Analysis
  max time kernel: 447s
  max time network: 454s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16-06-2024 16:52
Behavioral task: behavioral1
  Sample: release.zip
  Resource: win10v2004-20240226-en
General
  Target: release.zip
  Size: 11.3MB
  MD5: 4115cd94afc46e92446a5ed4c6e02034
  SHA1: a27d793c873e89366625e8c2577fac9bcc22f55e
  SHA256: 3a521e8eb6c4a7bc7e8981b6377b5ca5a50b47862cd29c15b394a3e1a91cb4f1
  SHA512: 5bc3d1459061e0285f8f6fd9af8fc884bc7495f34bdf165af4374320db698b3f6563887490dd342bb4865758d14a9df8f080c59978a2d89137fbebeac810a2bd
  SSDEEP: 196608:S6oLLrxYCD3GH4sfsx+QlK6GDoudi0E59ythnAB+rJYmd5wyj:6iCSFskQE6Grdi15AnAB+dPEyj
Malware Config
Signatures

Downloads MZ/PE file

Executes dropped EXE (IoCs: 1)
  Processes:
    pid   process
    2972  Monoxide-GDI.exe

Drops file in Windows directory (IoCs: 1)
  Processes:
    description                   ioc                                process
    File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe

Checks processor information in registry (TTPs: 2, IoCs: 5)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   firefox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              firefox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe

Modifies data under HKEY_USERS (IoCs: 15)
  Processes (all by LogonUI.exe):
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History

Modifies registry class (IoCs: 1)
  Processes:
    description  ioc                                                                               process
    Key created  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings  firefox.exe

NTFS ADS (IoCs: 2)
  Processes:
    description   ioc                                                      process
    File created  C:\Users\Admin\Downloads\Monoxide-main.zip:Zone.Identifier  firefox.exe
    File created  C:\Users\Admin\Downloads\Monoxide-GDI.exe:Zone.Identifier   firefox.exe

Suspicious behavior: EnumeratesProcesses (IoCs: 2)
  Processes:
    pid   process
    5672  mspaint.exe  (x2)

Suspicious use of AdjustPrivilegeToken (IoCs: 9)
  Processes:
    description                         pid   process
    Token: SeDebugPrivilege             4888  firefox.exe  (x6)
    Token: 33                           5428  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege   5428  AUDIODG.EXE
    Token: SeDebugPrivilege             4888  firefox.exe

Suspicious use of FindShellTrayWindow (IoCs: 10)
  Processes:
    pid   process
    4888  firefox.exe  (x10)

Suspicious use of SendNotifyMessage (IoCs: 9)
  Processes:
    pid   process
    4888  firefox.exe  (x9)

Suspicious use of SetWindowsHookEx (IoCs: 12)
  Processes:
    pid   process
    4888  firefox.exe  (x4)
    5672  mspaint.exe  (x4)
    4888  firefox.exe  (x3)
    1464  LogonUI.exe

Suspicious use of WriteProcessMemory (IoCs: 64)
  Processes (64 entries in total):
    description                       pid   process      target process
    PID 1200 wrote to memory of 4888  1200  firefox.exe  firefox.exe  (x11)
    PID 4888 wrote to memory of 4596  4888  firefox.exe  firefox.exe  (x2)
    PID 4888 wrote to memory of 4072  4888  firefox.exe  firefox.exe  (x48)
    PID 4888 wrote to memory of 2448  4888  firefox.exe  firefox.exe  (x3)

Uses Task Scheduler COM API (TTPs: 1)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child relationships)

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
  PID: 4980

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3220

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
  PID: 1856

"C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 1200
  - Suspicious use of WriteProcessMemory

    "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID: 4888
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.0.1462309545\1985564474" -parentBuildID 20221007134813 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b44866fc-2242-41a2-93ed-c677d64b3c4d} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 1964 19339cd6658 gpu
          PID: 4596

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.1.1848007063\750312780" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca99b483-7af8-4afc-9849-79034cbe8597} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 2364 19339630858 socket
          PID: 4072

