umbral | 4916686177420dca945e81aebaf2fc098c21ddb74fbbf9d0f6f2adaf37f218e8

Resubmissions

09-08-2024 17:20

240809-vwc9aataqn 10

09-08-2024 17:16

240809-vtg5fsxblb 10

08-08-2024 19:08

240808-xtpkmsxgmn 10

Analysis

max time kernel
616s
max time network
617s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-08-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nowatermarks.exe
Size

227KB
MD5

926ac9e42778634f5c2580a913d83f62
SHA1

e36c92f542a4c010c9cbbdb91df84ec2e16ac62f
SHA256

4916686177420dca945e81aebaf2fc098c21ddb74fbbf9d0f6f2adaf37f218e8
SHA512

e415af55a761d060dfd56f77491d853edb806c5e2337460fb7df8ac76f986e7a89904caa913b56fcbf19e0f3e084a71ef1a13336cf7aa73cdd52c342ff8375c6
SSDEEP

6144:+loZMCrIkd8g+EtXHkv/iD475jhDJ6idOIJbGmTLFb8e1mYi:ooZZL+EP875jhDJ6idOIJbGmTJu

Score

10^/10

umbral credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3872-0-0x000001DCA2CB0000-0x000001DCA2CF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4480	powershell.exe
4980	powershell.exe
3772	powershell.exe
1708	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	discord.com
50	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5400	wmic.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId	CastSrv.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	firefox.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3716	osk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	Nowatermarks.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeIncreaseQuotaPrivilege	4480	powershell.exe
Token: SeSecurityPrivilege	4480	powershell.exe
Token: SeTakeOwnershipPrivilege	4480	powershell.exe
Token: SeLoadDriverPrivilege	4480	powershell.exe
Token: SeSystemProfilePrivilege	4480	powershell.exe
Token: SeSystemtimePrivilege	4480	powershell.exe
Token: SeProfSingleProcessPrivilege	4480	powershell.exe
Token: SeIncBasePriorityPrivilege	4480	powershell.exe
Token: SeCreatePagefilePrivilege	4480	powershell.exe
Token: SeBackupPrivilege	4480	powershell.exe
Token: SeRestorePrivilege	4480	powershell.exe
Token: SeShutdownPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeSystemEnvironmentPrivilege	4480	powershell.exe
Token: SeRemoteShutdownPrivilege	4480	powershell.exe
Token: SeUndockPrivilege	4480	powershell.exe
Token: SeManageVolumePrivilege	4480	powershell.exe
Token: 33	4480	powershell.exe
Token: 34	4480	powershell.exe
Token: 35	4480	powershell.exe
Token: 36	4480	powershell.exe
Token: SeDebugPrivilege	4476	firefox.exe
Token: SeDebugPrivilege	4476	firefox.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	4576	wmic.exe
Token: SeSecurityPrivilege	4576	wmic.exe
Token: SeTakeOwnershipPrivilege	4576	wmic.exe
Token: SeLoadDriverPrivilege	4576	wmic.exe
Token: SeSystemProfilePrivilege	4576	wmic.exe
Token: SeSystemtimePrivilege	4576	wmic.exe
Token: SeProfSingleProcessPrivilege	4576	wmic.exe
Token: SeIncBasePriorityPrivilege	4576	wmic.exe
Token: SeCreatePagefilePrivilege	4576	wmic.exe
Token: SeBackupPrivilege	4576	wmic.exe
Token: SeRestorePrivilege	4576	wmic.exe
Token: SeShutdownPrivilege	4576	wmic.exe
Token: SeDebugPrivilege	4576	wmic.exe
Token: SeSystemEnvironmentPrivilege	4576	wmic.exe
Token: SeRemoteShutdownPrivilege	4576	wmic.exe
Token: SeUndockPrivilege	4576	wmic.exe
Token: SeManageVolumePrivilege	4576	wmic.exe
Token: 33	4576	wmic.exe
Token: 34	4576	wmic.exe
Token: 35	4576	wmic.exe
Token: 36	4576	wmic.exe
Token: SeIncreaseQuotaPrivilege	4576	wmic.exe
Token: SeSecurityPrivilege	4576	wmic.exe
Token: SeTakeOwnershipPrivilege	4576	wmic.exe
Token: SeLoadDriverPrivilege	4576	wmic.exe
Token: SeSystemProfilePrivilege	4576	wmic.exe
Token: SeSystemtimePrivilege	4576	wmic.exe
Token: SeProfSingleProcessPrivilege	4576	wmic.exe
Token: SeIncBasePriorityPrivilege	4576	wmic.exe
Token: SeCreatePagefilePrivilege	4576	wmic.exe
Token: SeBackupPrivilege	4576	wmic.exe
Token: SeRestorePrivilege	4576	wmic.exe
Token: SeShutdownPrivilege	4576	wmic.exe
Token: SeDebugPrivilege	4576	wmic.exe
Token: SeSystemEnvironmentPrivilege	4576	wmic.exe
