Malware Analysis Report

2024-11-15 06:22

Sample ID 240525-lfwagsda44
Target MeltLaunchеr.exe
SHA256 8158a96438c4c741bae0453392f1c93bc14cf4138222c3c57a30e15f36c32bc6
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8158a96438c4c741bae0453392f1c93bc14cf4138222c3c57a30e15f36c32bc6

Threat Level: Known bad

The file MeltLaunchеr.exe was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Unsigned PE

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 09:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 09:29

Reported

2024-05-25 09:29

Platform

win10-20240404-en

Max time kernel

46s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4948 set thread context of 312 N/A C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 304 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 304 wrote to memory of 3892 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 304 wrote to memory of 1348 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe

"C:\Users\Admin\AppData\Local\Temp\MeltLaunchеr.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.0.1580583499\1743589867" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {213b5b78-0f79-4574-9c45-104525e423ee} 304 "\\.\pipe\gecko-crash-server-pipe.304" 1796 1c1627e5858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.1.540369921\774799470" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2132 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac5d83b3-f540-47bf-92f1-9801618d8953} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2152 1c1626fa858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.2.647060881\102250527" -childID 1 -isForBrowser -prefsHandle 2672 -prefMapHandle 2880 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9273ecbb-ae29-4760-8f30-8adb5a52bd0b} 304 "\\.\pipe\gecko-crash-server-pipe.304" 2748 1c166ab7458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.3.1696341633\1012454464" -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 3492 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d57b8b-421a-491a-aee6-2aa8c97ada93} 304 "\\.\pipe\gecko-crash-server-pipe.304" 3508 1c167787f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.4.1798357933\460762681" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f96556e-349e-4c45-ad5c-bb5ec4f9195d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4232 1c1680c8b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.5.562859688\1589461109" -childID 4 -isForBrowser -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e0257b6-a09e-4dee-95c8-cd18064f08c5} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4804 1c168e5a558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.6.1850512441\28587580" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4964 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adf5aa6-b7d0-4ea9-877b-1bab02dac85c} 304 "\\.\pipe\gecko-crash-server-pipe.304" 4820 1c168e5a858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="304.7.1566404515\155744375" -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 5140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea0ce8ed-68a3-4319-8b3e-f2c5afb9763d} 304 "\\.\pipe\gecko-crash-server-pipe.304" 5124 1c168e5b458 tab

Network


Files
