6b0b3288c0797e1199661330e30bce99ea22e9d1175258f2cace9063943565bb

Resubmissions

03-08-2024 02:45

240803-c81k8svgne 4

Analysis

max time kernel
593s
max time network
580s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Monoxide-sound.exe
Size

98KB
MD5

dfd563d229f9f203217d66df57ba3084
SHA1

fbe45679a8d15b26ac6d7f648bddffab0455eeed
SHA256

6b0b3288c0797e1199661330e30bce99ea22e9d1175258f2cace9063943565bb
SHA512

e247cea03190278cbcd006cc40ab074e6af0f1cfc116627736df5d656e59bcb4838f87c226fdc6cf298f03ac615a434d08707b17b9b5c1106722cafb7d9572db
SSDEEP

3072:mPYOl+2oTiF2Tso4cqFOfFA9vhKeAd+eRp/qzgf:rWFOsoQVvhKDFiA

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monoxide-sound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	helppane.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "96"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a0000000e0859ff2f94f6810ab9108002b27b3d9050000005800000030f125b7ef471a10a5f102608c9eebac0c00000050000000920444648b4cd1118b70080036b11a030900000060000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010009fae90a93ba0804e94bc9912d750410400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbeebaa2b0b4200ca4daa4d3ee8648d03e58207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "1"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "3"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	mspaint.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	firefox.exe
Token: SeDebugPrivilege	1956	firefox.exe
Token: SeTakeOwnershipPrivilege	3080	helppane.exe
Token: SeTakeOwnershipPrivilege	3080	helppane.exe
Token: SeTakeOwnershipPrivilege	3080	helppane.exe
Token: SeTakeOwnershipPrivilege	3080	helppane.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe
3080	helppane.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1956	firefox.exe
1956	firefox.exe
1956	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2800	mspaint.exe
2800	mspaint.exe
2800	mspaint.exe
2800	mspaint.exe
2800	mspaint.exe
3080	helppane.exe
3080	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1084 wrote to memory of 1956	1084	firefox.exe	35
PID 1956 wrote to memory of 2944	1956	firefox.exe	36
PID 1956 wrote to memory of 2944	1956	firefox.exe	36
PID 1956 wrote to memory of 2944	1956	firefox.exe	36
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2044	1956	firefox.exe	37
PID 1956 wrote to memory of 2272	1956	firefox.exe	38
PID 1956 wrote to memory of 2272	1956	firefox.exe	38
PID 1956 wrote to memory of 2272	1956	firefox.exe	38
PID 1956 wrote to memory of 2272	1956	firefox.exe	38
PID 1956 wrote to memory of 2272	1956	firefox.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Monoxide-sound.exe
"C:\Users\Admin\AppData\Local\Temp\Monoxide-sound.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3032

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.0.567114169\364156528" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1088 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b300b84-deee-4a50-adae-0ff240e5805a} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1400 f4ed658 gpu
    3⤵
    PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.1.2045616829\1316483804" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c8af051-03e2-49cb-be43-b24ed8224060} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1552 4218f58 socket
    3⤵
    PID:2044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.2.2011415130\1702462223" -childID 1 -isForBrowser -prefsHandle 1956 -prefMapHandle 1952 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbf126d4-2787-40bc-8397-0c268ede5679} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 1968 1945d858 tab
    3⤵
    PID:2272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.3.1786394237\1981477462" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 1704 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a75dcee7-2c20-4270-ad5d-31c26f044995} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 828 e71558 tab
    3⤵
    PID:1716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.4.1085961552\1921955661" -childID 3 -isForBrowser -prefsHandle 2552 -prefMapHandle 2548 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57f41a33-dd92-44d7-b85a-7cedb7552c5f} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 2708 e68058 tab
    3⤵
    PID:344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.5.104243061\478085410" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3840 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d60521ed-3d3c-47e3-9b86-0ffe4778f30e} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 3812 1e7f8358 tab
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.6.397126821\1897075159" -childID 5 -isForBrowser -prefsHandle 3952 -prefMapHandle 3956 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eeaf14c-3f9a-44dc-b3f4-83f3897031d5} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 3940 1f70d458 tab
    3⤵
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.7.1116374048\606132944" -childID 6 -isForBrowser -prefsHandle 4208 -prefMapHandle 4160 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86c16ac4-27a2-4195-87c1-c21f610866db} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 4200 1f70ec58 tab
    3⤵
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.8.1491478504\1766325894" -childID 7 -isForBrowser -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2384ebf5-6877-4075-a565-146b43ccc84e} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 4516 1f8ab558 tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.9.1795676245\222019443" -childID 8 -isForBrowser -prefsHandle 4460 -prefMapHandle 3552 -prefsLen 26805 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6728338-ab24-401e-8210-00f876c33cbc} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 3164 1f177358 tab
    3⤵
    PID:2260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.10.1549656121\99241278" -parentBuildID 20221007134813 -prefsHandle 2524 -prefMapHandle 4324 -prefsLen 26805 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63a30781-71ad-4e70-aec3-a13e5afe3393} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 2528 1f10ce58 rdd
    3⤵
    PID:1540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.11.1978730482\1038572214" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 2772 -prefMapHandle 2792 -prefsLen 26805 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0379c2a5-b08a-4044-bc33-c4b6516b4689} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 2508 1f10c558 utility
    3⤵
    PID:1648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.12.1659308911\571506806" -childID 9 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26805 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {37b10342-0632-47e4-91c4-0247f1ee0ca5} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 4964 1cb61258 tab
    3⤵
    PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1956.13.905766984\1569278346" -childID 10 -isForBrowser -prefsHandle 4444 -prefMapHandle 4952 -prefsLen 26805 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f30172-9fdb-44de-9763-aace03205d47} 1956 "\\.\pipe\gecko-crash-server-pipe.1956" 5100 1fbfbb58 tab
    3⤵
    PID:3684