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.2.579836168\871963612" -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3260 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0661cb72-34bd-48f7-9205-0ab75ea3d16d} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 3272 1933dbbef58 tab
          PID: 2448

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.3.129696770\1059686566" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86c47eba-80c0-41a9-8d86-c204d1e75985} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 3624 1933c5b1858 tab
          PID: 3464

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.4.259503799\892863325" -childID 3 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d318c4c4-8c91-421e-9afc-46dd48e7d62a} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 3976 19325f62e58 tab
          PID: 916

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.5.1964622124\543929788" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5024 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d214e9-147f-4b93-b826-05e5054f0706} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 5028 1933c5b1b58 tab
          PID: 5488

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.6.234852583\1049873582" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b8a1b24-abaf-4316-8a42-b5923f8ad9dc} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 4940 193401b9a58 tab
          PID: 5520

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.7.1537471607\1107913871" -childID 6 -isForBrowser -prefsHandle 5392 -prefMapHandle 5388 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {386f2f53-1d1f-4a10-b0ad-77283abaf4e4} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 5312 193401ba958 tab
          PID: 5544

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.8.1432169618\2012293855" -childID 7 -isForBrowser -prefsHandle 5820 -prefMapHandle 5740 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81e79d7a-997e-4a59-9d82-6c7587c784c5} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 5832 19341beb458 tab
          PID: 6040

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.9.1166256651\1194305810" -childID 8 -isForBrowser -prefsHandle 4496 -prefMapHandle 4824 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e9c72b6-5650-4a71-8349-7e6c8ca0911a} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 4604 1934259bd58 tab
          PID: 752

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.10.458007887\1327904289" -childID 9 -isForBrowser -prefsHandle 6452 -prefMapHandle 6448 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {049c25cd-6ec3-4c26-a83e-c57026673336} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 6460 1933fbde558 tab
          PID: 1556

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.11.1608731036\58712332" -parentBuildID 20221007134813 -prefsHandle 6448 -prefMapHandle 6428 -prefsLen 26774 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf3c83c0-b114-47eb-a607-a09d4c2f5a99} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 6484 19342be1b58 rdd
          PID: 496

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.12.1871836005\1203952543" -childID 10 -isForBrowser -prefsHandle 6688 -prefMapHandle 6684 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00511aae-89d0-498e-a686-d47bacfbbea3} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 6696 19342dde358 tab
          PID: 4268

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.13.952300629\1630014384" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6200 -prefMapHandle 4880 -prefsLen 26774 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da418f4-64db-40d5-950f-b93be05f5a17} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 6260 19342fb7858 utility
          PID: 5164

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.14.1546120645\1403082219" -childID 11 -isForBrowser -prefsHandle 7032 -prefMapHandle 6984 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a944069e-4514-4c01-9598-e434bd27781a} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 7084 193401bbb58 tab
          PID: 5268

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.15.1442746920\1519092498" -childID 12 -isForBrowser -prefsHandle 11240 -prefMapHandle 11244 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10f52865-4b7c-4a2a-8283-68f8d11e425a} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 7044 19341d0e558 tab
          PID: 3500

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.16.1433615093\1893069762" -childID 13 -isForBrowser -prefsHandle 5276 -prefMapHandle 5196 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b36e4ab8-9c49-492c-bef1-9af3483cfdc1} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 5264 19341dd7c58 tab
          PID: 5796

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.17.85060437\1076556470" -childID 14 -isForBrowser -prefsHandle 6328 -prefMapHandle 6136 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a02b01a-d664-46c0-af2f-4ad1b732a8e6} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 5020 19343649b58 tab
          PID: 5280

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.18.1024061681\1767300476" -childID 15 -isForBrowser -prefsHandle 6612 -prefMapHandle 6668 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13133e30-ff62-49ca-924e-06558f0c0aca} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 5912 193432c8e58 tab
          PID: 6048

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.19.661041170\136619647" -childID 16 -isForBrowser -prefsHandle 6232 -prefMapHandle 5564 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9799257d-2093-4881-b110-12128f127522} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 4492 193401ecd58 tab
          PID: 2452