Token: SeRemoteShutdownPrivilege	4576	wmic.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
3716	osk.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
6036	taskmgr.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
4476	firefox.exe
2364	DllHost.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
3716	osk.exe
4476	firefox.exe
4476	firefox.exe
4476	firefox.exe
3716	osk.exe
3716	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 4480	3872	Nowatermarks.exe	75
PID 3872 wrote to memory of 4480	3872	Nowatermarks.exe	75
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 3856 wrote to memory of 4476	3856	firefox.exe	79
PID 4476 wrote to memory of 2396	4476	firefox.exe	80
PID 4476 wrote to memory of 2396	4476	firefox.exe	80
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 4160	4476	firefox.exe	82
PID 4476 wrote to memory of 2260	4476	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe
"C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nowatermarks.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:320
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.0.412411408\570799865" -parentBuildID 20221007134813 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d38513ad-393c-4fca-aefa-2bae11946cf7} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 1816 23e25ad4b58 gpu
    3⤵
    PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.1.2099756321\902327706" -parentBuildID 20221007134813 -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3837886e-2904-4d32-b374-51ac46942ffe} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 2140 23e25630858 socket
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.2.44644609\1865149924" -childID 1 -isForBrowser -prefsHandle 2736 -prefMapHandle 1564 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd1641a5-f9ef-48eb-897d-197a6308ea9a} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 2892 23e29dda258 tab
    3⤵
    PID:2260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.3.430314848\1337053821" -childID 2 -isForBrowser -prefsHandle 3552 -prefMapHandle 3548 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05211446-4753-4fd8-b871-42e41b069162} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 3480 23e1aa62858 tab
    3⤵
    PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.4.587099689\1655591954" -childID 3 -isForBrowser -prefsHandle 4356 -prefMapHandle 4256 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {673f44f5-8d9f-4d56-86f9-f4a6f04409b1} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 4368 23e2bb0b858 tab
    3⤵
    PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.5.808945361\366118640" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4952 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9da798d-f81e-4f08-94e3-8398da486ff4} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 4920 23e2c7fab58 tab
    3⤵
    PID:4392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.6.1803488921\1558136970" -childID 5 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3553216c-d7c3-48f7-88cc-004cf69b083f} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 5052 23e2c7fb758 tab
    3⤵
    PID:1820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.7.1926388558\1157102949" -childID 6 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24e4ac5b-47bf-4572-8782-6411a456f096} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 4932 23e2c7fcf58 tab
    3⤵
    PID:2060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.8.888423647\760542252" -childID 7 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6ab1c7e-92ee-401b-9191-2305d4d3cb07} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 5660 23e2dae1b58 tab
    3⤵
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4476.9.159381888\2110503669" -childID 8 -isForBrowser -prefsHandle 7256 -prefMapHandle 7276 -prefsLen 26568 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97865fb6-3783-464c-8ec8-afdb006aa5fb} 4476 "\\.\pipe\gecko-crash-server-pipe.4476" 5856 23e27345f58 tab
    3⤵
    PID:5856