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4068

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1492

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
549164afb87db1f3a73c3e390acfd7b8

SHA1
5234e3d4c629a30b985b7c66725c5c0b5e697efc

SHA256
e796408b2d64f86fc27c1a9f44cde9fbe21fc14888623d29450ecb4f13ae506b

SHA512
729f7ce173106f4708ec403636396deda70d6cb124cbf192e059d127166bf50fdda030bebd7203d9dc8aeebd139b4eb7fbbeb550546daba654dfbbf790ab23eb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\doomed\25845

Filesize
8KB

MD5
4673331c9adafa7982dc3bd29d91bc7a

SHA1
f471eeb4f1eca014ee61f610610552bab686056d

SHA256
e0318936a1ffaf023019c442a5981586fa0d3cf4e560a8f4ec106a434ca0a8ef

SHA512
170e51e3880358597baa961b49ad094c09d46d72981e7238a289ec71d1fba069d13821d84455c4871ace3587376be41dfbd2e3667def674550c70b2b51432a27

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\doomed\3217

Filesize
19KB

MD5
bf360d00ff62a1fd620ab1ac8961de42

SHA1
a7fcf4058fc9add77462d711378e2498b0b4cbc0

SHA256
b4ffa91ff3f46731deba906a4f3dda9ba26e4789d9e76fdd1bb276d311d3b375

SHA512
ce93d3679e000fac2a0d002ee7d4571555e70e471e90c020806a874e139b77eccdb36b56a197d74deb4dd52809a1a74a409bb4d57c980f521da3f0f8ec753551

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\12E7E81FCDE088576380959119D4D438C2E39594

Filesize
125KB

MD5
e2dc69fd88b2988f10b7444d455f0725

SHA1
c19161302f20104133723be0e111e43267302073

SHA256
7b534b8ce74b8c79b090052c1fe39825b15d8aa9a3c1955fbfbea918e854dabd

SHA512
5b9bcc50414d15d7d5b367a18dee8a3849fe82c0df3076862af549b00082e0c2c101a458af7f2888c88d55cdce58adeceb6b241d8bff14ccac776fb728441b89

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nyws1jjf.default-release\cache2\entries\3D877846D300D51A72607CF0725A097CD0C65C95

Filesize
144KB

MD5
95f6b540004ba6362028f6dc211a6bde

SHA1
2ce7c54f415079d6e322eb1f91b22e05f15c9b7e

SHA256
c9a40ca4077eddb0c87ce095b9bfa36da8e13b8f309ae6083c16a99bf3c6d8b8

SHA512
cc97381ca7e9fac06c8c5e80061ff7a3f0fa35e73c5d656a3efe357333074519c011adfa27a155e2973832ad44d3acf21776b5718750617121f678c8d3b56db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
93b7094fb8ce3bd5172899b77540cf7e

SHA1
83801a6ab8035df8ab63add35bc60ff5024b6ca9

SHA256
f7e43ec23e80b60e28e780bc57d56395c86c5e929acd2b7723f36f22ab17a5bb

SHA512
5bce7a0e24ffef5355aa300f90445263ad8ca5a47771a1d894cb693a921da50bb95ccd7253ee4830b2991257a76338d98e44717910d7bad59a899fafb4335b54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
6747eea7bffb70d4c9829024678fbe2b