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4888.20.1467129279\767777806" -childID 17 -isForBrowser -prefsHandle 4684 -prefMapHandle 6720 -prefsLen 26774 -prefMapSize 233444 -jsInitHandle 1452 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {356c7c39-ab33-415d-9418-6f0f25bbbf0a} 4888 "\\.\pipe\gecko-crash-server-pipe.4888" 6784 19344568258 tab
          PID: 3972

        "C:\Users\Admin\Downloads\Monoxide-GDI.exe"
          PID: 2972
          - Executes dropped EXE

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\Monoxide-main\Monoxide-main\monoxide.ico"
  PID: 5672
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 5888

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Monoxide-main\Monoxide-main\MonoxideMBR\qemudbg.bat" "
  PID: 5100

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Monoxide-main\Monoxide-main\MonoxideMBR\qemudbg.bat" "
  PID: 184

C:\Windows\system32\AUDIODG.EXE 0x31c 0x300
  PID: 5428
  - Suspicious use of AdjustPrivilegeToken

"LogonUI.exe" /flags:0x4 /state0:0xa39b1055 /state1:0x41c64e6d
  PID: 1464
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 16KB
  MD5: 04a8a21f59ef807df329595cda61af23
  SHA1: 8e1a941409f12c45d354581139332b641be28b88
  SHA256: 9e9cba7dc9ee36793cfea0ac8e1749a5e07b0418e05454ab61417126a0f5bc97
  SHA512: 4b46b715cff25680e6ee8668663d0f4b744932b5f133bef65e139b2aeb0a0dbcce14ca2e849fd014015958f8e85052130129f53cf01cb99c3139ab899a30d090

  Filesize: 9KB
  MD5: baa1e82ae795597680f18379d304616c
  SHA1: 9a7dc1f3e668bf50255d9f8ab8b1982700e0e7e9
  SHA256: 52b62357c17f4014d2ecd82a89b615a7d042886d6cdad631e1f94f6408f64b32
  SHA512: 949d84353c8519416f71e6915577223b2d4e95ec99984cfd2a065d1d4ecebb1c79df1fe8a4f43fa21a41a036d91b37ac9dbef1f8a617ebf5d41a714bcab22e35

  Filesize: 14KB
  MD5: c845624241dd29558cc98ccd1c79ec8f
  SHA1: 91207a4dba3cef2abcbb6144467d7ebd47db21eb
  SHA256: c7f1aac34105401b7f4c13ae938f6613d69ad9f7a52bad4c78c3f1f16d04e361
  SHA512: 70df55b13b1e441e9991b671d159931630978867be6fb752876115fd7b0f95e42f2cacb340b174cf4143421fc20251a9f5eadeee919e6a90b054213d4ab9d005

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\278E6F594C4259ACF0A1CD1228A4E566D7844567
  Filesize: 367KB
  MD5: 8c7b0658a2da03176ceef59de6915bef
  SHA1: da840fab292051c72347c21383a3b7e82b9ed4f0
  SHA256: dc52c9b0ecc7522638191cc69999fea4027732f1da8b456f8297f98393f210ba
  SHA512: e71ef634452880d0f083cbc7c1844c8ae20040f862706455d8fa412152ddaf18e6af6c4c36534cc3f23b9444803a8dcdcbb10c05112466112ba14fb7c86fcdb0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD
  Filesize: 32KB
  MD5: 722540aad90526c741eb5a3f96d809be
  SHA1: 4760b6864f1ae137e5c7b0d7224ae8b6ba4127ba
  SHA256: 41fc6499a8e5a800aae18de0e2635067a6c945e4ea35732a812fea6dbb46dcd2
  SHA512: 5b2058b48895dc2df8ada16b546862251c143fe1b1bedfe3a97d37eb009393f10c82c9b55ae1c201b33a2a43614ebabb31222f8777e410204b9ead6d18c74c6f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\6440C0B35A4A68EC0CB1C1C79C6E06D909B352BB
  Filesize: 77KB
  MD5: f2eea9ace70acbc35330001aa520ba77
  SHA1: 850e4705fa6d89e1a4f10a6f8329e2cde63c9335
  SHA256: 5114c31eb917f62f76f330c5500dfa9fb7fa168876c930550fd1cb265f860004
  SHA512: 27dcba6ce71dfb76c233bda7b3882d0aae5e75ed6357b1bca1c4e10ab9b07fd7bd7200142d0c79fba0f8466fa18e1f41339e8e48db93dcbcfd052ebbe5ff0977

