bc64cf3790f

SHA512
58638bd02889f20935e660e30276f549a63c77f9cad36d29198b3e228c5cc65b41996077f148da5669e331b312a4b0b9d4df9ea1e5efeeaa6f8a82094a2b6871

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\startupCache\scriptCache.bin
Filesize
7.8MB

MD5
9f6cf6af8b2d7c1fab15547a1f55f5b2

SHA1
50c4d66590a4c5e34b98662fecd007b635b8f429

SHA256
9f7039fde6ca868a2af7e2de337276120e123081744527074a2d315c9b463fe6

SHA512
b89b5984ac6a145d7bd647ff81e01e7dda57abbe372126b6b16f9acf0b5d60919eb0e8a3ff300367649dea112a888ed4995c073f1c4802d5f07a2bb0e317699b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\startupCache\urlCache.bin
Filesize
2KB

MD5
5ccefc6af495fa3ec0fb96c3d13960a9

SHA1
456e980ad8e8e197b632baefc5d136b74b4f923d

SHA256
37bcfe44b76e3fc6064d3cbc9cf17e291b20864371d190e9d4b7d66215a9f0ce

SHA512
6e90a5bb4df2aff969cb92f39bf999cad651c3a18da0c30fabe20dfcb8df18f548880d56fb4b869478bc013dd5d96507423b1d789b2607ade7f8e16ae9647a4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\containers.json
Filesize
939B

MD5
94a3843fad8c45c48b0e07342df3dfdc

SHA1
d55b650208bda884d573afebd90830a3f4d7c201

SHA256
854ff2076f71097b030c302a1ea71d8e851d2920b9ff5fc8dc8f16c91ba95b72

SHA512
4d2a6b2a223ad81bb97195abb27685cf88453caf5769de154b373486d5245f02e0c0f664281d8e3bb33bfcdf1d6f7b3d9602303864d4e56481382adcb0b932db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
9d77bf7981a893717d08a12778a1d1d8

SHA1
9f1e642003758588445a569ebed5a491f76ffce9

SHA256
48eebb31259b322528401a2cd6af064925cd9c6a603971f6a6b56c610891ec33

SHA512
3f2fa246f1c71b1beda33525959714541be4401aa5c2ba3fee5ac63fa50c5870496c3bba853f34598270bfecfb802d0bb0b3a8d85e67126b0b5b0d3609da9155

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\datareporting\glean\pending_pings\0e1a5fd4-72f2-48d8-8d5c-a4e223fdfd95
Filesize
655B

MD5
edd760ba07b497858a8fe412ee3bede7

SHA1
78a3f408ef463bbd7d56cd3954f047f832874758

SHA256
ae5c20ab4ce099e29ea999325f4aa3e651af4bd02a878093fa6173b3e4195309

SHA512
ba586d9a6daccf2ddbbec396a2f7013504eb55be16f92f8cdf6492b91cdff6107059d5ef4abfa7a9bf40b370a64e8991625674b9eb9f2363b943c56d47e415cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\datareporting\glean\pending_pings\ab77868b-92fb-4e1e-a98b-c99d1ee5cf2a
Filesize
586B

MD5
3c2ca0c90e8cd2a1b0537f4fe46d377a

SHA1
cc774d4f813d507f9ec1b07df2e5968aa5b51df3

SHA256
6137556b977cd8b8d11fff74d8fc226936e312e6a6584f5935a33b42b79c10f8

SHA512
28250a44f39ac622b7867c3689a8b31a5e50c8ad9dbafcb406e2368d89ab6f205f4979eaec354891c464868892ec1d4e2d381701f909af8d9a8fa19cfe51c890

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\extensions.json.tmp
Filesize
36KB

MD5
eccb93a6136744efd62453fd152de4d1

SHA1
49d0e1c283666822ac6223a1a527a60ee951a932

SHA256
9d88836f328bd896824e7445de50e2e428dbf418db72cd05a3be27ae20b08d2f

SHA512
94711b16ab76f2181404b81b33749dba63bb61bfd47cba0e5dc76a5f615c78e9698adb51ce0c9d6f4968a586664090d94d3116ae212ef3f86b6b11ced91dac70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\handlers.json
Filesize
410B