SHA1
d1bd2ddc8003369d2c3ec904048a3c69a24491d0

SHA256
7b15c2867d122c30ccbc62a994eb9e2d44ac89d496cf04faed844e6bad3ed439

SHA512
a5bbaf99febe4be337d1f34751b570895fa4232476687f9619bb32cf6a916ce9b04b99bbd52cff9e6350c2b68198c1e66614ec5bb2cd0dfe89d1cbc8b5f111ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
ed923329a866c2c12370b51c3b917a15

SHA1
2092b669c601f6b67a43aa318d4d7ac87d256ce7

SHA256
aa35b471d4092c16a04b9d44587d83837c4bff40ff31adedc0347a20f7af989e

SHA512
238550c2ddc159c3c4744863eea5024749450abe6a769018a066870fc54375bc5bba96c8173e887ad7f7c65f4bdc4c611bf1e932a319b558686f9bb0bd02ab13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\151e7b6c-63c6-4ed9-aa1a-a9543cfd1ab3

Filesize
854B

MD5
6f5f40385c30f81f8dfaa3fa243997ce

SHA1
ba920669e88a77cab9986031be24b4c9accab196

SHA256
488f09854ca396c21ac5aa1b60d908e4fdc823359a0010faa9368ef104477dcb

SHA512
2e0eedbcdda4e5fa2aed36b0c4518c1d823572c22aaa5d775d3c1adddf7ddeafa0f0a4afd557954f4b3236211dee66d684211e302477167b088faed5a11ab694

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\973cd7b5-662c-4068-8350-e7de4f8b2f62

Filesize
1KB

MD5
d25620b9cf029d0100001886a7e4c4c3

SHA1
6dcfe9a7438c36d3e1c2b0006661d1e8a552029f

SHA256
939a9c9318af373e3aaec6db226ed0a128c2595f0318172954800ad7681e7ad0

SHA512
0df6762d790f99d3135bafdefb3d017c73a8ad56aa0d4bc18ae90a2f758b9f27561dd5578e02096998e2851a99ceca184a2421f39dddc42e0ca7ed8489aa7c97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\datareporting\glean\pending_pings\b442601f-abd6-4edf-9f67-eab7b2bda18c

Filesize
733B

MD5
37aa2069ff8275ff375e76b3a04c44ef

SHA1
c95754f6f1c2602450e88185120767f714976d2e

SHA256
ec861e957933bc13a6153a470008f61ba90a728429d484583e4ee2e729f7857b

SHA512
dea4088e674a75f00ea36f0900ef6023c5903d60dbf0b14ac5532ff8720ce93646ba97c71134fc46b413e6c4f3fcfcd57925fbdcab96ac6925098ee7954cf1e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

Filesize
6KB

MD5
af609fc49b3859b4448c86fe293242d9

SHA1
2cbf244b3901798fd265e8b9bf84ae0f4185f928

SHA256
a59af4fa6fdade694d31c6eb2398debf41ab2c43707ee00bfaabce5901770be7

SHA512
23bd38f5fe30a77922651694859f3ca9fabefed5d3a9ed2f56129511f82174ee41b4485ceeb23261a570bae9577d2828b336a0da6901870d1c512a753aec915d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

Filesize
7KB

MD5
94ee81e98c2e5c934c4a5e22fabb047f

SHA1
b77a8abe81384a5eda159d555017f37e626552d6

SHA256
622f8dc404b1f9c27370746f8cd13cd49812972f72c653a94ab8daaa878a266d

SHA512
a88e11bacde91bf83c49bc7d0929ad278933d2a157b64c3275fc8c3c226b9c192f9f9bb715465f607c8f3e3e13c50f41ba4998ff9ac0d34016608623c2693def

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

Filesize
6KB

MD5
ee2876ec1c25ec02ec2d4681caa778d8

SHA1
431d8a79087204af5dce7f91042eaa3089a2162d

SHA256
5bb15ae963fdc2c36fb24c8c6fa99593738f5dfcb486b53aded6221085bfb017

SHA512
5c7869ef87e52437c32139d9ce9621ae45a002420fa21ebc5ada9a9787319554990b5fedafd499a0c66a2f7acefa51b181641d62da63d63212c27aaf3821bc7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs-1.js