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\82562AD5D143783BE1C9360E60DC9F26284E3818
  Filesize: 111KB
  MD5: 99b024a192d54de69bbdacc43d49765a
  SHA1: ef7945c920b727a80f8fe5907e6528b84896cc61
  SHA256: e2781af7c835913d009db01ec39d95266dad37bbe638213de32d8f9edb159c8c
  SHA512: 89e3b22e456ad3c1ca2a065ead25e522ffd39e8fd3a73fd14bfe6b812b4f29b505990da84589ce6761a837ba7cfbb816a250ebd5fc4fbdcb273161234c1d7134

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\DBD0748B69E2548CDFFE21A4A17B9653F0711FE7
  Filesize: 149KB
  MD5: 77bed7189472563c10f3601182c3635d
  SHA1: ea16efc61b07e7b9f2d9c17aa95124867d2c60d4
  SHA256: 7d83cdfb18613306c7f0012c3b5c55cf49d133e04c4f725d0a2e709c7171815a
  SHA512: 6ce510cb40fc45670810b2ce91daa2fbecc96291d4becca8ae9c2712affc122e9bc68311717f6e74729879ad83daf7304d1ef1eeccd37166ddf20eb075c8e261

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\jumpListCache\OkMQAhOddqnLG3Evn+JN+Q==.ico
  Filesize: 691B
  MD5: 42ed60b3ba4df36716ca7633794b1735
  SHA1: c33aa40eed3608369e964e22c935d640e38aa768
  SHA256: 6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8
  SHA512: 4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

  Filesize: 442KB
  MD5: 85430baed3398695717b0263807cf97c
  SHA1: fffbee923cea216f50fce5d54219a188a5100f41
  SHA256: a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
  SHA512: 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

  Filesize: 8.0MB
  MD5: a01c5ecd6108350ae23d2cddf0e77c17
  SHA1: c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
  SHA256: 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
  SHA512: b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 16KB
  MD5: d2ff82f064003f932d3d959fec3eb84d
  SHA1: cccc8be9675b7268870a23c082d260b182256c4b
  SHA256: f0b9df91c210ab8497092cb864b5490265706b5f71f2f3d6ae3ba6e73d51ceae
  SHA512: 21fd219c9a99cfdb52d4153179073914919c4c312d1a3beca048aef42bed8660270b303bb2a1a13410c8468422401b81d7e5565b10aa0f4738911339230365e7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 19KB
  MD5: 24c7c53974d5fe0f27fcf3fa57b277bf
  SHA1: a828fcd48d92c6f6a01b1b0545f65a175ec437e2
  SHA256: eb7587f3b79a72937424d94846c1f6ed5ffbb95527870a6bc0e5ce1aefe78ce5
  SHA512: a9d924c6b05e3fc27662d2ed4a647f574e41c79560b3a491abfff38e9264daabfa4fb182c25d9fc79fb80fc04f275909a01c48f83e430ca8477ae6b33d282330

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 45f8890e152c2c918139f5ca3a59c37a
  SHA1: f3aec1927cc115d0542bd627d93b51239634106c
  SHA256: cd82b12b14d0825486338473aa22e6e0be832c21068845c608463007c5dabe50
  SHA512: 78e357acf714833112434002733ec0a9d73eabe0b82029be2778518a1ffdb11a81a9349c35cb3bd851298d4c1c1ed61dd2fb06cec3f7ef0cabdd20e509373c5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\1f4f5aae-5855-44d5-a34c-50553b99931c
  Filesize: 746B
  MD5: 9796c66279fbb2d31adfa09a51a2f73f
  SHA1: 237e97c588d22b951828bf62d2bcbba8aa49622c
  SHA256: 5026fda1d87ad79e68b96baa7810aa3483f5012ba298a9e1766b0e021fa0ac98
  SHA512: dba67c38fbaa08939e790327c3300e72bc4aff79ee7923360c28dcbb9fd4f22d0e9bacbf043b7fb8f8bd38e1d7877756d0af506d2ac5b3109b18e2df4a886183