MD5
e7a65c5ead519a7b802f991353c26d3d

SHA1
34cc3c1cf9bd4912dba5fa422010934e46419fa3

SHA256
0e5ce92485da953757f615bad034a43032b220da18f8165dd85347851b56b2d2

SHA512
2a6034449ba6f5da8a77870ae665064047cea2460aeb4c8c0b62b308a403fdd30648150209aecc31ab1e50b6d9d94a1f51d3d7d50bbf35ec1b742bff2dbe788d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\prefs-1.js
Filesize
6KB

MD5
fdab69d551968e175bbb716ac5de7c5f

SHA1
c62557e2705017fb9342d8fe8a37cef92a05ef14

SHA256
44df1a83b0ae139f7963ca537c6e45d9d20fa73a63ca717a152f51084d811e66

SHA512
1f0612ba1dd0879aa7270b98b4431851e7bf62418efa3e1aa27393b1588d7bd2ce15fbfcc38642d0eedf07ceb74fead6fc53024bbc93cb29fae97ca84f62684f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\prefs-1.js
Filesize
6KB

MD5
e357b799230923729cb2d74fc6acc81b

SHA1
e7888bfb55ad529ae5147f7d316e78efd6d67af1

SHA256
2b63ba641536febf0966498ff2ad1fb9acb3bb4ec818de5849e6b71ce0ad978c

SHA512
547761f1d601af4744fc22b1889e4fd3fb124565bef4641f85c667370e35bca6149e42c862a48a5ba93d486b645d561ae2c7c7fd6e229870d319ffb526293fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\prefs.js
Filesize
3KB

MD5
ec0df01c2d8f083aa9cfd3264bf4cd4c

SHA1
ae21e1fc26505ec8dd6b61fc17e37fb4785715dd

SHA256
7b8ae79af6249c651930367a0995d6c33ed271283119f072bc8a6add385680f2

SHA512
8e0f0b2cff54be325247c581dc6febe0f561ecd72c42bf398096d88362835c6ec3aa898897486651e9d8f0af77ac89c74e183f7232698172cd036200c01d293b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\search.json.mozlz4
Filesize
280B

MD5
41d220d4783f67d2b57beec20c135229

SHA1
6e97765e77920b6010fac2cb4abf1e3cea106541

SHA256
5d1881e74d76b95bad59439bb5c7676258a4ae6b6d853074e93b5247cf1715dc

SHA512
dc30ddc4c8cfe598de5e24bc88cebbe4256fbb21a0b1db6c2ec15311053e7d8be6a93a0bcfcfd8a02543f8b9cf9b15a5840154b272a2df71d59d7dfd80984ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\sessionCheckpoints.json
Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\sessionCheckpoints.json.tmp
Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\sessionCheckpoints.json.tmp
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\sessionstore-backups\recovery.jsonlz4
Filesize
876B

MD5
30caa57fac3509a1f13fcdc81100de3d

SHA1
c619f271073e6863d60407c6ea879a4a82acd2dc

SHA256
5eba1aecbc0ed1df65ae0144c7d16d6c40150b9f6139764a5b20a03140c07c13

SHA512
572aef472905d0d697d8d97a639a948290f6f7f45af854fedf3027f1d9550a89630ce69be6be421d327fc909549d7aa4aec324e9e2cb9567872a15294a3a5077

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\sessionstore-backups\recovery.jsonlz4
Filesize
683B

MD5
0b7a2bedbf9053e5d83604cccbe8e32e

SHA1
a52f44af86a1b5c2d038b6afaa4ffd127df56d18

SHA256
95efc6198577f16cdc3577fdf2e56bc40b15d82b20328373560621ce640f64e3

SHA512
45594a8fbc6ae4e4d52d3faf3b721d24b19eb29730c9c9d690f77a1f669c293924eeb06ff280986704c729b51ba958396ae38cd6af2c09ec93f045699b3bd595

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\sessionstore-backups\recovery.jsonlz4
Filesize
884B

MD5
a3359f7b87a336bc47eab9822735a176

SHA1
59e80cfba1411e3a138e828c7210e4bcc05c62b0

SHA256
30ba2bb79c6efb5482c3bdd8fe80b337fbd481c1a2d11a537a8516f823c01ad9

SHA512
5977bc4460b8936084afc25f89104ee53ba87d79e8965b77ff9257d60329f6119c00b5104b8dd4c57e75f14158096657d79ecd2e73f74f2756ed17006d9bb460

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\sessionstore.jsonlz4
Filesize
250B