Filesize
7KB

MD5
c2a6f6f6cb15f28d17c3b4bb076c7de3

SHA1
4911109c27c151baf5760cd089393e88dd5c744c

SHA256
0c7666f218a5801f6c7b2121d7ba7f6d12a20a2738d8f181eff772b35ffbcd8c

SHA512
c47bc871400fcdfe3f11916d49be7ff555fa5d17c766d952b1ed59de5ead6f5d74858cc550894fe4159807f825a6766ac8a91446cc6f728e38066be92711015a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js

Filesize
7KB

MD5
69bcc898eeba24e7c6de61383ab8c63a

SHA1
6273fc7ca6581de6f5af00f8a1c81775c27e772e

SHA256
3756798fd039bca08343badaaf39aabbcbbc4c37ab1f66526887cd7fbe6470f7

SHA512
d22333536af4a5cf21c6c4f01043ce2f53d5132d5a9e53a66ae138ebef5c827621b07ecd95279bb007b189f1d2f4c449350a816bce2d7d5282a306da5f11d8c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\prefs.js

Filesize
6KB

MD5
ee30d978daa1dc7d071f3acd1571d5a9

SHA1
d1db391a6b93dc26e4327cbcd00b017b12f3d2a0

SHA256
678b78a9d7fba6497900ad711c757e0b8f423ffc80064c9c611ce40a62e6f70c

SHA512
aa959b216a516f50ad3924605a12cfe3631842390e627a2b2d3bfbc57bf915999f5ca51f5b6e49acf105e33077cd19add68f230016cc3d5319628947e7461e6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
25299b5d98f370d9930143c7ea1020a9

SHA1
248cdbedfddb7e0bbeeb3fd1a52a1f12704628fa

SHA256
1522a0ddc3f7504477b7d53ce43c875c0a829fb58df8c80d20ba39bced23db93

SHA512
bf639ddb483bc1baf5ead37fe837db87f2f60702942df3363b1732d9f8eb363795f7daa1a6e5e163552999d7e2226650d171b268be03789f1e404ce12652238e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
5759aaeb65d0b5586a6d87a8a07841ba

SHA1
b1629d8d09e06e57b4f0806375acf7b72e8f5bc6

SHA256
452fc8c2ff4f026ac8c1892725865b33c73dc3871dbbfe91149621130dab2672

SHA512
5092b8dcd59bdd7b5879c243c66cfe4e3905b81f17ff61b88839f8dba4ceb474d0405ead8b335254829f9ef000ffdc27375c3a5b4ff24b330ecbf01e808357e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d2de54a72de7eea5331cf0c4351fe652

SHA1
fba031be5a306140b6f8225c39e931ad4a79a2ec

SHA256
3abbeea73c10a3ebafaafc743187dc2acbb328281cbd13a50cb1a1f241b5c890

SHA512
8f48c20c52b2ab7261c264d1e6fafe14fec4ead6a4cb8b6c1618b9088aa07ae9b5b4c6a5ad9521df8841c84ce1f5ae44c3e74432e5b24b49f1c9c201658162f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
5b0236c7a1e7f85256a18c8e4c52d8d0

SHA1
e2cf5ca8380696ebf2300ba9053f3848e0154752

SHA256
c3ad5fb6441223b60770016cd381a2566f72496cb80ca1e4828e6b2dd48ec044

SHA512
343539d2fadddeeccd3388a2b2ab9deb646ebff2c43556ac38e5c2fe4bb52d07b1bc56424b9fc9d2076088df6be36327259108cbbfedb25e028db4d8f2b7432d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f543eed52c107e77f7a25f0f4d69d2b8

SHA1
c63a5bfc3921df2357f14f14a4caa4b68f6d768a

SHA256
1e8158de85125c2194f9f68ed91ef47deeb74e25f455ee888d3dccac758a7b45

SHA512
9e960c678cc40a7480ea9d7c1ac5bd0e11dcdd6150012dcca991e9417795639a1ac9d186eeee678600cf0f0f70ea6c8b7ad225c3adf2a33515c3408e8ba2cce2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
bf02d65dbd7dd117f3fa49e4941009b4

SHA1
5192614034b16afcc743c72f16837b59780970d5

SHA256
7ec7b5bd4233696c1a09d19e5cf06db2e74aaa951566e2d164f33e8740ec7e8a

SHA512
96776f54f214bac1d3e05a75044b9ffb1d753e3314a042392a0e454617ffe717b880075447c456a63dfda0fbcb4bd285ef49fa03b0c6e13430ee9d46c1dbd134