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\333fa04b-8e80-406f-81d9-1d0beda4a163
  Filesize: 11KB
  MD5: 1239902583b5db398a5aecb2f3873eaa
  SHA1: 17fa2e2f2f7562a75b988e3e319ad53ff1c22ef7
  SHA256: ba51dbb256d6b16d2d0334879d725031528b2a0a34e08261cfe23c7692f42829
  SHA512: 6edc3c0209da4001f697b5f8a59b11145dd972d2a61cf549c060c8c13a9d5414c1c0fa0d947863be917eb8f1a7f9d9462dc01536323d98d2e2cda84e0a9ae43a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
  Filesize: 997KB
  MD5: fe3355639648c417e8307c6d051e3e37
  SHA1: f54602d4b4778da21bc97c7238fc66aa68c8ee34
  SHA256: 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
  SHA512: 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
  Filesize: 116B
  MD5: 3d33cdc0b3d281e67dd52e14435dd04f
  SHA1: 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
  SHA256: f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
  SHA512: a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
  Filesize: 479B
  MD5: 49ddb419d96dceb9069018535fb2e2fc
  SHA1: 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
  SHA256: 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
  SHA512: 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
  Filesize: 372B
  MD5: 8be33af717bb1b67fbd61c3f4b807e9e
  SHA1: 7cf17656d174d951957ff36810e874a134dd49e0
  SHA256: e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
  SHA512: 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
  Filesize: 11.8MB
  MD5: 33bf7b0439480effb9fb212efce87b13
  SHA1: cee50f2745edc6dc291887b6075ca64d716f495a
  SHA256: 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
  SHA512: d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
  Filesize: 1KB
  MD5: 688bed3676d2104e7f17ae1cd2c59404
  SHA1: 952b2cdf783ac72fcb98338723e9afd38d47ad8e
  SHA256: 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
  SHA512: 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
  Filesize: 1KB
  MD5: 937326fead5fd401f6cca9118bd9ade9
  SHA1: 4526a57d4ae14ed29b37632c72aef3c408189d91
  SHA256: 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
  SHA512: b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

  Filesize: 6KB
  MD5: 377da0a55b222773fccd9760bfc2bc96
  SHA1: 10c272de4293ed2b64d387696e16fc6b3a95c706
  SHA256: 20f5da87000e529df31c5c7dbdca87da32936a2c8a98b8ad852ba63b3d8cd4ef
  SHA512: b3959733a64e6986cac7b09710817cd152978debe2c70871eeec22d1be1641646dd2fb62bb57022ef4546eee17873c0ed13b1430be8aa270f7f00cdd3c71534e

  Filesize: 6KB
  MD5: 50bc24baa13c75565514d7fddfc3b631
  SHA1: c2d3700752ad96b14603ca09b42ac7073c6eb24d
  SHA256: a004a22272468be190e16ecd9560f84173ce440639660e8ab9cf386c2ca569b6
  SHA512: 369353bba4aa0f36499af204192fde86693566061cef5a5923c55f5db06c1ef04f914dc788711785004fd00324bb2ebeb27c322f7ba9af558bf3d1eec1f3fd63

  Filesize: 7KB
  MD5: 13ea1f04a285bc3105ede96351245f28
  SHA1: bb4d1d997b481e6d7b4c6d166762d29b93fdb2c0
  SHA256: 5f383ae7bfb429cb594d7e95ee9ea831569c68f096fac0250bc9857685c388dd
  SHA512: 5fe7e7989d0c3a72ded44e02b287e53994a6405a37c82d4d697633d74c940187b5e57648e65cdfb986ac77a1f97e9740fdd75ef6468ea7292e88f531e57732dc