MD5
a53b8e7e4b8ef9e1ee7116ec98318330

SHA1
42c89592e91cc75fa448f9de8b34e2d0f1fab585

SHA256
b59bc3fd939b2eb8761d400cb469e68c43f4c078d41fb5779e54989df9b35351

SHA512
4b86e322fe73dd8b5fb81337e0137c6c7077d8670bd9ed91960130e92d5fb6316ecb3d1b2bc27172e89fe0d3240be2774014b9ed932c4b48d6feed18eb13e39f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0f1x4dsu.default-release-1714089312765\shield-preference-experiments.json
Filesize
18B

MD5
285cdefb3f582c224291f7a2530f3c4e

SHA1
f816c3e87aa007b6e6d31eb6a4618695a7d83439

SHA256
704d28223a4320a853df4a19d48c7015cf79d56a5317cc3475b6305fa43dcc05

SHA512
8f1decf1e4b5755fce8f165daae115f45d6890985c9c4bbb33a6f724cbfd26db75f6da06f9ef675de20fe755da9b7f55e5ee37124296a12a520a393da159bd58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\AlternateServices.txt
Filesize
163B

MD5
412085e062d7360c6b51ee4b5ce0eb70

SHA1
25d8e2e2f4cd985246d6335e62a9578151dd6973

SHA256
d6b8209fad0bd5fa8457cb5ac1701c678900fa98f0427f886bda67346239da60

SHA512
eaf5075e616a0a2eed116304885546917b3c5a79e3cfd2c37330639be66c08885c458d18e8bbfcec11ef5e570202ee9e2f8359e02a9a3b1a694c096f8d4c37bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\SiteSecurityServiceState.txt
Filesize
324B

MD5
544de4fc3c36ee293e767508d0b7f7bf

SHA1
faa3bde99871b7d39ba3bdda1a84e260b6278582

SHA256
442123515fbc17de3a76607658fcc6e5820bfd37e8d5f6715dddb9fbf8858a54

SHA512
602407cd58537818edb43784d93d9554f937e7d07a0518621d6601cdb9912c2c5944068d3321b4f113b9be77034aa3e4cad689566d77745edebf406bf2588ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\addonStartup.json.lz4
Filesize
5KB

MD5
7d3f25d62d6b121dc644c5c8b346b369

SHA1
aa24e0b255cab692486d95f6938dcf746f0af2d1

SHA256
32874cc791c3d75056e14318126e5a828865ae445816b6d2fd5bfe71e40d47a9

SHA512
a8fac8f408e7479d4243ac1a48cb012ae4eff4f372f3cf5850be5d73c337a6eb2817ed816ca90b7048be831e7fd16e9842d546604a036cc3e5a41a3bfc55a6d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\db\data.safe.bin
Filesize
8KB

MD5
be97dd23f7e395296294c30768d53725

SHA1
2150144b053be0992c368e86c3d2e2530fe40d6f

SHA256
84dd50173382a3cb02d0f543e3308de9b35a6c1f113f18ed3fbc060100d81bf1

SHA512
49c65ecf9b3ba6ddc8048a430df5264f1bcc620228cedb8a0f434e2184349323a167f429987e017d8a2a35116241deeeaea00d50cbd7cd4822ba996d7107ebf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
3d78bf1dcce100be95163de48a7b843b

SHA1
f54884fb3e510506aaba10c3fdc4f317445e257a

SHA256
ffd9b01184663d634efd476c4cf03fd5c7208e3a2a4eca4bdd588634a9a38a51

SHA512
27c10a550abc89f9bd5f2bd76f2088b680b12f0a3aa9eece204702c50bf9afd7c75e6b8a06fffa190c3605d73d44f46ed57059d0d48e5f8a3fd4d885554d6685

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\d1c37519-f4fc-42cc-a2a8-2bef847bfa90
Filesize
745B

MD5
8896fa4a6e482b9214a540f72639ef00

SHA1
0779abeeeef819995cc975dadabb7e7dc2d2201d

SHA256
eac93f2a98645496e4d5fafa0bb33f6c63f120071195d9b93c4c0361be15d8a6

SHA512
4b8bffd674983ef061127a92d6512e5528ae78502079c6a2432f17a3f7beab664caf666c8b69c535ed0914dea8d0d9d24ffdc7da902cc9424d462290890c037f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\d6c88130-ce0c-4a1a-9a31-a2d5426269eb
Filesize
12KB