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6036

C:\Windows\System32\CastSrv.exe
C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
1⤵
- Modifies registry class
PID:3872

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller
1⤵
PID:3372

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:348
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3716

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x208
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
4b047b541dbe615ce7914960b052fec0

SHA1
bc46459971d30704f1a67bd2bebee722e226d630

SHA256
50b6ac217f2e16cadcde36db2ce1fdfc4b1b2921ebdfc39bffdf7de529b0fd7c

SHA512
79df0d491320a0a7e056e9df241ff50a40c25a060b618c6c20ea015448a270c2daaec73c5a31ce9ece40594240ff612d7aa51ec6e0361993071d3feb42ebba8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
1b0c04e3c6985b228f01e4df044cec7a

SHA1
e44c186b444e3add976f2686c1bb90ca1ce7e826

SHA256
45563f881e9dcf3eb600aba64974870ed5a4435817304ab4d07178a1c810f02e

SHA512
f3888a0f86365ad88b6d36a1ffb5d5e0555f67ab3c8ed2cc9840181c9f703fc456c166f49adfda0dd920b135cd162af649e782e4b0a716be4dec23f64f1125bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ce32cdb860ea27c099070bd8739917

SHA1
0316c3dcd8f5926dc125427a2220526e53b2b1c6

SHA256
cea8621365f1e4a19ccdbc46ef431635352d68753fc939f7412df3181080f6bd

SHA512
69da9c85c8068dfcef7267154215047aa3743a80724b60558f22c66237e04b24737d14dea19b7d8d8a7236da32d4fe9b4a48af04f22f61f54c5a69af1bc0ca95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2487346cf1b3c44defb92035cf48da47

SHA1
26e6f1b59047c10d1368f387e82c7037482768f0

SHA256
1a705249bd7555b1a8ca795ffd4a605556e284ad658d308f4737349264ad545e

SHA512
3dc09fff00fb9881a37e287962af27418a23c0ecafe4112922126c584e8f16b07baf39fa9b419a8d65a00e9ed95c5df39da21b800c2bf5429d041d2340da2ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81e9cf108135a56560253f00eb7cb9fc

SHA1
3dbe28a9a823a1d1461763701595784c5bdc99ac

SHA256
cf1595b8c7c677d166ad839f8add6938606cff9956eca4dab80cead963699475

SHA512
68cc1097b3479892486feae8d28af789ae8724465aa266ff0a9b1c4d3850acfc86ece4304c71d9ff00fa09fcf4a646b72c1dad4589173ddb4fdea8f85de83706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
534752608b347ba9d46d70cd3245cc51

SHA1
c5c0cfa90ba32665163ca1a445c6da2d8a7245b6

SHA256
48e67484ef528d90f71bb5e89db6c21542e854ed7551552eac2976519f795648

SHA512
ada0cd5a0c1dc8f30bdac7e6e807df61008689f68f4c282cb103a9e4f6727c568bd439295de4fb1c9ec8b5e64782074e965a2e8d01281ad4a91d3afaf51fea94

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\D51AF647E4D4CAC1114F86C66307284ADE3F1FA0

Filesize
219KB

MD5
1499120608c9afa35155e33d45ffd293

SHA1
0a796578c012148877f2d6e524719b76548ec320

SHA256
a968b51d7f0dd1b45ef80e1b5ed33497cff8817a7e06a15488ca672a0ce11555

SHA512
06556601d78222184b1b7a962f9b90e2adf6d2cd6356ee2f63420b42d4020363ae0657d0b6e44c48a9a82409d2f8926897f94edabc1672f1791ebb050c07c973

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iq3w3old.41e.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
3085091c273dee1bc3cf3a9746eb51ad

SHA1
3f3a04523cf33a8fafef7d6cc065c6104d9ef9a5

SHA256
cfca89d6fc8303e853a0dbabaa2732f7711bcff3ba59a67004a54c8b0fa74981

SHA512
11190e0bb4d798e78340457b9c04ed99564e119a9853ef0a72003dfbac2974b0e123974c75ef5c6f66173e4f30b3c9932044c6ee434bea376609632889e6b912