  Filesize: 7KB
  MD5: 19f40bd4af47d3f291bb62fc44358ac0
  SHA1: 26d7ba450ecdb89bf332bca016a55b4aad949f9a
  SHA256: 95306095420101d04da9b344d79d89d958f3df1393049d741663d4510dbdf215
  SHA512: b77780f508fd66b51c0d086298bc3763df96bf0fe691bc1aff2784c808fd80fb87e9337751543893603e8a102f081c5ca557aadc1bec7f8bc17967a7bf9d403c

  Filesize: 6KB
  MD5: c3c365df679c2078e61583b082c3248f
  SHA1: fad59cfd36afc67d29a3dc03848fce8bf80674c2
  SHA256: f6c3be44525a09f36f5c748e91f2cd2f50d013452bccfe685bbfab141cc152ab
  SHA512: efc7108b9c3c7c56be2052cac7ad33895489727b5e35ea73cdfa799d47bd4eb44d97968301cf9861e6d6390351914213ebcbba1fc9e7fb768b82d41a06ed0c53

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionCheckpoints.json.tmp
  Filesize: 228B
  MD5: 66bdbb6de2094027600e5df8fbbf28f4
  SHA1: ce033f719ebce89ac8e5c6f0c9fed58c52eca985
  SHA256: df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc
  SHA512: 18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 4KB
MD580d020abaa51161cb80af36b0d58d821
SHA11b56512eb6839837162d5fdc2cf7db2e467d2076
SHA256fa2f3db8439fc6804b3a3893cd297018a37456208500f573c91d171b5cec1c3f
SHA5129d5c3ae028d825959b9f24828d93a106655b656da95e5b4f6de421705bb371aff58733db0119ce9bd894a1372ac4adb459a5a07176a2f95eea1106e185f04b00
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD507ebc402bdb78b849aca5b7658f1a373
SHA1fb281d03e9b826cea381df719b93a79f546f0aa5
SHA256255141164d581ffbd0ea785e975354d3947944444a41e5cc2632aef670080595
SHA512c77866641f0f51586c9d16d249c49b7006a9e190274308f02f888efb4a68ed0bf2019ebd974ae47de205fe513f7b0289a91a392cfb1aec14f3de253e4aa6db67
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD580bd4dbc9ddf8dbc2c8164de3ab9472f
SHA10de4f7b10f7c610977440c8c87731a7d29e9304c
SHA256e8dcc93e7b8c1fbee92809c5eeb554c16d8ad95b6d4251aa3bf45b27c5865de9
SHA51243646c1a389c8f313540d43f6da2b85441923e9b8c9aef3b448ee5b0fd6ee4cae497bddee6fa623f122358bb5a07a60d14332a436643d2be9667eb5fe481ed4e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD5839dda69ce2f325064cbc16aa8bbdc95
SHA16b1f614fb8c6a4802d5d00d3082c08c44ef7c21e
SHA256004a0419be98f0bcad3d1f67cfc17aaa8449a3bf26d52bef54aba7f82444741f
SHA5128dffcfeddc6e844722831f382288c57a345034d6fd462814c82e7300bfafa55444c36535713fa5c9e6cf13ca493cc4bd670388954811774a42bae0f8e4a35044
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD5e59f8fca78a35c497890228867e5ac02
SHA128c598e7ed20dc6516bd98bbb54b49919d777820
SHA256ac4074493055b34ea0c31997fca634fba16eb0e9ae34a43bca30aa95df17e4b7
SHA5127c8c6d39c4c2db65da5b0cb1e838bea0cf4f1079a92ff2afd5db8671bcaaad637b3ce3ca856a9eb9faafbbb14bfa44477985bbe202cc0593e8701e76ad4fb835
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD5878805c649bd51b9c321573ecbf2d622
SHA1576f6ec5b2a63fa22aa301d65538dece3ca9988c
SHA25695c1f06b60a2f13a41ac692630092618f7cb2213df1e07da6ab3e77639b04ed9