MD5
ab5a780c1d867c1c28b3d8b8bf3f2ca8

SHA1
9e73f89d4abccb17b20fe9189651743c06e79de5

SHA256
15cda7aec9123846483bb38144cd4b1ec9132063fd7cd563ef4a64de9922fd10

SHA512
ff9a35445924470d6e9ef507b5f55feb2a05ae59846f3e98521ca7fe02c5c07a94d5423be293e68458b31ed479be0aba5fa6b9ad4a518d6649c6d9eaf884bee4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\places.sqlite
Filesize
5.0MB

MD5
83695112647224dc31a756dc019784f9

SHA1
68fa87b61c7718be63c0b2eea412209ba1308787

SHA256
c0bc9069c5206f33d3dbeff9a2b5a22ddf5daab48846507e5f948244cf938ef6

SHA512
4dab7c0ac5982b8df5843f374ed6366e0904338a6efb80ee77cb90e16ae7968a7d7bcbaf002e66587bc251524b5b330f770f80daa320151cc712f04e75ddfcc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs-1.js
Filesize
6KB

MD5
efebc8d012ba2689961c73a577872056

SHA1
f2fa86ab33d7681d33ef382d4819a8066d1ae425

SHA256
ce0c841be1bc9d1a2f9288cc30046c55538658369f96c92c8542449cbaec8e9c

SHA512
4b622468255de8f68f4b84ed30d3f950f1eb8cde1afbc1eff7b9757a9e2d17ec2ccbec8cace993f52eea30b6107cec1936bdcf798a2fde56401f0710e972a917

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js
Filesize
6KB

MD5
1a4016b090e0934806398713264cc356

SHA1
16a8d2fc4a179b2a48126682458ee55f70674de3

SHA256
24c03e3e790b8b52eda066c311c826323490cdef60b9297a35ec856b7a38a700

SHA512
4418f053be7882d1b5da94f5bdfb8595443211f0e50715688ec9c57ddcf4ba0055294e2b49b21fbbac6cd63f397e9c57eb462bbf6f0e7279808446f3b7360abd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js
Filesize
6KB

MD5
3870e1884e1a6f3bc7885b4da8201cc3

SHA1
b7c4e30ea9f5cff2745f6e163b354d331b373a26

SHA256
1e2e33dec962fcb7fb402c59ed7f9bf62e6cfa86bab8ceca559b6b5265e95e03

SHA512
7b139c9bdc16c3d650bfe00defba1520ed9f2fd6e4a76a63aacbcff293bd13cb8e3419b48db3f5bf60ecaa57d09ae30b2c5dabb8dd56febc39706169e766cde0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\protections.sqlite
Filesize
64KB

MD5
deeced8825e857ead7ba3784966be7be

SHA1
e72a09807d97d0aeb8baedd537f2489306e25490

SHA256
b9f022442a1506e592bf51284091a8a7fe17580b165d07e70c06fd6827343a54

SHA512
01d303232d6481af322137b44fef6c2a584f0643c48bab2836f9fe3193207015da7f7514fe338500ae4469651e3d9618293858ae507e722198a249257677099e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
946B

MD5
5fab15180bb65495c9c1de4d2e05d49e

SHA1
6ce463b5d983898a262eb84251787ff370520fd7

SHA256
1b08f971de586a622a66aa8fc82caafc3bf7bbf83c532b6fdc2e754f2a294ca0

SHA512
cf5e4eea1ce160589e035424bb90cbe18ee6001ff4bb59a5c039b73030ea42f3b385ee0035a4b0e8c9683164cd8deb2ea5a75a572a2b3038914244761ed7b947

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore.jsonlz4
Filesize
947B

MD5
92102a33f94a304c6ddc4a37c820fbc7

SHA1
afec7a7cb9c89b946577b39f991e2b620292f93a

SHA256
deec54ffa959cfccba4bcd7cdb8f11b3efea295430a2825101cc22c93d225926

SHA512
1cfd38217025c2039ac9f354713ffd58db768f97fec411ebd79173834868b57ab7377ee1cb53267022486270cf40db857b422148bf3936eb2b4f72663baebbe9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize
48KB

MD5
b0ca58606dda807b7f7e041dc895f3f0

SHA1
4412086cd12c067d5fb3ad6635ff47a37f2cec8c

SHA256
0a108b59c53ed8c14d241c6d97a4fc44b1d19f338f5b6d91d22cab62e5b88e06

SHA512
20fd516b40dc18f79cdea0d2a5359fdb4387c06e2292fe801513b53a54e335c9d2271a04fd89225ecdfffe13835fdc168117aabde737d5a2f97d7dc55b64cfb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
c09e14712fceb847b7dd6bc434f9bf96