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\SiteSecurityServiceState.txt

Filesize
455B

MD5
89aa5f95ae5ace7fde181cfe4739f25b

SHA1
8007a5b824ad21d7f9232feb3890eb6d41f770fb

SHA256
4bcb0978c92e7564f83793823a20668685115ece159559eba38385ad74066e76

SHA512
c45d4b10fb813dedb0d2b4c6140acbb296e3128693f2880fde7b991e13a8555a30a83e736a93245cec32c35b974c10686051f8b56378219a2d805d9e0a954f8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
240ba8559eb2129c9de23ef68fb49e6d

SHA1
bc37cc5e3dbe368918d503e4304aa90006fd99d7

SHA256
b3fd0ee397e7e3214cf9076f4fc07e22ac7c89c1f15e3dbf2fdfb4f9e697b1ec

SHA512
ca97992adceb23b333c4c8fa57c28177fafe69a2472a774907a2119111c906f2b97552308c572e78abace3e1f7a61cf402f46010d8664f68b3554b2792aac7ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-08-09_12_qNdK0XjSDRtwUnFY6-sSMQ==.jsonlz4

Filesize
1019B

MD5
7ef60d1da8fae0ce8b8a7c0c1038e6ad

SHA1
62ae7e8ad850492f3d769bbd06ac28d66481d4f0

SHA256
6461105042ca9bdfa0d472395b5ae5c1f652b511b197b47068019edd220829e3

SHA512
d68d1aded8f530819cc59d7b405c73d66d717a375cc80e2b06f556fac08ceb9626ee0303b5834200d45d55e710af6e51fd1f328f40b482c1151667769aaad238

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0a37bdee7c147130cc937d647a733882

SHA1
25d041e8991a8a6069ffe853a995de01b4760b40

SHA256
1f07211b0b789180c70bbcdd633131cb8a6738cb63a01524a1f5f8b9e00f6c26

SHA512
60c989e20bcdfd4314bef2926dc8ca8755ba131a9da20cb291d33148dfe03f9f3f82de7f83ffa9007f5054802a429ef5b82a428bcbba41be168835ce8674d023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\6dbf997e-b90f-4dec-a192-3f1df9015f56

Filesize
746B

MD5
add5e17f868101b046fe5d5d5dc92ad7

SHA1
be9017047ed6089bca9d1c304489642f10f6685a

SHA256
2cc55e98d120ea94b6396acfcf697c06e365e7006e899cd56766fc83c8935c5e

SHA512
df5e74adfeb83dfaf413fcf2d6d27299d6df959d65fe0f1046436ca1dd9a4df9102f996f010c8271b2ebf4020416f76d64d07d947f718b56a8e680565993ee5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\a94c1bbc-ea80-4a36-bbce-769950ff56fb

Filesize
10KB

MD5
5a48febdd1c6348ed266750b9e685767

SHA1
612a3681058d34a70ab4adf8f6322611592edc2e

SHA256
d5ee1e00583bc9b2b191132b9584a8eeb3d819036a0d04edcb82035d1f70e579

SHA512
d51e72f7739a1c67c12d411993a1a85ae1eecefef51812c8e19c2b6f926c67b2cc29d52f7a26ccc96d7e5e63321abbe0202425c4b2150560e0f612eab6c49e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
afa4cfa7805b0934761e4248d93e69b4

SHA1
8b37ca811bec5c4f1b1b3fca92b2057f7c895fe8

SHA256
9b3de0d16459647ee39b1c9be0b52f568f3ffcfe9a41a631a4b3cc93c1642263

SHA512
b65f15c96dbc90aff1bf17ee9779d4b22288ab3575a999697568c452b4e3d101f1b167bd43d54c645ef51a0c6c6c98eb5369cce354742208380ee49211287624

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
3023b0d95d11850163d575ad076e32a3