SHA512aa87ece02ff9477f32a4e8c40f825c919356e215acd5216a76630fdda6caf09730278414dca8a1b46204a096dff1d07c0351fee7881eed14c995e4f766dd30f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize12KB
MD5ff3afe6064665a9f5e887b9126dcc158
SHA1860614701688c8572e6c7d2a05e4c42750595368
SHA2568be44805429d9288d9475eab88ed5915b03c060dd3546cbee3b96a219f7709bc
SHA51229161462f478afd9dab46aba528736f86b5a9feeb743f786009db660575515ee20b3e0cfe09ec65eada066d7cb780d1a99435930203cf61ab55707a5e6f2a3ee
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD51a341a47a5796225c968a9d828f49fb5
SHA10b607a7f7c4ebbe62a9fc09c19505c2814902e12
SHA256c99ce297ec425bab9e3abc1bd975b6ed3c82677e87e6564b6d66c7601522d038
SHA51274e750b2949a11d4395cdfcaae414fd4c73ca2597e7f5d6fc830388702fdd16cbb23136978a4c81e328bcb08e36db8e152e313fb09e61f232c0d692b635ac879
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5a5e6d5fa290b20615bec9b6a60a7465a
SHA1a50cafac6c986d978777c6085785b4bcc1e4996e
SHA256d63b658fdd3867bd6852adb76aa9456d74c47ea33f8a751c81b4f5cf74c55810
SHA512f49d18c6977bb66af3d7baa7704efcefcc2cd3ea320e076f81c2c57d3fb679b18e3281e9cc07d97b866233f56cf9b0599bbdd372df589cd9b40ed91ac2601526
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize7KB
MD56bbb85d6b31cae5fa34e6ca5ff8441a3
SHA15c94174f0359903a6aa02b5f56cb3ca4bdd5ddb1
SHA2560de08a84001fd3946160a04d31126ea87ceaa4eb442287b9eaeadd82429b9896
SHA5125e044d54c2de5f35fc2c513ffc2ec9453cbeaa74df9e4dd2fbb2aed7873266c0d1fae85f2478d57bffd1e72f13902c5b2580a2e6bac9b821938fe9735b0d68fb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize8KB
MD51ba8fe6e87043f3c95fae675b8e18d30
SHA1865d89d45ca5d41954f04cdd714dc4feb998b61f
SHA25657f5aa6cf7b87c0b7c28f10263c774f7e486eb0334bfaf53dff134a5b3b00725
SHA512d8fa8674a09539897c9ff6504c5e0ec1221505c0dfcf56e98b03f983e478efd2bbca7b07bd2dfdef227043d31faeb7bead52d2b514a61ccbb394a7da885e37cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize9KB
MD595846425e8b78003ba6ad52222f147aa
SHA19935d66a86c28738ced3e8513609861641e78313
SHA2564551b7bdaa539c8491e12ad5ccc02662ffbf6e8bfe1775bb37baf9c6a38cff9e
SHA512f3a48ac03fe4a724a2f40e462ab8bb336a956c2e52bedc08578d6415fb5c0956e88438ca31e0cd0230611519dd9a81e95df459a4fd56d56ea4f2087131c3f907
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize12KB
MD57044c8aa6f6c51f44c81264a9894e1e5
SHA1ce77641f7453ce2f1722731b08f5468268688896
SHA2569a8c62c9970d5c9c70840dd8d1c8148e8d1387ea06e6c34df007dcc372b42915
SHA5128e05aa2b5690aeeee4fe023f96c647e3561641aa352f31fd68ddb66d6ccb927ea5ce4867829780819632fef8f3c8760d10603b78b54e28311347380cc54608e3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
Filesize10KB
MD5cc0a9630ac10b7937f7add83fdb99557
SHA1f8071a97d20d65dae335a46eeb40ce5625fa9ed2
SHA256ab7112d9694e5013b928a44962d4628c37736977c9603efb7e8be10912231f68
SHA5121b7a93d8741a4644e1c1bf1c7b3be65f773d3827b9a4927504ac9a055414ff06900f92b5c589ec7462f762c2dc16e97280e235be12b151ed952747992c91326a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