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
2255d3e206c63ec9b86723668321ef75

SHA1
882b364bfc0d6abf9dd9049170898f53664d5539

SHA256
24d171756be4f6ff9226d9ae4db7b09b4cb0f61a45026cccd9070eed471204b7

SHA512
9a51a30bffbbdd9aa1436c3ab482d7e9821c90371760628707c3d4166254d97b02947c22694dc178266a2f6a905c5b6f7482bf6d55d96eff958a3a804c06a36c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
cc3744d84f6b5220dbd31a7cbcb893da

SHA1
a4be3221da1025c635ed012a7a531665c2b272ac

SHA256
50b58ef781b4b4e4f941c44e22efe2418a784607087a2bad89e50a462db27f57

SHA512
4ce49edab0fffe0634d104b331d2369d9ea689a7a54697b77018c1a5b1b0f566d6604a8d4211b85483eaad8756c82828d7a891de03cbda8386512ef7357cd77e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\115\{65533608-8e4c-41f1-baf5-1845aff74873}.tmp

Filesize
465B

MD5
2300eafff09d478fbf68f49fdafbff49

SHA1
12f127da15a69beece4f71f600975e0503c77ce1

SHA256
f8c94c9f9dd4455eb89053d024bfd28afa482a9c697732ce5acb2df3144e885f

SHA512
93d447b0a87e4c25dbca71a80a198693b12c684c0a96b370693d693899230460bbd8c85c137dcc0b4872bd2d85fd0d10bfe3f4137c1b08f01da3a9bbfa481447

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\125\{df69f094-9ef1-4587-a148-8222c9b0127d}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\157\{78c00619-3189-4fef-9f67-448fabd7109d}.tmp

Filesize
315B

MD5
440b8569f0166adb464f65b587fc1864

SHA1
bd9ec70774c72144b24d6b025169adcf97f4100f

SHA256
7679aaa38924228f58794ffd76387e65f03fb1a7ed42ba79a369069f2da4c13a

SHA512
2a4d57dabf61b213de49a46569ad00401afeee417d28936851c1ea346d65d5019be0b8092d1857b58ca0bd0f2a1407452920a2f3e0a69688d61bef25b419fcbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\187\{6821bffa-bf04-4a27-b7be-9e1eb7d007bb}.tmp

Filesize
283B

MD5
9f99c5db53c5fab1bcd32e05ca06def3

SHA1
6b898b3b757218e0bb43f98266f14ab2ecd922af

SHA256
99daba8f81f9cff4feeea76ecec876840213816b0b53a16c60b9077c640e6831

SHA512
36d66379ced9bb670957e4a1705b8edc22ff433c601c1acd34b96efa900d58f1971b73ef8c7ef0ad7e07d15fadc97b68ac182d4ce5f592b67cc5134976be4b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\229\{0afb51ff-59ee-4696-9de8-ab2fdfb564e5}.final

Filesize
4KB

MD5
fe4c1c9fd3578c4ad4807a353e794f1f

SHA1
cb7019ebdd271898fda9846061e1b0c6ed1da899

SHA256
282e6ef4e3d1c600561402bb2d00664e8cb91c4a5cb93a9f4a665ee326c614c8

SHA512
228ca7ef9292c35648d5e92c4a876ac40596a758892c37b5a63e27792b716206fc99b814c85079fcad191eaec4bbf0cda6328cde5b1839f30d97a5f895ea40ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\235\{d3b2e30f-956a-4b84-97d1-0a53fd8905eb}.tmp

Filesize
669B

MD5
5dac736054f1bfd6efddc9f8941f6513

SHA1
8d333e22dc6fa20e26c4732d5ff91c954433185c

SHA256
e1f390622425670904099ccdffe9b808e555fc402e7015697d49f9f22abf9175

SHA512
3ea570e7041a136d250e5e94c215b468991b70a6d6609ed27907aba24123e068e08559bbd96ca39a615a52dceccd524e3aa52702a8ad544f8a7b952fff935577

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\39\{f7427f81-a0bb-4ac2-a58b-8a96b9169b27}.tmp

Filesize
197B

MD5
f8a4486578289f338eccea68bf578c6e

SHA1
6cbd17168a35b3f10b74a28f1fa3a83e161a7e35

SHA256
264c3ef4f7bc3f390875ca49d87ec35f9c4f0bbb0eabfdb38073951253ca721a

SHA512
e896ce1bbfd145a4c38f7e81a8afb12c3f354d5632f24f26cf19e8b5f1a466fca8d098e7277a4c0979170c37be25b6cdcc0654ae94f46908bde1810d4c03c3c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\52\{6c5f7650-8b66-4041-ac80-49b9e6c25034}.tmp