SHA1
411f88cd1df0db05df389e38d50e042aa2cd1d8f

SHA256
59338c47345d89dab532828d55085e8e68b0127e7b78872554ad073676236f9b

SHA512
c3ea66366b98c6d1194c038b0e132f6c95bb39a267f20f2decdd4d1cf6d3b6efa5c72845da4bc5c82e994b582e839748d7a23dad4873232c367de84de25a0aee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\targeting.snapshot.json
Filesize
3KB

MD5
dc210c498a0ade74522203c6825102ec

SHA1
97fec3370f414422d3ebacd8eac6de5c945727c1

SHA256
cf459097df38338da1b1b0c87811702494e5c30490332511674649563dc352be

SHA512
2151c7305f4506995918e63c8375ecd6355218793ab9e537ec981b86a7bf225ac11dd95941237ead6af546bc05f2b98266a17da906ff3324c83c5fa539a73126

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\xulstore.json
Filesize
120B

MD5
05e1ddb4298be4c948c3ae839859c3e9

SHA1
ea9195602eeed8d06644026809e07b3ad29335e5

SHA256
1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be

SHA512
3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e

Download Submit
C:\Users\Admin\Desktop\Old Firefox Data\gdoevwuq.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Filesize
48KB

MD5
02df71c96177897247909653e701e809

SHA1
b9015f49e51f905711e7cc6f1f587a0e4a2d347d

SHA256
6a837f6c39f1b5a109817a24864787d2f6ccc60b25e333077e67e7f8330f5ff7

SHA512
bcfe79f06935a679156cdd1d22c65a1c3eb0cbb0953212dec707234b29ddb035df910b0698a167311a3275fc3f750cd9f6066298bb6747485b51a794da51890c

Download Submit
C:\Users\Admin\Downloads\npp.exe
Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\1094426772.exe
Filesize
7KB

MD5
5a3abf2d99e1d6ebace7ae59d286ec17

SHA1
4fafd267a828ba66bb8ba0ec620b2bfff93f77d1

SHA256
3775c7888a3571a039b1415779a915e6dc806eaf0459eb551cbfb9b78c68f9f6

SHA512
1775cc5e2f5c8ad36437b086523e191fe31c441c99c39cf21af672e2beaa7987808b24a99960720731749dc33f8cb976e9ef6de5840a7f4e92c02b3c4b073bc1

Download Submit
\Users\Admin\AppData\Local\Temp\123122086.exe
Filesize
84KB

MD5
36010b83bccfcd1032971df9fc5082a1

SHA1
9967b83065e3ad82cd6c0c3b02cf08ab707fde3e

SHA256
99c140f3dbd18b65457bc398730516f3a8c1d0e5ba68aa46c194505bf0f12a98

SHA512
c8008923315d86c06b57e47d9bf81cec47cda0dec6d9f8aa57d7b4c57c7138997486a6f60eb0015bc99755afeb3d943bc8d9ba83dbb8c9219fa4990296de1def

Download Submit
\Users\Admin\AppData\Local\Temp\194826353.exe
Filesize
84KB

MD5
cd1d9c0ed8763e6bb3ee7efb133dc60e

SHA1
f6f3bea085ba7c13a2956fc0810c2034792f2ddf

SHA256
19ee79b7852c54de5883404f049f9e85cb0085bae8132ada3e46d6f75b24b100

SHA512
77b675fdbfc11bff45e2438cb1bd73b7fbfa03771c600e37171f684141c82f356e392ba2694285390aedbb3ecd3306a3c0f8687d0a1940d8d44cae3a7fc41591

Download Submit
\Users\Admin\AppData\Local\Temp\2953417835.exe
Filesize
14KB

MD5
d085f41fe497a63dc2a4882b485a2caf

SHA1
9dc111412129833495f19d7b8a5500cf7284ad68

SHA256
fb11b4e2d26812e26ea7428f3b0b9bb8a16814188250fa60697c7aec40a49bd0

SHA512
ed4d8e297094248fb536154ed0427f4cc1832f339ce29d0f782971ede42fa2b9e5f953f73e71d0cfc026e5fd2ec0f7062410af359fd940a14f277adca37fc106

Download Submit