SHA1
dbc9684650674e953b0282cee7058bb1f2efa562

SHA256
43dce83230b25558173daa400b091a99095a04bfae5f76414c174caff9ce6d45

SHA512
ecc9656a40043324dbcede089172f73b84741482e08ef51bfcc29737ee9551629827fd625298b42331bbb9e1263629615cfd65cacbaee73ac077ccc2dd38b176

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
debcb533c906b6df86980844a42b9798

SHA1
041daea3f74c20dd45659f7a7e2b5f3ee56c3d3b

SHA256
05de10a3ef4eae318fe350e2307752e61faee581f73ef11ea2d685b49da65e19

SHA512
72f53c7d4f1c74725c566e1424279185cf9ce6edf35369a9b251da3b544d78085378fac67c69d8483ec47e651687a856f2f57dfb99f0fc4511195fe99490ea2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
2f74620de6bd8d8662bbaa97582cfaa8

SHA1
1e4480cec00a38fbed3e590e50e788a3daee66c9

SHA256
ce09b3da8c8b87444e0f5325edd1d68d4d6034dbdf41558f8ca68762de9d0e8d

SHA512
6e00e7e72f07bf0d7a1cce2bfa32fd8449f83ef8ab722884c010292a98a81c15d79fd1344cd29dbb924de7474e153f875eef72efde0ccb9bdd3a248c199c7031

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
d5353b8a237cede279bae6324e500d69

SHA1
b72a06ecb566006a8e516293421db9d7501f2268

SHA256
fddc4b1bc99e931da08e92d87f5873f3bea2971c81a636d582ccee9de95d8254

SHA512
2a8b90ae6d93a596cbb330e0d41a040a8066472afb47142260dc94695232bfac1839344ef0e912f33045b9dae0bd7e9b5550fe2e0c873a1bad214704e12e3744

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0573e424e81b650e9578b3877aa2f78e

SHA1
d573ede6a488af6d8253efb2650f4a642fe72bd6

SHA256
3425687d00dba5bf8df27ac7c97e70d4240639bec5c5aa345f7eb72ea0a98677

SHA512
c0e46cc17cd39501fd8d9d5dd46839ef69f83aa39a5ad9b14b03963fc36948bbbf657091abf08ad10b607537395dde8c511b6e803005a003862b4b0af14a2970

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
a0f9b306eceba8fe7987bb34b2337d95

SHA1
804cce6b45e8e8c75dd17262fd325c5fe526a939

SHA256
9813b61c7d2d44b7bd5c7faa9929ad28ae0b36cfeef1a03f1c0bfe83858ccfdf

SHA512
ae017f3ca35a3da12d1cf12e287da2f52a5ed521b1e4eaf8ef1ff84d1d3f798255f6e26f7bdbc5bdcd24e20ebae17c0584e31288f84e215b3440880a959b3d9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ca40c84b5efaaa01aacb8e7f2a10a78b

SHA1
5c36c86f9f52edc9def6d4615a275f49ac9372b7

SHA256
a7428dfd5221d72943c4e5d1110c52576b15624833a77cfc8a8dca65b8876ae2

SHA512
c1278a9f498f773a9a6b7412ff3a2294ddfe8bfb3fc418cc2236474b965153be94327514395bad1098f74d1dba9c16271215d9847d61981fd3efa45c87cd4df6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f7b1e5237a391f5a964346d238c15fdc

SHA1
3d860f85b1e301db409d18ad357a95ceae6a65bb

SHA256
a5ef040e1a0cdcf80bb8b2c2cde5c2f73532efddec0c3df43f659b0d032b6b14

SHA512
45b881c0a84bb6925ea2441814962cf3ccdba36dd4973bdf0e254e018ee869af6fb1a08d7ba56a7d97816b65f1e4f5d00a222251267af6bcfee0b464ab97dfd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
762e3e6c202db509add0d062e112f268

SHA1
9d5098f56bdef563eec0a7da146f06273c15180b

SHA256
7489bf83248acaff75e2df72781a04cc8cc2b7d9072274601ee0d48a2310d2b9

SHA512
62946d92819aa42f407229513a9e373c827ceb48234298450e9d022d315b1e3a8dccf3a12d79f138e2a683f747c9ce68095ab5fa21d7fa40c97afb5afecf4f2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
941b4e0d6835b00f460b858e3dd5f46e