Filesize
225B

MD5
cedfd917c042bfd5faea22058d451ad1

SHA1
5a98904fbf1c9bea6d27f75c42aa49c66db8c54f

SHA256
9cfc9e25c7e723abf5c14049886f33d836c6ab91b40218920efbdc864764f3f2

SHA512
5f7513b881549aba1fad170019ddf45e780ddb6a576e08365f4c9ab2c8bf4e7d2d5053b1db4ec6a2af570de21a182fc8981a0790881172d8605c023fbbbba4d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\57\{d003f835-e912-4cd5-b8bf-06adf614c939}.tmp

Filesize
216B

MD5
321ea72e49df8692233391c1f36451e6

SHA1
2f016758fc5830a806ed9891e574936db521c034

SHA256
8113ef313d8a5519df57034e29db538c65721112804bf1a1a446b8302ae7e0d0

SHA512
86d5a408e472a62c2cfcf69a5fadc122f7a62dae866a36fdc4a7381de6cc8028af4ba51cec9c827b9815c26f75db82c4813ab25682c728c1f03d3bfc7ff21114

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\59\{040839c9-9449-4987-b5a0-5cd63c1f5d3b}.tmp

Filesize
258B

MD5
d0d1672cc7d147f9f802ebefdb01e914

SHA1
22ed7eb147f695ec1df8ae6f43cb7787dd0ea652

SHA256
62efa98b135e5ef8779b99489ab8200b60026a5b1000ff3c997f3be230febe2f

SHA512
7f8ef8af3f57a6aab90ccda6ab1079e43630de11d14a780786a1b0f1ab057d7cfd5ab512b53ecd8ddd1bcc669fa56a0c260b2df421db64e3855dee7d63251a68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\cache\morgue\69\{544a9267-3bdc-4691-b8a8-3c542af3b145}.final

Filesize
74KB

MD5
4ec2c98d881403597b3df55bc47759fd

SHA1
78838f560f7f796075380e6f8bb51cc333411b31

SHA256
10843937b184cf8e775413f69bf8d71cc9b6390f54c973dfdc84f12399361f5a

SHA512
c9b6065437fcb8e86919a20c872fc99874942c30f9a9c839e58e61f031cf1a9bb8f98acc0837abaf6a8487b423a288efc711d2707cd2939b3fbb6bf0d0b523f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\default\https+++www.youtube.com\idb\2834887188yCt7-%iCt7-%r4ebsdpeo.sqlite

Filesize
48KB

MD5
5bb6d1c0086cf29a9b3e0d227667519f

SHA1
5cef72eebfddb03912ea2f3a50c04972fb48e65c

SHA256
9b12dec6da3490c9638464831019e6e6e49971fe1c292cfba791d820870435d9

SHA512
eace4a2a6406651d257b4ca90a6a37547df0493850cef8811a71aa54ad6c81efa33ac02dc697bf1c69e3162822d746e7aa10c616d187e43efd3e95a06eed65d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nyws1jjf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
930310edb276c992702c569771bd3f3b

SHA1
df748d61665201c6014fac5b650b24820f261410

SHA256
5988949d36cc85738ab86f8c6e5827a5cc643151aa8f24abc1516426539b480e

SHA512
c6eaae81196a6a37be0ce249e85abc2506e30168535c2bc4b7f1c6bbba559e1cd0225253fa44b70c63d2bb42e407420d2872bd5d2bdac28c1385c17a9da87953

Download Submit
C:\Users\Admin\Pictures\Untitled.png

Filesize
6KB

MD5
a6bfe5e98442aa33646ca597d1de2955

SHA1
d04dde6ba879ac5590360838228b877c4cacbd54

SHA256
4048c34c0c2420fca3a5a52976f4d9e6818df765dea9157f613bca9864a52198

SHA512
d99a792cfa2af7ff2ceda93ca56b949e35fd682e44752b7e8c90be93a1757ef73c2f8acae0290b7702bf92d4d463caf3a60ee90e946db522dae776150a06a598

Download Submit
memory/2800-1-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2800-16-0x000007FEF7040000-0x000007FEF708C000-memory.dmp

Filesize
304KB

Download
memory/2800-3-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2800-2-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2800-0-0x000007FEF7040000-0x000007FEF708C000-memory.dmp

Filesize
304KB

Download