Filesize10KB
MD55efcd61c091db01dbbb6edfce0593a00
SHA135451efc5e5b02260679d8de58d4ced2c479db23
SHA2565d2e89edd11c971142b93af5918ae527f099cb535f0c09d24386237d0656c2a5
SHA512f50a58621ab0f84d879b4f6c4605e38bd664061c8f09d4fb4bc82d285ce62a9da0ca213ea607cb2629abffe2dedaf0e471278e523fcc7044475f4fcfd6e51130
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\default\https+++www.youtube.com\cache\morgue\193\{9f6f013c-ddb3-46eb-a4ba-560f9a0843c1}.final
Filesize4KB
MD560d66e4bb5c8e81f2e74110242be319f
SHA17d06f8a849998764c0a8b83a75d6d5de60de1238
SHA256413d58f8847f0606c70486a3f8af24044303cc5639852b5daf7b8bb81ed8bdde
SHA5126ad63eaddf057ffe9c211bb5c3af7675105ec6af38d6e844a0efba85dcf9e10fcecfceaa5dccd103ded114bc1b50036c49604e731000b1af4c037f2cc6b680d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\default\https+++www.youtube.com\idb\2171031483YattIedMb.sqlite
Filesize48KB
MD5da9b7d3ab8b724067a0c5347f3a5724a
SHA1318defd2641bef3ba3399fe6649fcfafb8dba5dc
SHA2564f9ded346909b4c4ab4ea313d39a88c01cff3a4ddc67d76f7b3945799041f604
SHA512b06852c7df59018f77a2387d15d84065d88c4ff0a43c2ffc8b8d2a05e1c5d9645f6d0df6bbd07e8de96e0c6388b395528b2df7a9fdb6e0b52d1fde32d9618353
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal
Filesize40KB
MD5626f83be1c6b2639cb473a70afc44af2
SHA1a6e831ef9fe5760dc4e87a307c4f184425f36db8
SHA256ecca6b4a19ff031e03f1e867e2a70d6195135169ae1b750cef711b6a23d61dd5
SHA5124331a106d8fc647a3aa2f629039bc9fd965f5f97f38b21447a94ca0d8376cdd8610f11d45be30c8111a5a84de0fee01ded2b389cbadeb4ebd267391039e01a4c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2256980065LCo7g%sCD7a%t7a8bba3s.sqlite
Filesize48KB
MD5622d07092e9fd0838b0c1f42763acdac
SHA1b363de00d6dc7397c2d6ebd5b214a745c04c414b
SHA256ce57d9182498a86c248a806e55052942683f4df711748ce3f6504b32aca4b0ad
SHA512af40c2db141ddbc7e5e10b3e5a775510e8571a51a85149d107168813d14c7d89dab99249711db685437b14a0b9d3458fe314b2ccf9ed139c9420b6c6e7bd1053
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD589fb414d778d11d3a12991de60301815
SHA11d7a63ca92d9ad28930ce2feaac8c71c3f699ef7
SHA256935ba660008416f0b46a028a709944f11f9c2858243a2f7bc0b57aa1d96314be
SHA51249f06dc78f2e08621ba4ed19925d8c7ed040502f13edaeedc7df3d675e77417d8b7b3c0b3feaf7f4fcef989091b363f5af1fa9258de57cee5bd904e1d7a31f9b
-
Filesize
67KB
MD5f9382d06e61df3cd9537978c0cc5bef4
SHA146c5cc5ebedbecf6ef71829087a151d4b4398fc8
SHA25666adb855a6f8361258d2468f4e80cb17fa903eda20db0a1ab7989b26e46f1e10
SHA51204afea5c05d5ae1157c1bf7324e49d6dbe1233cf356620a189b3941805e7d43c261e2cba116d04f4aab82cab22dc4fe37ee8ecbc24414f835244bf7fee998c3c
-
Filesize
116KB
MD5567807ffd4dc5918c342138051a07902
SHA1b2e19490673977db2442a10cab691f6bae2a07de
SHA256a4ad6bb531bd8268d624f264910b15600f902fd634cef18a500c0f75a25a8042
SHA51263f776e3df52662dab41e97fe934b08b590a055126db4ba6d829208d627e79ecc367da19e433e981d7f4ea8214d9114673bf10c1b3bd88c12bef63fdbf6379fc