SHA1
baf8207af7d1c8fba17c36ec85ce1f19fcb3e57a

SHA256
73ad4cf1b167926bc10922dad627058ab8f9339b64028789574cebe57cd3b924

SHA512
03e36584675681a9779a0d2204a724648283bc08ff3f7da6ab2617e74757f9865840e5c25c02506b9c8efea0ffcda64e3eb74a24ef2274a81b82de5f5994248e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
1bd84c9166a3f5fa99caf0a56cc33a50

SHA1
5b32643ccff48d294c304e144f94298b5f7009c7

SHA256
173d20273bf18cb5e479613cae50aab3b3f702a8eedec65c4f7b0044cdb94381

SHA512
cac8f9c73a5771e01ea964c28ceb66bc3b11275f49d01bff731e0dce443680b9188f64d8d6cc9835ebb2c7116f76224105fc3cccf640d9ef3770660fa1055159

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b473446dc7f708b6366e33014e49f228

SHA1
9e4c00c634b83c298ebcefa82d898e74ac94a7cb

SHA256
e1f8211fe072d5604d76ff0c6d8d842da2c68e1158924a19f792a302f30e518d

SHA512
ac95a0bc29a6ee750817366ac24b5247c87a195c9fec7b6e15017427f34755de8c08907e120d2274120a8e86efbc2c723faef9643e1b119598a6bd482c7ed9f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
1a26df62e6063b36a8e9375485d37139

SHA1
eb16302cd5103221a7640bbafab50d928c51a69d

SHA256
d698e0da4bc2ea7e95630e227a01bde51bc11622b0855f30431746f0ab916c4d

SHA512
0af16e5e2f3604337478d0d1130178e00bee091502d748d778455e039563e634915bf4c8a7507d12b83ede72438e45d1ab4d500ffc3c7482bee764addcfd2f19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0105f1b42c1f285676d898e1ca0a4068

SHA1
01af1a7f059a9392d48fa6486c1109bbc0932baa

SHA256
580aa1cc527d29e53a6bebbe7771ebdc9d6f71fd0cfa4b07812668a7edc6d501

SHA512
f5fcaf40c329ed3e340625bdfd32f968db9d3c108b9a5ac6435cb9a82c725c6c895d31d5c5f70f22b80d00612b5bb90bccc6b6159d47c03031326521e0e0d3aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
003769938095c72fa7c45a129377402e

SHA1
65273fd405ebb412f35e97b826747cd98faed627

SHA256
c890d2182b2b31bac82ffed769f4626a76bd88c9356a0c9493d8fec17176be68

SHA512
a786edf77ace51643c481c52b83cfe0d4f435c69c74ca93a1e0412d46a466ce031267fe61bb6d5d26e27508b15aece646cd402bf309fab426a361cad8a7b089f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
92984394c3002f18906ae7ed0b4b3b72

SHA1
6134b254951f77a53ba54455a3069bffc5e6de03

SHA256
a6f9155f95f9ac4bc930f7e50d310ca830f5aeafa612d4bed8ba5ac332de822d

SHA512
bf98981f21ed27c26019368c92835b09fc6afb37ec917459875f809d6fd5de212c976cf1b2b5da31341f861a5e8a798f5423a2657b4d07aad48684e533db50fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
8dc5f9a523acefebee7c812ebb8d600b

SHA1
452e00bab918f153d269017736e166a300a9449e

SHA256
67c6145fe99c8469f7738bacfdc714eec561d9a9c88b8a13bf2e84b8ceff6fd6

SHA512
adc7d5c7be574a061df39b1bdbe52c7c27ac89deb7ddf0d61e77a55763662850a1db60a6c7f39010f1ce1e98921cca97aa47712b704e4f5079399e24cb848b4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
076ac3d1fa212aea777f5a692a1089ed

SHA1
c2be01c17c3e5c325ce3e042b36fb4397f7dd6a6

SHA256
b8cfaeac8c38183bc5d410710eb497871a5e7a6b7fbf4dabead26210b3a45cb6

SHA512
8e3dcf9a3de9ba3a067bdd33b38af566ceb6e5265eec27a95f3766659f08e8d791878b719e22bbde54f64128256e1825a1731cbb96bad53d305d524bddedb9f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f0041d6fae494bb0165819e6a804f03a

SHA1
bdfb101edc17c87b892ec5d5e9e6382e4e7afe61

SHA256
8a334e6609b03561bf7b6ccc869b57d0a11077cde47ba351ee6b11a8e0a55315

SHA512
79e16894ed2f78f81e3743e648f35ec3a57ad66c707fe84744c3422bd29e4754ea362108770f54457dc97bb297328065f5784dcee475ffa7ecf8b0df8c635408

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
e7d901ad03d22078f4c42ecc83c3bd45

SHA1
13ffe2ced2026e6b99c39a96d006c7832a72ba17

SHA256
fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

SHA512
8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
c051ed8446bac8ba9f784061cf393798

SHA1
8ed29b2fa43ab272331c15dbdbf26194fa76ab22

SHA256
3dceed5262df0260362c3794b0d940819f547902d0faa42c0b4558dbbcfce93b

SHA512
f5cc165e51270f99ac20074213cfef15b8b91962f732ea2583ba5360a9dc56ee1963a5062d832fc1667208794e315f67460bb5a6257ad067ad9ff00358e0ef72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json

Filesize
3KB

MD5
605c138258b20580c3973c30d66422ea

SHA1
82f2fd17eecf06fc2cbfe2396118b55c3ddeecfb

SHA256
11ceb3ff9baf3ddec7089679a289c84de9073c3a027ff10fa6e031462a8678bf

SHA512
d4093bae07430ef60358fbe6cc1b918216334be22524c48a32f5217b678b9e010f2712eee5ed99f0e01fbdcb29b57c8ea60efa9bec787f5592dfe4e1a1ee5b7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
memory/3872-262-0x000001DCBD250000-0x000001DCBD262000-memory.dmp

Filesize
72KB

Download
memory/3872-0-0x000001DCA2CB0000-0x000001DCA2CF0000-memory.dmp

Filesize
256KB

Download
memory/3872-1-0x00007FFEEB413000-0x00007FFEEB414000-memory.dmp

Filesize
4KB

Download
memory/3872-2-0x00007FFEEB410000-0x00007FFEEBDFC000-memory.dmp

Filesize
9.9MB

Download
memory/3872-177-0x000001DCBD280000-0x000001DCBD29E000-memory.dmp

Filesize
120KB

Download
memory/3872-315-0x00007FFEEB410000-0x00007FFEEBDFC000-memory.dmp

Filesize
9.9MB

Download
memory/3872-176-0x000001DCBD3B0000-0x000001DCBD400000-memory.dmp

Filesize
320KB

Download
memory/3872-261-0x000001DCA4A00000-0x000001DCA4A0A000-memory.dmp

Filesize
40KB

Download
memory/4480-8-0x00007FFEEB410000-0x00007FFEEBDFC000-memory.dmp

Filesize
9.9MB

Download
memory/4480-7-0x00007FFEEB410000-0x00007FFEEBDFC000-memory.dmp

Filesize
9.9MB

Download
memory/4480-9-0x000001E9DD430000-0x000001E9DD452000-memory.dmp

Filesize
136KB

Download
memory/4480-41-0x00007FFEEB410000-0x00007FFEEBDFC000-memory.dmp

Filesize
9.9MB

Download
memory/4480-54-0x00007FFEEB410000-0x00007FFEEBDFC000-memory.dmp

Filesize
9.9MB

Download
memory/4480-12-0x000001E9DD4E0000-0x000001E9DD556000-memory.dmp

Filesize
472KB

Download
memory/4480-135-0x00007FFEEB410000-0x00007FFEEBDFC000-memory.dmp

Filesize
9.9MB

Download